The RFC you ask about relates to TCP connections; nothing changes from
that just because it is SMTP. What is most likely occurring is that FW1
has a timeout value and is dropping the connections before the remote
servers respond. Check your timeout value for the port 25 "proxy", or
whatever FW1 calls it, and increase the value.

Hope this helps,
Mickey

-----Original Message-----
From: Matt Simonsen [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 28, 2001 4:55 PM
To: Matt Simonsen
Cc: [EMAIL PROTECTED]
Subject: Re: Traffic from port 25 to high ports?


Wow - this was delayed. I have since found out that SMTP traffic goes
from a high port > 25 and then from 25 > the same high port. My firewall
is supposed to keep state - if it is I don't see why the packets are
missed by that. Perhaps they are changing the high port they are sent
back to? Is there anything in the RFCs that says a server *must* use the
same return high port after having a client connect to its port 25?
Perhaps I should just block and ignore the traffic, but I wish I knew
what they were. Even with them being blocked mail still goes out so it
seems the firewall is keeping state properly, at least in most of the
scenarios.



Matt Simonsen wrote:

> I am seeing traffic regularly coming from remote servers' port 25 
> destined to our servers' high ports, generally in the 1-3k range. Is 
> this normal? I plan to block it all, from what I understand SMTP goes 
> only from 25 to 25, but if that's the case I can't figure out what 
> this would be.
>
> According to our IPFilter logs the traffic generally has -AFP set, 
> please let me know off-line if a tidbit of info I could provide can 
> help you answer my question.
>
> Thanks
> Matt Simonsen
>
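
The behaviour discussed in this thread, as an added example that is not part of either message: a toy state table showing why a late -AFP segment from a remote port 25 to the client's high port is logged as blocked once the idle timeout has expired the entry. The addresses, ports, timestamps and timeout values are constructed and are not FW-1 or IPFilter defaults.

```python
"""Toy model of a stateful filter's TCP state table (constructed example)."""

class StateTable:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout  # seconds an idle entry is kept
        self.entries = {}                 # (client, cport, server, sport) -> last seen

    def _live(self, key, now):
        """True if state exists and has not idled out; expired entries are purged."""
        last = self.entries.get(key)
        if last is not None and now - last > self.idle_timeout:
            del self.entries[key]
            last = None
        return last is not None

    def outbound(self, now, src, sport, dst, dport, flags):
        """Packet leaving the client: a bare SYN creates state, others must match it."""
        key = (src, sport, dst, dport)
        if flags == "S" or self._live(key, now):
            self.entries[key] = now
            return "pass"
        return "block"

    def inbound(self, now, src, sport, dst, dport, flags):
        """Packet from the server: passes only while the mirrored entry is live."""
        key = (dst, dport, src, sport)
        if self._live(key, now):
            self.entries[key] = now
            return "pass"
        return "block"

CLIENT, SERVER = "192.0.2.10", "198.51.100.25"  # documentation addresses

def replay(idle_timeout):
    """One outbound SMTP session in which the remote server answers slowly."""
    fw = StateTable(idle_timeout)
    return [
        fw.outbound(0, CLIENT, 2048, SERVER, 25, "S"),    # client connects from a high port
        fw.inbound(1, SERVER, 25, CLIENT, 2048, "SA"),    # reply returns to the same high port
        fw.outbound(2, CLIENT, 2048, SERVER, 25, "AP"),   # mail data sent
        fw.inbound(95, SERVER, 25, CLIENT, 2048, "AFP"),  # server's final segment, 93 s later
    ]

if __name__ == "__main__":
    for timeout in (60, 120):
        print(timeout, replay(timeout))
```

With the shorter timeout only the last segment is dropped, which matches mail still being delivered while port 25 to high-port packets appear in the block log.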

