If you reject the ident then the firewall will send back an RST to the
mailserver and there will be no more delay from the mailserver.
If you drop it then the mailserver will send the ident 3-4 times till it
times out and then proceeds.
I opted for reject. Faster, no unwanted packets to and from your network.
;-))
Preet
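The ident round-trip the replies below describe, and the timing difference between a reject (RST) and a drop, as an added example; this is not code from the list or from Check Point. It is a small RFC 1413 ident client written the way a mail receiver performs its lookup, exercised against loopback stand-ins so it runs offline: one responder answers like an ident daemon, an unused port refuses the connection the way a REJECT rule's RST does, and a "hang" responder that accepts the connection but never replies is my approximation of what a DROP rule does to the querying mailserver (a real drop leaves even the SYN unanswered, but the client-side wait is the same). The port pair 40123/25, the user "alice" and the 0.5 s timeout are constructed values.

```python
import socket
import threading
import time

# Port where a real RFC 1413 ident server listens; the demo below uses
# loopback responders on ephemeral ports instead so it needs no network.
IDENT_PORT = 113


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line.

    Success: '<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>'
    Failure: '<port-on-server> , <port-on-client> : ERROR : <error-type>'
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) >= 4 and parts[1].upper() == "USERID":
        return {"status": "USERID", "ports": parts[0], "opsys": parts[2], "user": parts[3]}
    if len(parts) == 3 and parts[1].upper() == "ERROR":
        return {"status": "ERROR", "ports": parts[0], "code": parts[2]}
    return {"status": "MALFORMED", "raw": line}


def ident_lookup(host, port, their_port, our_port, timeout):
    """Ask the ident server on `host` who owns the TCP connection
    <their_port on host> -> <our_port on us>, as a mail receiver does.
    Returns (parsed_reply, elapsed_seconds)."""
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{their_port} , {our_port}\r\n".encode("ascii"))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            result = parse_ident_reply(data.decode("ascii", "replace"))
    except ConnectionRefusedError:
        # REJECT rule (TCP RST) or no ident daemon: the client learns at once.
        result = {"status": "REFUSED"}
    except socket.timeout:
        # DROP rule: nothing ever comes back, the client waits out its timer.
        result = {"status": "TIMEOUT"}
    return result, time.monotonic() - started


def start_responder(mode, user=b"alice", timeout=0.5):
    """Loopback stand-in for the remote end (constructed for this demo).
    mode 'answer' replies like an ident daemon; mode 'hang' accepts the
    connection but never replies, giving the client the wait a DROP causes.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            query = conn.recv(64).strip()  # "<their_port> , <our_port>"
            if mode == "answer":
                conn.sendall(query + b" : USERID : UNIX : " + user + b"\r\n")
            else:
                time.sleep(timeout * 3)  # outlive the client's timer, then drop the socket

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """An ephemeral loopback port nothing listens on: connecting to it is
    refused immediately, the effect a REJECT rule produces with its RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=0.5):
    """Run the three cases a mail receiver can hit and return their results."""
    their_port, our_port = 40123, 25  # constructed SMTP connection tuple
    answered = ident_lookup("127.0.0.1", start_responder("answer", timeout=timeout),
                            their_port, our_port, timeout)
    refused = ident_lookup("127.0.0.1", unused_port(), their_port, our_port, timeout)
    hung = ident_lookup("127.0.0.1", start_responder("hang", timeout=timeout),
                        their_port, our_port, timeout)
    return {"answered": answered, "refused": refused, "hung": hung}


if __name__ == "__main__":
    for case, (reply, secs) in demo().items():
        print(f"{case:9s} {reply['status']:9s} {secs:.3f}s {reply.get('user', '')}")
```

Running it shows the refused case returning in milliseconds while the hung case uses the full timeout; a real MTA repeats the attempt or waits considerably longer, which is the delay the thread observes. The lookup is also a useful reminder that whatever the ident server returns is an unauthenticated string from the peer, so it belongs in logs only as a hint, never as an access decision.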
> -----Original Message-----
> From: Jürgen Waibel [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 10:38 AM
> To: 'Francis Lee'; Dolinar, Jon;
> [EMAIL PROTECTED]
> Subject: AW: [FW1] Do I need these two rules??
>
> This is a result of the smtp/ident procedure at all. The smtp-receiver
> starts back an ident-request to find out the sending user. If there is no
> ident service or the request is blocked this will result in the delay
> seen. After receiving a response from the ident server or (after the
> timeout) without a response the smtp process will continue as usual.
> SMTP does not depend on a working ident-server and it should even work
> totally without it. And if for 'cosmetic' reasons the dropped/rejected packets
> should be in the logfile, why not use a reject rule without logging.
>
> -jw
>
> -----Original Message-----
> From: Francis Lee [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 15:44
> To: Dolinar, Jon; [EMAIL PROTECTED]
> Subject: RE: [FW1] Do I need these two rules??
>
>
> What I found out from my experience is that, unless I allow ident to the
> mail server, the mail client will have a hard time sending mail. That is,
> it'll take about 30 seconds for the mail client to send an email to the
> server.
>
> Sniffer shows that the initial 3-way handshaking occurs immediately but it
> took a long time (and sometimes the mail client will say there's a
> connection timeout) to have the mail sent.
>
> -fl
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Dolinar, Jon
> Sent: Thursday, May 25, 2000 9:26 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [FW1] Do I need these two rules??
>
>
>
> Hmm, I tried all 3 ways and it seems some mail servers will not
> send/receive mail without being able to IDENT?
>
> Maybe I am wrong but I am struggling with this now.
>
> Also, could anyone explain why I see packets like this? I am currently
> dropping them based on a rule dropping all but IDENT to/from my firewall.
>
> I also have a previous rule accepting and scanning incoming SMTP?
>
>
>
> Service   Src           Dst          Proto  S_port
> varies    outside_host  MY FIREWALL  TCP    SMTP
>
>
> -----Original Message-----
> From: Kumar, Preet (Exchange) [ <mailto:[EMAIL PROTECTED]>]
> Sent: Thursday, May 25, 2000 9:10 AM
> To: 'John Gesualdi'; fw
> Subject: RE: [FW1] Do I need these two rules??
>
>
>
>
> Instead of dropping the ident, reject them.
>
> Preet
>
> > -----Original Message-----
> > From: John Gesualdi [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, May 25, 2000 8:57 AM
> > To: fw
> > Subject: Re: [FW1] Do I need these two rules??
> >
> >
> >
> >
> > First, thanks to all who have replied on this subject.
> >
> > I tried disabling the ident rule, things continued to run well but I
> > noticed many more drops in my firewall logs. Apparently my www, mail and dns
> > server located in the DMZ behind the firewall use ident and without this
> > rule I get many more drops in my logs so it's more of a cosmetic problem.
> > I'm probably going to leave it in unless someone else has a better idea?
> >
> >
> >
> >
> > John Gesualdi wrote:
> >
> > > Hi,
> > >
> > > I'm reviewing all the rules in my firewall. I have a couple of old
> > > rules that don't seem to make sense any longer.
> > >
> > > Rule1 = any_host any_destination long_icmp drop. This rule was
> > > put in a long time ago for the Ping of Death DOS attack. We are running
> > > fw1 vers 4.0sp5 on Solaris 2.6. Do I still need this rule?
> > >
> > > Rule 2 states that my Web server and dns,smtp server located in the
> > > DMZ can do "ident" with any host. Why would I need this?
> > >
> > > Thank you.
> > >
> > > --
> > > John Gesualdi
> > > The Providence Journal Company
> > > Phone (401)277-8133
> > > Pager (401)785-6938
> > > CCDP,CCNP
> > >
> > >
> >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > <http://www.checkpoint.com/services/mailing.html>
> > > ================================================================================
> >
> > --
> > John Gesualdi
> > The Providence Journal Company
> > Phone (401)277-8133
> > Pager (401)785-6938
> > CCDP,CCNP
> >
> >
> >
> >
> >
>
>
>
> ***********************************************************************
> Bear Stearns is not responsible for any recommendation, solicitation,
> offer or agreement or any information about any transaction, customer
> account or account activity contained in this communication.
> ***********************************************************************
>
>
>
>