Hello,
I am being plagued by users wanting to work (or play?) with AOL's instant
messenger service (AIM) through my Firewall 1 (4.0 on Solaris). They are
having intermittent problems with receiving new message session attempts
and having to log in repeatedly. I am seeing dropped packets in the
firewall log that originate at AOL's servers.
I see the AIM client connecting to the AIM servers every 5 minutes and what
looks like the AIM servers attempting to start new TCP sessions back to the
clients every five minutes and whenever someone tries to start a new AIM
messaging session with one of my users. It does not look like the TCP
session is timing out, rather like the AIM servers are trying to establish
new sessions to the source ports our workstations use to connect to AIM.
The AIM TCP port (5190) shows up as the source ports of these attempts.
Has anyone else run into this? Are these just session timeouts that are
not being logged correctly? Can anyone think of a way to allow these
inbound sessions when I cannot know what ports they will be coming to (I
don't see a way to create a rule based solely on the TCP source port -- it
is requiring me to enter a destination port)?
And a related question: What is a good TCP timeout to set on the firewall?
Here is a log snippet showing a typical session from the time I open the
AIM client to about 30 minutes later:
DATE TIME ACTION Service SourceIP DestIP Protocol SourcePort
1Aug2000 8:33:19 accept AOL MYWorkstation 152.163.242.24 tcp 1317
1Aug2000 8:33:20 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:33:22 accept AOL MYWorkstation 205.188.4.112 tcp 1321
1Aug2000 8:33:22 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:33:23 accept AOL MYWorkstation 152.163.241.90 tcp 1322
1Aug2000 8:38:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:38:18 accept AOL MYWorkstation 205.188.4.112 tcp 1321
1Aug2000 8:38:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:43:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:43:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:43:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
1Aug2000 8:43:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
1Aug2000 8:48:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:48:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:48:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
1Aug2000 8:48:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
1Aug2000 8:53:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:53:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:53:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
1Aug2000 8:53:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
1Aug2000 8:53:44 accept AOL MYWorkstation 152.163.241.92 tcp 1362
1Aug2000 8:58:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:58:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:58:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
1Aug2000 9:03:19 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 9:03:19 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 9:03:19 drop 1318 152.163.244.93 MYWorkstation tcp AOL
1Aug2000 9:03:19 drop 1320 205.188.6.209 MYWorkstation tcp AOL
1Aug2000 9:08:19 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 9:08:19 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 9:08:19 drop 1318 152.163.244.93 MYWorkstation tcp AOL
1Aug2000 9:08:19 drop 1320 205.188.6.209 MYWorkstation tcp AOL
Thanks for your time,
Matt Ruehlen
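One check worth running on a log like the one above, before tuning the TCP timeout, is to pair each dropped inbound packet with the outbound connection the firewall accepted earlier from the same workstation port to the same server: a drop that has such a partner is the server side of a session the client itself opened (the kind of thing you see when the state-table entry has aged out), while a drop with no partner is a genuinely unsolicited inbound attempt. The script below is an added example, not part of the original post; the log lines it embeds are constructed in the same column layout as the snippet, and the 192.0.2.7 entry is a made-up server added to show the unmatched case.

```python
"""Correlate FireWall-1 'drop' records with the outbound 'accept' they answer."""
from collections import namedtuple

# Column layout of the snippet: DATE TIME ACTION Service SourceIP DestIP Protocol SourcePort
Record = namedtuple("Record", "date time action service src dst proto sport")

# Constructed sample log (same layout as the posted snippet; 192.0.2.7 is a
# made-up server so that one drop has no matching outbound connection).
SAMPLE_LOG = """\
1Aug2000 8:33:20 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:33:22 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:43:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:43:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
1Aug2000 8:43:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
1Aug2000 8:53:44 accept AOL MYWorkstation 152.163.241.92 tcp 1362
1Aug2000 8:58:18 drop 1400 192.0.2.7 MYWorkstation tcp AOL
"""


def parse(text):
    """Split whitespace-separated log lines into Record tuples."""
    return [Record(*line.split()) for line in text.splitlines() if line.strip()]


def correlate_drops(records):
    """Return (matched, unmatched) drops.

    In the drop lines the 'Service' column carries the destination port on the
    workstation and the 'SourcePort' column the service name of the server's
    port (AOL = 5190), so a drop is keyed by (workstation, workstation port,
    server) to look up the outbound accept that opened that connection.
    """
    outbound = {}  # (workstation, workstation_port, server) -> time of last accept
    matched, unmatched = [], []
    for r in records:
        if r.action == "accept":
            outbound[(r.src, r.sport, r.dst)] = r.time
        elif r.action == "drop":
            key = (r.dst, r.service, r.src)
            if key in outbound:
                matched.append((r.time, r.src, r.service, outbound[key]))
            else:
                unmatched.append((r.time, r.src, r.service))
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = correlate_drops(parse(SAMPLE_LOG))
    for t, server, port, opened in matched:
        print(f"{t} drop from {server} to port {port}: reply to connection accepted at {opened}")
    for t, server, port in unmatched:
        print(f"{t} drop from {server} to port {port}: no outbound connection seen")
```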
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================