Hi all, I'm using Proventia G100 with FW rules and having some trouble. Does anyone know how the Proventia G FW function works?
Currently, my Proventia G FW rule set has several rules like this:

#1 adapter any ip src addr any dst addr any tcp dst port 25 MONITOR
#18 adapter any ip src addr any dst addr any DROP

So, all SMTP connections are supposed to be MONITORED by rule #1, and rule #18 should work as a clean-up rule. Almost all SMTP connections are passed, but some of them are dropped by the clean-up rule according to the FW log.

2005/06/22,18:03:29,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:29,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:30,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:30,18,TCP,67.28.114.35,192.168.1.70,25,2144,DROP
2005/06/22,18:03:31,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:31,18,TCP,67.28.114.35,192.168.1.70,25,2144,DROP
2005/06/22,18:03:34,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:34,18,TCP,67.28.114.35,192.168.1.70,25,2144,DROP
2005/06/22,18:03:39,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:39,18,TCP,67.28.114.35,192.168.1.70,25,2144,DROP
2005/06/22,18:03:49,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:04:09,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:04:49,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:06:10,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR

As you can see, the dropped packets seem to be reply packets from the SMTP server. I've tried to figure out what's going on, and it seems the FW rule drops *retransmitted* FIN/ACK packets. I used Ethereal and found several retransmitted FIN+ACK packets from the client to the SMTP server to get an ACK packet from the SMTP server to close. Since the SMTP server already sent an ACK packet to close the session, Proventia G FW rule #1 doesn't think it belongs to an established SMTP connection. That's my guess, and I need detailed Proventia G FW information to explain this behavior. Any information would be greatly appreciated.

Thank you,
---
Tetsuo Okuda
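Added example, not part of the original post: one way to confirm from the firewall log alone that the clean-up rule is hitting reply traffic is to match each DROP entry against the reverse of a flow already logged as MONITOR. The field order (date, time, rule, protocol, source, destination, source port, destination port, action) is inferred from the quoted log lines, and the sample is abridged from the post with one constructed unrelated drop appended.

```python
import csv
from collections import Counter

# Sample input: four lines abridged from the post, plus one constructed
# unrelated drop (last line) that must NOT be reported as a reply drop.
SAMPLE_LOG = """\
2005/06/22,18:03:29,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:30,18,TCP,67.28.114.35,192.168.1.70,25,2144,DROP
2005/06/22,18:03:31,1,TCP,192.168.1.70,67.28.114.35,2144,25,MONITOR
2005/06/22,18:03:31,18,TCP,67.28.114.35,192.168.1.70,25,2144,DROP
2005/06/22,18:03:40,18,TCP,10.9.9.9,192.168.1.70,4000,23,DROP
"""

# Assumed column layout, inferred from the log lines quoted in the post.
FIELDS = ["date", "time", "rule", "proto", "src", "dst", "sport", "dport", "action"]

def parse(text):
    """Parse comma-separated log text into dicts, skipping malformed lines."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) == len(FIELDS):
            rows.append(dict(zip(FIELDS, rec)))
    return rows

def flow_key(r, reverse=False):
    """Return (proto, src, sport, dst, dport), optionally with endpoints swapped."""
    a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
    return (r["proto"],) + ((b + a) if reverse else (a + b))

def reply_drops(rows, allow_action="MONITOR", drop_action="DROP"):
    """Count drops whose 5-tuple is the reverse of an earlier allowed flow."""
    seen = set()
    hits = Counter()
    for r in rows:  # the log is assumed to be in chronological order
        if r["action"] == allow_action:
            seen.add(flow_key(r))
        elif r["action"] == drop_action and flow_key(r, reverse=True) in seen:
            hits[(flow_key(r, reverse=True), r["rule"])] += 1
    return hits

if __name__ == "__main__":
    for (flow, rule), n in reply_drops(parse(SAMPLE_LOG)).items():
        print(f"rule {rule} dropped {n} reply packet(s) for flow {flow}")
```

Drops that match a monitored flow in reverse point at the return path not being covered by the port-25 rule; drops with no matching flow are ordinary clean-up hits.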
