Whether or not you include an any-any-ident-reject rule will depend on your
SMTP mail volume.  In an environment where many thousands of SMTP messages
are passing through the firewall in a day, the rule is vital or else your
mail queue will become hopelessly backed up.  This happened at one of my
v4.1 customers.

Daniel Mengel, MCSE, CCSE
Info Systems, Inc., Wilmington, DE
http://www.infosysinc.com
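
The reject-versus-drop behaviour discussed below (a reject rule answers the MTA's ident query with an RST at once; a drop rule leaves the query hanging until the MTA's own timer expires) can be observed from the MTA's side with a small RFC 1413 client. The following is an added example and not code from this thread, from Check Point or from any MTA: it sends an ident query, parses the reply, and classifies the outcome as USERID, ERROR, REFUSED or TIMEOUT, with the elapsed time. The fake identd, the port pairs and the user name are constructed for the demonstration. REFUSED is what a reject rule (or a host with no identd) produces; a real drop rule shows up as the TIMEOUT branch, which is the delay the thread is about and cannot be reproduced on loopback.

```python
import socket
import threading
import time

# RFC 1413 ident queries go to TCP port 113 on the client host; the
# constructed test server below listens on an ephemeral loopback port instead.
IDENT_PORT = 113


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line.

    '<sport>, <cport> : USERID : <opsys> : <user>'  -> ('USERID', '<user>')
    '<sport>, <cport> : ERROR : <code>'            -> ('ERROR', '<code>')
    anything else                                  -> ('ERROR', 'MALFORMED')
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) >= 4 and parts[1].upper() == "USERID":
        return ("USERID", parts[3])
    if len(parts) == 3 and parts[1].upper() == "ERROR":
        return ("ERROR", parts[2])
    return ("ERROR", "MALFORMED")


def ident_lookup(host, port, server_port, client_port, timeout=2.0):
    """Ask the ident service at host:port who owns the TCP connection
    <client_port> -> <server_port>.  Returns (outcome, detail, elapsed_s).

    outcome: 'USERID' / 'ERROR'  - an identd answered
             'REFUSED'           - RST came back at once (no identd on the host,
                                   or a firewall *reject* rule answered for it)
             'TIMEOUT'           - nothing came back (a firewall *drop* rule;
                                   the MTA waits for the whole timeout)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
        status, value = parse_ident_reply(data.decode("ascii", "replace"))
        return (status, value, time.monotonic() - start)
    except ConnectionRefusedError:
        return ("REFUSED", "RST received", time.monotonic() - start)
    except (socket.timeout, TimeoutError):
        return ("TIMEOUT", f"no answer within {timeout}s", time.monotonic() - start)


def start_fake_identd(users):
    """Constructed stand-in for identd: 'users' maps (server_port, client_port)
    to a user name.  Returns the listening socket (port via getsockname())."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket was closed
                return
            with conn:
                req = conn.recv(128).decode("ascii", "replace")
                try:
                    sport, cport = (int(x) for x in req.split(","))
                    user = users.get((sport, cport))
                    if user:
                        reply = f"{sport}, {cport} : USERID : UNIX : {user}\r\n"
                    else:
                        reply = f"{sport}, {cport} : ERROR : NO-USER\r\n"
                except ValueError:
                    reply = "0, 0 : ERROR : INVALID-PORT\r\n"
                conn.sendall(reply.encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return srv


def closed_loopback_port():
    """Pick a loopback port with nothing listening, so a connect gets an RST:
    the same thing an MTA sees when the firewall has a *reject* rule for ident."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    identd = start_fake_identd({(25, 40000): "alice"})   # constructed mapping
    port = identd.getsockname()[1]
    print(ident_lookup("127.0.0.1", port, 25, 40000))   # identd answers: USERID alice
    print(ident_lookup("127.0.0.1", port, 25, 40001))   # identd answers: ERROR NO-USER
    print(ident_lookup("127.0.0.1", closed_loopback_port(), 25, 40000))  # REFUSED, ~0 s
    identd.close()
```

The point for the firewall rulebase is the third call: a refused connection returns in milliseconds, whereas a dropped one costs the sending MTA the full timeout per attempt, and MTAs that retry the query several times turn that into the 30-second stall reported in the thread. The result of the lookup is only ever used for a log line; nothing in the example gates mail delivery on it.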


-----Original Message-----
From: Kumar, Preet (Exchange) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 25, 2000 11:34 AM
To: 'Jürgen Waibel'; 'Francis Lee'; Dolinar, Jon;
[EMAIL PROTECTED]
Subject: RE: [FW1] Do I need these two rules??



If you reject the ident then the firewall will send back an RST to the
mailserver and there will be no more delay from the mailserver.
If you drop it then the mailserver will send the ident 3-4 times till it
times out and then proceeds.
I opted for reject. Faster, no unwanted packets to and from your network.
;-))

Preet

> -----Original Message-----
> From: Jürgen Waibel [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 10:38 AM
> To:   'Francis Lee'; Dolinar, Jon;
> [EMAIL PROTECTED]
> Subject:      AW: [FW1] Do I need these two rules??
> 
> This is a result of the smtp/ident procedure at all. The smtp-receiver
> starts back an ident-request to find out the sending user. If there is no
> ident service or the request is blocked this will result in the delay
> seen. After receiving a response from the ident server or (after the
> timeout) without a response the smtp process will continue as usual.
> SMTP does not depend on a working ident-server and it should even work
> totally without it. And if for 'cosmetic' reasons the dropped/rejected packets
> should be in the logfile, why not use a reject rule without logging.
>  
> -jw
> 
> -----Original Message-----
> From: Francis Lee [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 25 May 2000 15:44
> To: Dolinar, Jon; [EMAIL PROTECTED]
> Subject: RE: [FW1] Do I need these two rules??
> 
> 
> What I found out from my experience is that, unless I allow ident to the
> mail server, the mail client will have a hard time sending mail. That is,
> it'll take about 30 seconds for the mail client to send an email to the
> server.
>  
> Sniffer shows that the initial 3-way handshake occurs immediately but it
> takes a long time (and sometimes the mail client will say there's a
> connection timeout) to have the mail sent.
>  
>     -fl
> 
>       -----Original Message-----
>       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dolinar, Jon
>       Sent: Thursday, May 25, 2000 9:26 AM
>       To: '[EMAIL PROTECTED]'
>       Subject: RE: [FW1] Do I need these two rules??
>
> 
>       Hmm I tried all 3 ways and it seems some mail servers will not
>       send/receive mail without being able to IDENT?
>
>       maybe I am wrong but I am struggling with this now.
>
>       Also could anyone explain why I see packets like this? I am currently
>       dropping them based on a rule dropping all but IDENT to/from my firewall.
>
>       I also have a previous rule accepting and scanning incoming SMTP?
>
>
>       Service         Src                     Dst             Proto   S_port
>       varies          outside_host            MY FIREWALL     TCP     SMTP
> 
> 
>       -----Original Message----- 
>       From: Kumar, Preet (Exchange) [ <mailto:[EMAIL PROTECTED]>] 
>       Sent: Thursday, May 25, 2000 9:10 AM 
>       To: 'John Gesualdi'; fw 
>       Subject: RE: [FW1] Do I need these two rules?? 
> 
> 
> 
> 
>       Instead of dropping the ident reject them. 
> 
>       Preet 
> 
>       > -----Original Message----- 
>       > From: John Gesualdi [SMTP:[EMAIL PROTECTED]] 
>       > Sent: Thursday, May 25, 2000 8:57 AM 
>       > To:   fw 
>       > Subject:      Re: [FW1] Do I need these two rules?? 
>       > 
>       > 
>       > 
>       > 
>       > First, thanks to all who have replied on this subject.
>       >
>       > I tried disabling the ident rule, things continued to run well but I
>       > noticed many more drops in my firewall logs. Apparently my www, mail and
>       > dns server located in the DMZ behind the firewall use ident and without
>       > this rule I get many more drops in my logs so it's more of a cosmetic
>       > problem. I'm probably going to leave it in unless someone else has a
>       > better idea?
>       > 
>       > 
>       > 
>       > 
>       > John Gesualdi wrote:
>       >
>       > >     Hi,
>       > >
>       > >     I'm reviewing all the rules in my firewall. I have a couple of old
>       > > rules that don't seem to make sense any longer.
>       > >
>       > > Rule 1  =  any_host  any_destination  long_icmp  drop.
>       > > This rule was put in a long time ago for the Ping of Death DOS attack.
>       > > We are running fw1 vers 4.0sp5 on Solaris 2.6. Do I still need this rule?
>       > >
>       > > Rule 2  states that my Web server and dns,smtp server located in the
>       > > DMZ can do "ident" with any host. Why would I need this?
>       > >
>       > > Thank you.
>       > >
>       > > --
>       > > John Gesualdi
>       > > The Providence Journal Company
>       > > Phone  (401)277-8133
>       > > Pager  (401)785-6938
>       > > CCDP,CCNP
>       > >
>       > >
>       > > ================================================================================
>       > >      To unsubscribe from this mailing list, please see the instructions at
>       > >                <http://www.checkpoint.com/services/mailing.html>
>       > > ================================================================================
>       > 
>       > -- 
>       > John Gesualdi 
>       > The Providence Journal Company 
>       > Phone  (401)277-8133 
>       > Pager  (401)785-6938 
>       > CCDP,CCNP 
>       > 
>       > 
>       > 
>       > 
> 
> 
>       ***********************************************************************
>       Bear Stearns is not responsible for any recommendation, solicitation,
>       offer or agreement or any information about any transaction, customer
>       account or account activity contained in this communication.
>       ***********************************************************************