Usually, high port numbers are assigned to clients. Clients on VM include FTP, TELNET, NFS, and Charlotte (web browser).
All the more reason why they MUST get you the contents of (some of) the packets. With that you might be able to identify which client. Why did they think it was email, if they could not see the contents of the packets?

I think you would have to run a TCPIP trace to determine who is using those ports. You might want to open an incident with IBM to get instructions for the trace.

If someone is running a server on such ports, you should be able to see that in NETSTAT CONN, under "Local Socket". You might have to run it repeatedly, if they only act as a server for a short time.

Alan.dot.Ackerman.at.Bank of America.dot.com

On Fri, 20 Oct 2006 09:17:06 -0700, Schuh, Richard <[EMAIL PROTECTED]> wrote:

>The people monitoring the firewall logs, InfoSec, are saying that the packets are coming to the firewall from VM. Originally, they told us it was e-mail. We had them confirm this with Cisco, and they have had to retreat from that stand. It is apparently a generic "TCP packet" that has "no associated connection in the firewall unit's connection table."
>
>While we were going down the e-mail blind alley, we could find no evidence confirming that assertion. I have looked at all spooled console logs, not just those belonging to the TCPIP suite, and all disk log files maintained by the TCP gang, and can find nothing out of the ordinary.
>
>One thing that seems constant is that the packets are usually sent from some high, 19nnn-29nnn, port numbers. Does that ring a bell with someone or suggest some place to look for a culprit?
>
>Sigh! I think that it is about time for us to join the orbital referral circle.
>
>Regards,
>Richard Schuh
>
>P.S. I can only set up lunch if They agree to pay Their own travel expenses. There are too many different cities involved. If They also agree to pay mine, I can arrange for it to be in some exotic location.
>
>> -----Original Message-----
>> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
>> Behalf Of Alan Altmark
>> Sent: Friday, October 20, 2006 6:43 AM
>> To: IBMVM@LISTSERV.UARK.EDU
>> Subject: Re: SMTP Verify Client Exit
>>
>> On Thursday, 10/19/2006 at 03:28 MST, "Schuh, Richard" <[EMAIL PROTECTED]> wrote:
>> > Thanks, Miguel. That solves the mystery of Verify Client. Since we are not allowed to receive mail, our problem (flooding a firewall with disconnected packets) is not likely to be solved with that exit. Originally, we were told that it was e-mail. Today, we got firewall monitors to check the message meaning, and the word from Cisco that it is a generic "packet that has no specific connection in the firewall unit's connection table", not specifically e-mail.
>>
>> Help me out, Richard. You've got bogus packets hitting the firewall and the firewall is letting them through to hit your VM system? Or is it (properly) dropping them? Is the firewall logging the origin info? Or are they saying the VM system is generating the bad packets?
>>
>> What is it They expect you to do? If They insist, call the network support folks and tell them to call the Security folks. You can set up lunch for them. :-)
>>
>> Alan Altmark
>> z/VM Development
>> IBM Endicott