Title: RE: [FW1] Do I need these two rules??
This is a result of the SMTP/ident procedure. The SMTP receiver sends back an ident request to find out the sending user. If there is no ident service, or the request is blocked, this will result in the delay seen. After receiving a response from the ident server, or after the timeout without a response, the SMTP process will continue as usual.
SMTP does not depend on a working ident server and it should even work totally without it. And if for 'cosmetic' reasons the dropped/rejected packets should be in the logfile, why not use a reject rule without logging.
 
-jw
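The exchange jw describes above (the receiving MTA queries the sender's host on TCP 113 and then carries on whether or not an answer arrives), together with Preet's advice further down to reject the ident traffic rather than drop it, as an added example that is not part of this thread or of any product discussed in it. It is a minimal RFC 1413 responder and an MTA-side lookup in Python on loopback. The connection table, the user name "alice", the port numbers 34567/25 and the 0.5 s timeout are constructed for the demonstration; a real identd listens on TCP 113, while this example binds ephemeral ports so it runs unprivileged.

```python
"""Ident (RFC 1413) as a receiving MTA uses it, and the three outcomes a
firewall policy produces for the query: answered, rejected (RST), no reply.
Added example for this thread; all ports, users and timeouts are constructed."""
import socket
import threading
from typing import Dict, Optional, Tuple

# Constructed stand-in for the kernel's TCP connection table on the sending
# host: (port on this host, port on the querying host) -> owning user.
CONNECTIONS = {(34567, 25): "alice"}


def handle_ident_query(line: str) -> str:
    """Build the RFC 1413 reply for one request "<port-on-server>, <port-on-client>"."""
    request = line.strip()
    try:
        server_port, client_port = (int(p) for p in request.split(","))
        if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
            raise ValueError(request)
    except ValueError:
        return f"{request} : ERROR : INVALID-PORT\r\n"
    user = CONNECTIONS.get((server_port, client_port))
    if user is None:
        return f"{server_port}, {client_port} : ERROR : NO-USER\r\n"
    return f"{server_port}, {client_port} : USERID : UNIX : {user}\r\n"


def serve_ident(listener: socket.socket) -> None:
    """One-shot identd: accept a single query and answer it."""
    conn, _ = listener.accept()
    with conn:
        line = conn.recv(512).decode("ascii", "replace")
        conn.sendall(handle_ident_query(line).encode("ascii"))


def ident_lookup(host: str, port: int, server_port: int, client_port: int,
                 timeout: float = 0.5) -> Tuple[str, Optional[str]]:
    """MTA side: ask the peer's identd who owns the connection. SMTP goes on
    regardless; the outcome only decides how long the client is kept waiting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            reply = sock.recv(512).decode("ascii", "replace")
    except ConnectionRefusedError:
        return "refused", None       # REJECT rule or no identd: RST, no delay
    except socket.timeout:
        return "timeout", None       # no answer at all: MTA waits the full timeout
    fields = [f.strip() for f in reply.split(":")]
    if len(fields) == 4 and fields[1] == "USERID":
        return "answered", fields[3]
    return "error", None             # e.g. NO-USER or HIDDEN-USER


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the three cases on loopback with an ephemeral port (real identd is TCP 113)."""
    results = {}
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    # 1. identd reachable and answering.
    worker = threading.Thread(target=serve_ident, args=(listener,))
    worker.start()
    results["answered"] = ident_lookup("127.0.0.1", port, 34567, 25)
    worker.join()

    # 2. Nobody ever answers. The kernel completes the handshake from the backlog,
    #    so this is not byte-for-byte what a DROP rule does (there the SYN is
    #    never answered), but the MTA experiences the same thing: a silent wait
    #    until its ident timeout expires.
    results["dropped"] = ident_lookup("127.0.0.1", port, 34567, 25)
    listener.close()

    # 3. Port closed: the kernel replies with RST, exactly what a REJECT rule
    #    gives the MTA, so it moves on immediately.
    results["refused"] = ident_lookup("127.0.0.1", port, 34567, 25)
    return results


if __name__ == "__main__":
    for case, (outcome, user) in demo().items():
        print(f"{case:9s} -> {outcome}, user={user}")
```

Run it and the "dropped" case is the only one that takes noticeable time; that wait is the per-message delay Francis reports, scaled down here from the typical 30 s to the example's 0.5 s timeout. A REJECT rule turns the wait into an instant RST, which is why it removes the delay without any ident service having to exist.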
-----Original Message-----
From: Francis Lee [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 25 May 2000 15:44
To: Dolinar, Jon; [EMAIL PROTECTED]
Subject: RE: [FW1] Do I need these two rules??

What I found out from my experience is that, unless I allow ident to the mail server, the mail client will have a hard time sending mail. That is, it will take about 30 seconds for the mail client to send an email to the server.
 
The sniffer shows that the initial 3-way handshake occurs immediately, but it took a long time (and sometimes the mail client will say there is a connection timeout) to have the mail sent.
 
    -fl
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dolinar, Jon
Sent: Thursday, May 25, 2000 9:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [FW1] Do I need these two rules??

Hmm, I tried all 3 ways and it seems some mail servers will not send/receive mail without being able to IDENT?

maybe I am wrong but I am struggling with this now.

Also, could anyone explain why I see packets like this? I am currently dropping them based on a rule dropping all but IDENT to/from my firewall.

I also have a previous rule accepting and scanning incoming SMTP?



Service   Src            Dst            Proto   S_port
varies    outside_host   MY FIREWALL    TCP     SMTP


-----Original Message-----
From: Kumar, Preet (Exchange) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 25, 2000 9:10 AM
To: 'John Gesualdi'; fw
Subject: RE: [FW1] Do I need these two rules??




Instead of dropping the ident, reject them.

Preet

> -----Original Message-----
> From: John Gesualdi [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 8:57 AM
> To:   fw
> Subject:      Re: [FW1] Do I need these two rules??
>
>
>
>
> First, thanks to all who have replied on this subject.
>
>  I tried disabling the ident rule; things continued to run well, but I noticed many
> more drops in my firewall logs. Apparently my www, mail and dns servers located in the
> DMZ behind the firewall use ident, and without this rule I get many more drops in my
> logs, so it's more of a cosmetic problem. I'm probably going to leave it in unless
> someone else has a better idea?
>
>
>
>
> John Gesualdi wrote:
>
> >     Hi,
> >
> >     I'm reviewing all the rules in my firewall. I have a couple of old rules
> > that don't seem to make sense any longer.
> >
> > Rule 1  =    any_host     any_destination     long_icmp    drop.  This rule was
> > put in a long time ago for the Ping of Death DOS attack. We are running fw1 vers
> > 4.0sp5 on Solaris 2.6. Do I still need this rule?
> >
> > Rule 2  states that my Web server and dns, smtp server located in the DMZ can
> > do "ident" with any host. Why would I need this?
> >
> >     Thank you.
> >
> > --
> > John Gesualdi
> > The Providence Journal Company
> > Phone  (401)277-8133
> > Pager  (401)785-6938
> > CCDP,CCNP
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
>
> --
> John Gesualdi
> The Providence Journal Company
> Phone  (401)277-8133
> Pager  (401)785-6938
> CCDP,CCNP
>
>
>
>

