Jefferson Ogata wrote: Okay, and does tcpdump on 10.0.1.10 see the SYN packet? Is there a socket on 10.0.1.10 in SYN_SENT or SYN_RECV state (use netstat -an)? Is there a packet filter on 10.0.1.10?
Yes, I got some data from there:
17:17:07.758787 2xx.xxx.xxx.195.1269 > bacalhau.ssp-go.net.smtp: S 4007012385:4007012385(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 10978099 0> (DF) [tos 0x10]
17:17:07.759219 bacalhau.ssp-go.net.smtp > 2xx.xxx.xxx.195.1269: S 2475148654:2475148654(0) ack 4007012386 win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 184386380 10978099> (DF)
17:17:07.816758 2xx.xxx.xxx.195.1269 > bacalhau.ssp-go.net.smtp: R 4007012386:4007012386(0) win 0 (DF)
[snip]
But no SYN_SENT or SYN_RECV on 10.0.1.10 (bacalhau.ssp-go.net). No packet filter installed.
It appears 2xx.xxx.xxx.195 is sending an RST back in response to the SYN/ACK. Run tcpdump on 2xx.xxx.xxx.195 and on bacalhau at the same time and compare port numbers. Maybe the SYN/ACK packet from bacalhau is getting portmapped somehow on the way back out. Or there's a packet filter on 2xx.xxx.xxx.195 that's refusing the return traffic.
Also, can you telnet from the firewall to 10.0.1.10 port 25?
Yes, I can.
And I assume that bacalhau isn't dual-homed or anything weird like that...
Any relation to Nana Vasconcelos? I know it's a common enough name -- just had to ask, because he is quite the awesome musician.
-- Jefferson Ogata <[EMAIL PROTECTED]> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
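Added example, not part of the original message or written by either participant: a small Python check for the pattern diagnosed above, where a SYN/ACK is answered by an RST instead of an ACK, run over legacy tcpdump text output. The capture lines, addresses, host name and the function name `classify` are constructed for illustration.

```python
import re

# Constructed capture in the legacy tcpdump text format; hosts are placeholders.
SAMPLE = """\
17:17:07.758787 192.0.2.195.1269 > mail.example.net.smtp: S 1000:1000(0) win 57344 <mss 1460> (DF)
17:17:07.759219 mail.example.net.smtp > 192.0.2.195.1269: S 5000:5000(0) ack 1001 win 57344 <mss 1460> (DF)
17:17:07.816758 192.0.2.195.1269 > mail.example.net.smtp: R 1001:1001(0) win 0 (DF)
[snip]
17:17:08.000100 192.0.2.7.40000 > mail.example.net.smtp: S 7000:7000(0) win 57344 <mss 1460> (DF)
17:17:08.000200 mail.example.net.smtp > 192.0.2.7.40000: S 9000:9000(0) ack 7001 win 57344 <mss 1460> (DF)
17:17:08.000300 192.0.2.7.40000 > mail.example.net.smtp: . ack 1 win 57344 (DF)
17:17:09.000000 192.0.2.9.40001 > mail.example.net.smtp: S 3000:3000(0) win 57344 <mss 1460> (DF)
"""

# timestamp, src.port, dst.port, flags, optional seq range, optional ack number
LINE = re.compile(r"^\S+ (\S+) > (\S+): ([SFPR.]+)(?: (\d+):\d+\(\d+\))?(?: ack (\d+))?")

def classify(capture):
    """Return {(client, server): verdict} for each handshake seen in the text."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip "[snip]" and anything that is not a TCP summary line
        src, dst, flags, seq, ack = m.groups()
        seq = int(seq) if seq else None
        ack = int(ack) if ack else None
        if flags == "S" and ack is None:                 # initial SYN
            flows[(src, dst)] = {"isn": seq, "state": "syn-only"}
        elif flags == "S" and (dst, src) in flows:       # SYN/ACK from the server
            if ack == flows[(dst, src)]["isn"] + 1:
                flows[(dst, src)]["state"] = "syn-ack-sent"
        elif flows.get((src, dst), {}).get("state") == "syn-ack-sent":
            flow = flows[(src, dst)]
            if "R" in flags:
                # An RST sent in reply to a SYN/ACK takes its sequence number
                # from that segment's ack field, i.e. client ISN + 1.
                ok = seq == flow["isn"] + 1
                flow["state"] = "rst-after-synack" if ok else "rst-seq-mismatch"
            elif flags == "." and ack is not None:       # handshake completed
                flow["state"] = "established"
    return {pair: flow["state"] for pair, flow in flows.items()}

if __name__ == "__main__":
    for pair, verdict in classify(SAMPLE).items():
        print(pair, verdict)
```

Current tcpdump releases print flags as `Flags [S.]` rather than a bare `S`, so the regular expression needs adapting before it is run on their output.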
