
[FW-1] Weird problem with the firewall: help needed



Looks like some hosts are not able to contact us back when establishing a
TCP connection. Here is what I found using tcpdump
(mail server, firewall):

With www.yahoo.com, port 80:
[root@lnxsrv0006 root]# tcpdump -i eth0 -n -p host www.yahoo.com
tcpdump: listening on eth0
12:29:24.044723 192.168.0.19.55224 > 64.58.76.223.http: S 33338910:33338910(0) win 5840 <mss 1460,sackOK,timestamp 156243036 0,nop,wscale 0> (DF) [tos 0x10]
12:29:24.054724 64.58.76.223.http > 192.168.0.19.55224: S:(0) ack 33338911 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp43036>
12:29:24.054724 192.168.0.19.55224 > 64.58.76.223.http: . ack 1 win 5840 <nop,nop,timestamp24949> (DF) [tos 0x10]
12:29:26.404952 192.168.0.19.55224 > 64.58.76.223.http: P 1:9(8) ack 1 win 5840 <nop,nop,timestamp24949> (DF) [tos 0x10]
12:29:26.414953 64.58.76.223.http > 192.168.0.19.55224: F 903:903(0) ack 9 win 33304 <nop,nop,timestamp43272> (DF)
12:29:26.414953 192.168.0.19.55224 > 64.58.76.223.http: . ack 1 win 5840 <nop,nop,timestamp24949> (DF) [tos 0x10]
12:29:26.414953 64.58.76.223.http > 192.168.0.19.55224: P 1:903(902) ack 9 win 33304 <nop,nop,timestamp43272> (DF)
12:29:26.414953 192.168.0.19.55224 > 64.58.76.223.http: . ack 904 win 7216 <nop,nop,timestamp25185> (DF) [tos 0x10]
12:29:26.424954 192.168.0.19.55224 > 64.58.76.223.http: F 9:9(0) ack 904 win 7216 <nop,nop,timestamp25185> (DF) [tos 0x10]
12:29:26.434955 64.58.76.223.http > 192.168.0.19.55224: . ack 10 win 33304 <nop,nop,timestamp43274> (DF)


[root@lnxsrv0006 mqueue]# telnet www.yahoo.com 80
Trying 64.58.76.223...
Connected to www.yahoo.com.
Escape character is '^]'.
asdasd
<html><head><title>Yahoo! -
501 Method Not
Implemented</title></head><body><center><table
width="94%" cellpadding=4 cellspacing=0><tr><td
width="1%"><a href=http://www.yahoo.com><img
src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif
alt="Yahoo!"
width=147 height=31 border=0></a></td><td align=right
nowrap valign=bottom><font face=Arial size=-1><a
href=http://help.yahoo.com>Help</a></font><hr
size=1 noshade></td></tr></table><table width="94%"
cellpadding=4 cellspacing=0><tr><td
bgcolor=a0b8c8><font
size=+1 face=Arial><b>Method Not
Implemented</b></font></td></tr><tr><td>
asdasd to /index.html not supported.<P>
<p><center><hr size=1 noshade><font size=-2
face=Arial>Copyright
&copy; 2002 Yahoo! Inc. All rights reserved.
<a href=http://privacy.yahoo.com>Privacy Policy</a> -
<a href=http://docs.yahoo.com/info/terms/>Terms of
Service</a></font></center></td></tr></table></center></body></html>
Connection closed by foreign host.


With carrotcapital.com, port 80:

[root@lnxsrv0006 root]# tcpdump -i eth0 -n -p host www.carrotcapital.com
tcpdump: listening on eth0
12:31:43.748319 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257005 0,nop,wscale 0> (DF) [tos 0x10]
12:31:46.748611 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257305 0,nop,wscale 0> (DF) [tos 0x10]
12:31:52.749195 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257905 0,nop,wscale 0> (DF) [tos 0x10]
12:32:04.750363 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156259105 0,nop,wscale 0> (DF) [tos 0x10]
12:32:28.752699 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156261505 0,nop,wscale 0> (DF) [tos 0x10]
12:33:16.757371 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156266305 0,nop,wscale 0> (DF) [tos 0x10]


[root@lnxsrv0006 mqueue]# telnet www.carrotcapital.com 80
Trying 161.58.168.104...
telnet: connect to address 161.58.168.104: Connection timed out

Packet trace from the firewall:

tcpdump: listening on eth-s1p1c0
17:54:17.834569 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156752368[|tcp]> (DF) [tos 0x10]
17:54:20.833700 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156752668[|tcp]> (DF) [tos 0x10]
17:54:26.833789 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156753268[|tcp]> (DF) [tos 0x10]
17:54:38.833929 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156754468[|tcp]> (DF) [tos 0x10]
17:55:02.834415 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156756868[|tcp]> (DF) [tos 0x10]

Looks like the 3-way handshake is not being completed
for some addresses; right
now I'm not able to confirm if the problem is ours
(firewall or ISP).

The Nokia log tool doesn't show anything weird and we
don't have a rule that blocks some domains and allows
others (actually we allow our machines to talk with
the outside world without a problem).

Has anyone faced this problem before?
What else can I do to be sure that it is the firewall and
not something else that is giving us problems?

Thanks in advance.


JV

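As an added example (not code from the post or from Check Point), here is a small Python script that reads tcpdump lines in the old-style format shown in the post and, per client-to-server pair, reports whether the handshake completed, was refused with an RST, or got no reply at all, together with the spacing between retransmitted SYNs. The Yahoo, carrotcapital and firewall-side sample lines are the post's own capture lines rejoined onto one line each; the 198.51.100.7 flow and its RST are constructed to show the "refused" case for contrast.

```python
import re

# Old-style tcpdump TCP line, as in the post:
#   HH:MM:SS.ffffff src.port > dst.port: FLAGS [seq:seq(len)] [ack N] win W <opts> ...
# Both the "S 333:333(0)" and the abbreviated "S:(0)" spellings are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back \d+")  # word boundary keeps "sackOK" from matching

# Sample capture. Yahoo/carrotcapital/firewall lines are the post's own;
# the 198.51.100.7 flow (documentation address) is constructed.
SAMPLE = """\
12:29:24.044723 192.168.0.19.55224 > 64.58.76.223.http: S 33338910:33338910(0) win 5840 <mss 1460,sackOK,timestamp 156243036 0,nop,wscale 0> (DF) [tos 0x10]
12:29:24.054724 64.58.76.223.http > 192.168.0.19.55224: S:(0) ack 33338911 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp43036>
12:29:24.054724 192.168.0.19.55224 > 64.58.76.223.http: . ack 1 win 5840 <nop,nop,timestamp24949> (DF) [tos 0x10]
12:31:43.748319 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257005 0,nop,wscale 0> (DF) [tos 0x10]
12:31:46.748611 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257305 0,nop,wscale 0> (DF) [tos 0x10]
12:31:52.749195 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257905 0,nop,wscale 0> (DF) [tos 0x10]
12:32:04.750363 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156259105 0,nop,wscale 0> (DF) [tos 0x10]
12:35:00.000000 192.168.0.19.55230 > 198.51.100.7.http: S 1000:1000(0) win 5840 <mss 1460,sackOK> (DF)
12:35:00.010000 198.51.100.7.http > 192.168.0.19.55230: R 0:0(0) ack 1001 win 0
17:54:17.834569 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156752368[|tcp]> (DF) [tos 0x10]
17:54:20.833700 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156752668[|tcp]> (DF) [tos 0x10]
"""


def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _endpoint(token):
    host, port = token.rsplit(".", 1)  # last dot separates host from port/service
    return f"{host}:{port}"


def parse_line(line):
    """Fields needed for the analysis, or None for lines that are not TCP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "t": _secs(m["ts"]),
        "src": _endpoint(m["src"]),
        "dst": _endpoint(m["dst"]),
        "flags": m["flags"],
        "ack": bool(ACK_RE.search(m["rest"])),
    }


def _new_flow():
    return {"syn_times": [], "syn_ack": False, "rst": False}


def analyze(capture_text):
    """Group packets by (client, server) and record what each handshake got back."""
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if "S" in pkt["flags"] and not pkt["ack"]:
            # Plain SYN: the sender is the client.
            flows.setdefault((pkt["src"], pkt["dst"]), _new_flow())["syn_times"].append(pkt["t"])
        elif "S" in pkt["flags"]:
            # SYN-ACK travels server -> client, so the key is reversed.
            flows.setdefault((pkt["dst"], pkt["src"]), _new_flow())["syn_ack"] = True
        elif "R" in pkt["flags"]:
            key = (pkt["dst"], pkt["src"])
            if key in flows:  # RST from the server side aborts the client's attempt
                flows[key]["rst"] = True
    return flows


def classify(capture_text):
    """Map 'client->server' to the handshake outcome and the SYN retransmit gaps."""
    report = {}
    for (client, server), flow in analyze(capture_text).items():
        times = flow["syn_times"]
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        state = "completed" if flow["syn_ack"] else "refused" if flow["rst"] else "no-reply"
        report[f"{client}->{server}"] = {"state": state, "syns": len(times), "gaps": gaps}
    return report


def looks_like_kernel_backoff(gaps):
    """True when successive SYN gaps roughly double (3, 6, 12, 24 ... s): the client
    stack is retrying on its own timer because nothing at all came back."""
    return len(gaps) >= 2 and all(abs(b / a - 2.0) < 0.25 for a, b in zip(gaps, gaps[1:]))


if __name__ == "__main__":
    for flow, info in classify(SAMPLE).items():
        note = " (kernel retransmit backoff)" if looks_like_kernel_backoff(info["gaps"]) else ""
        print(f"{flow:45} {info['state']:10} syns={info['syns']} gaps={info['gaps']}{note}")
```

Run against the post's lines, the carrotcapital flow comes out as "no-reply" with SYN gaps of 3, 6 and 12 seconds, the doubling retransmit timer of the client's TCP stack, which is what a silently dropped SYN (or a lost SYN-ACK on the return path) looks like; a filtered-by-RST host would show "refused" within milliseconds instead. The same unanswered SYNs appear leaving the firewall's external interface (63.211.90.117), so the next check is whether any SYN-ACK from 161.58.168.104 ever arrives on that interface at all, for example with a capture filter such as `host 161.58.168.104 and tcp[13] & 0x12 == 0x12`. The `[|tcp]` at the end of the firewall-side lines means the default snaplen truncated the TCP options, so use `-s 0` (or a larger `-s`) when the option fields matter.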

