After figuring it out, I suggested they turn it off - but I basically
got the "dumb blank look". Hard to impose my beliefs on another
company.
: )
-----Original Message-----
From: pkumar [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, May 25, 2000 1:16 PM
To: WBChmura; fw-1-mailinglist
Cc: pkumar
Subject: FW: RE: [FW1] Do I need these two rules?? - FTP problems too
The best thing to do is turn off ident on wu-ftp. I think it is with a -I
option, or rejecting ident on firewall will also help. I did both.
Preet
> -----Original Message-----
> From: bill chmura [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 12:54 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [FW1] Do I need these two rules?? - FTP problems too
>
>
> I was dropping IDENT then I ran into a problem with an external FTP
> server. It was wu-ftp supporting an IDENT lookup. With the Idents
> being dropped it would just hang and never finish connecting.
>
>
>
>
> -----Original Message-----
> From: DMENGEL [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 12:13 PM
> To: fw-1-mailinglist
> Cc: DMENGEL
> Subject: FW: RE: [FW1] Do I need these two rules??
>
>
> Whether or not you include an any-any-ident-reject rule will depend on
> your SMTP mail volume. In an environment where many thousands of SMTP
> messages are passing through the firewall in a day, the rule is vital or
> else your mail queue will become hopelessly backed up. This happened at
> one of my v4.1 customers.
>
> Daniel Mengel, MCSE, CCSE
> Info Systems, Inc., Wilmington, DE
> http://www.infosysinc.com
>
>
> -----Original Message-----
> From: Kumar, Preet (Exchange) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 11:34 AM
> To: 'Jürgen Waibel'; 'Francis Lee'; Dolinar, Jon; [EMAIL PROTECTED]
> Subject: RE: [FW1] Do I need these two rules??
>
>
>
> If you reject the ident then the firewall will send back an RST to the
> mailserver and there will be no more delay from the mailserver.
> If you drop it then the mailserver will send the ident 3-4 times till it
> times out and then proceeds.
> I opted for reject. Faster, no unwanted packets to and from your
> network.
> ;-))
>
> Preet
>
> > -----Original Message-----
> > From: Jürgen Waibel [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, May 25, 2000 10:38 AM
> > To: 'Francis Lee'; Dolinar, Jon; [EMAIL PROTECTED]
> > Subject: AW: [FW1] Do I need these two rules??
> >
> > This is a result of the smtp/ident procedure at all. The smtp-receiver
> > starts back an ident-request to find out the sending user. If there is
> > no ident service or the request is blocked this will result in the
> > delay seen. After receiving a response from the ident server or (after
> > the timeout) without a response the smtp process will continue as
> > usual. SMTP does not depend on a working ident-server and it should
> > even work totally without it. And if for 'cosmetic' reasons the
> > dropped/rejected packets should be in the logfile, why not use a reject
> > rule without logging.
> >
> > -jw
> >
> > -----Original Message-----
> > From: Francis Lee [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 25 May 2000 15:44
> > To: Dolinar, Jon; [EMAIL PROTECTED]
> > Subject: RE: [FW1] Do I need these two rules??
> >
> >
> > What I found out from my experience is that, unless I allow ident to
> > the mail server, the mail client will have a hard time sending mails.
> > That is, it'll take about 30 seconds for the mail client to send an
> > email to the server.
> >
> > Sniffer shows that the initial 3-way handshaking occurs immediately but
> > it took a long time (and sometimes the mail client will say there's a
> > connection timeout) to have the mail sent.
> >
> > -fl
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dolinar, Jon
> > Sent: Thursday, May 25, 2000 9:26 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [FW1] Do I need these two rules??
> >
> >
> >
> > Hmm I tried all 3 ways and it seems some mail servers will not
> > send/receive mail without being able to IDENT?
> >
> > maybe I am wrong but I am struggling with this now.
> >
> > Also, could anyone explain why I see packets like this? I am
> > currently dropping them based on a rule dropping all but IDENT to/from
> > my firewall.
> >
> > I also have a previous rule accepting and scanning incoming SMTP?
> >
> >
> >
> > Service   Src            Dst           Proto   S_port
> > varies    outside_host   MY FIREWALL   TCP     SMTP
> >
> >
> > -----Original Message-----
> > From: Kumar, Preet (Exchange) [ <mailto:[EMAIL PROTECTED]>]
> > Sent: Thursday, May 25, 2000 9:10 AM
> > To: 'John Gesualdi'; fw
> > Subject: RE: [FW1] Do I need these two rules??
> >
> >
> >
> >
> > Instead of dropping the ident, reject them.
> >
> > Preet
> >
> > > -----Original Message-----
> > > From: John Gesualdi [SMTP:[EMAIL PROTECTED]]
> > > Sent: Thursday, May 25, 2000 8:57 AM
> > > To: fw
> > > Subject: Re: [FW1] Do I need these two rules??
> > >
> > >
> > >
> > >
> > > First, thanks to all who have replied on this subject.
> > >
> > > I tried disabling the ident rule, things continued to run well but I
> > > noticed many more drops in my firewall logs. Apparently my www, mail
> > > and dns server located in the DMZ behind the firewall use ident and
> > > without this rule I get many more drops in my logs so it's more of a
> > > cosmetic problem. I'm probably going to leave it in unless someone
> > > else has a better idea?
> > >
> > >
> > >
> > >
> > > John Gesualdi wrote:
> > >
> > > > Hi,
> > > >
> > > > I'm reviewing all the rules in my firewall. I have a couple of old
> > > > rules that don't seem to make sense any longer.
> > > >
> > > > Rule1 = any_host any_destination long_icmp drop. This rule was put
> > > > in a long time ago for the Ping of Death DOS attack. We are running
> > > > fw1 vers 4.0sp5 on Solaris 2.6. Do I still need this rule?
> > > >
> > > > Rule 2 states that my Web server and dns,smtp server located in the
> > > > DMZ can do "ident" with any host. Why would I need this?
> > > >
> > > > Thank you.
> > > >
> > > > --
> > > > John Gesualdi
> > > > The Providence Journal Company
> > > > Phone (401)277-8133
> > > > Pager (401)785-6938
> > > > CCDP,CCNP
> > > >
> > > >
> > >
> >
>
> > > > ========================================================================
> > > > To unsubscribe from this mailing list, please see the instructions at
> > > > <http://www.checkpoint.com/services/mailing.html>
> > > > ========================================================================
> > >
> > > --
> > > John Gesualdi
> > > The Providence Journal Company
> > > Phone (401)277-8133
> > > Pager (401)785-6938
> > > CCDP,CCNP
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
> > ***********************************************************************
> > Bear Stearns is not responsible for any recommendation, solicitation,
> > offer or agreement or any information about any transaction, customer
> > account or account activity contained in this communication.
> > ***********************************************************************
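The drop-versus-reject behaviour the thread argues about, shown as an added example that is not from any of the list posts: a small RFC 1413 ident client with a bounded timeout, run against three constructed loopback cases. An identd that answers, a closed port (which returns a TCP RST, as a firewall reject rule does), and a listener that swallows the query without replying (standing in for a drop rule; a real drop stalls at the SYN, but the caller waits the same way). The port pair 6193/25, the user name "preet", the one-second timeout and all the loopback listeners are assumptions made for the demo; a real MTA's ident timeout is what sets the length of the stall Francis and Preet describe.

```python
"""Added example: RFC 1413 ident client plus three constructed loopback cases
(answered / rejected / dropped) to show why a rejected ident query returns at
once while a dropped one holds the caller until its timeout expires."""
import socket
import threading
import time

# Timeout for the demo only; MTAs of the era waited far longer, which is the
# ~30-second stall the thread describes.
DEMO_TIMEOUT = 1.0


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line.

    '6193 , 25 : USERID : UNIX : preet' -> ('USERID', 'UNIX', 'preet')
    '6193 , 25 : ERROR : NO-USER'       -> ('ERROR', 'NO-USER', None)
    """
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) >= 4 and fields[1] == "USERID":
        return ("USERID", fields[2], fields[3])
    if len(fields) == 3 and fields[1] == "ERROR":
        return ("ERROR", fields[2], None)
    raise ValueError("malformed ident reply: %r" % line)


def _read_line(sock, limit=1000):
    """Read up to one CRLF-terminated line (RFC 1413 caps lines at 1000 octets)."""
    buf = b""
    while b"\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def ident_query(host, ident_port, port_on_ident_host, port_on_our_host,
                timeout=DEMO_TIMEOUT):
    """Ask identd on `host` who owns its end of the TCP connection
    <host:port_on_ident_host> <-> <us:port_on_our_host>, as an MTA does for an
    inbound SMTP session. Returns (outcome, detail, elapsed_seconds):
      ('USERID', user, t)   identd answered
      ('ERROR', code, t)    identd answered with an error
      ('REFUSED', None, t)  a TCP RST came back (reject rule, or no identd)
      ('TIMEOUT', None, t)  nothing came back before `timeout` (drop rule)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.settimeout(timeout)
            # Query format: "<port-on-server> , <port-on-client>" CRLF
            s.sendall(("%d , %d\r\n" % (port_on_ident_host, port_on_our_host)).encode("ascii"))
            kind, opsys_or_code, user = parse_ident_reply(_read_line(s))
            detail = user if kind == "USERID" else opsys_or_code
            return (kind, detail, time.monotonic() - start)
    except ConnectionRefusedError:
        return ("REFUSED", None, time.monotonic() - start)
    except socket.timeout:
        return ("TIMEOUT", None, time.monotonic() - start)


def _one_shot_listener(handler):
    """Constructed fixture: accept one connection on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def _answering_identd(conn):
    """Minimal identd: echo the port pair and attribute the connection to the
    constructed user 'preet'."""
    query = _read_line(conn).strip()
    conn.sendall(("%s : USERID : UNIX : preet\r\n" % query).encode("ascii"))


def _silent_identd(conn):
    """Stands in for a firewall drop rule: the query vanishes, nothing comes back."""
    time.sleep(DEMO_TIMEOUT * 3)


def _closed_port():
    """Reserve then release a loopback port so a connect to it is answered with
    a RST, which is what a firewall reject rule sends."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Run the three cases and return {case: (outcome, detail, elapsed)}."""
    # Constructed port pair: the remote "sender" used source port 6193 to reach our port 25.
    cases = {
        "answered": _one_shot_listener(_answering_identd),
        "rejected": _closed_port(),
        "dropped": _one_shot_listener(_silent_identd),
    }
    return {name: ident_query("127.0.0.1", port, 6193, 25) for name, port in cases.items()}


if __name__ == "__main__":
    for name, (outcome, detail, elapsed) in run_demo().items():
        print("%-9s %-8s %-6s %.2fs" % (name, outcome, detail, elapsed))
```

Running it prints one row per case: the answered query comes back with the user name, the rejected one fails in well under a millisecond, and the dropped one only returns after the full timeout. Multiply that last figure by the number of inbound SMTP sessions per day and you have the queue backlog Daniel Mengel describes; the reject rule turns each of those waits into an immediate refusal.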