Inbound Mail Server Connect and Reject by Firewall - TCP-IP


Thread: Inbound Mail Server Connect and Reject by Firewall

  1. Inbound Mail Server Connect and Reject by Firewall

    A remote mail server connects to our mail server and sends a TCP SYN. Our
    mail server replies with SYN-ACK, but this is immediately responded to by
    the foreign server with an ICMP packet that Wireshark shows as "ICMP
    Destination unreachable (host administratively prohibited)".

    Why would the remote server respond to our SYN-ACK with an ICMP? Is this
    some kind of optimization they have done because of their volume of traffic?
    I don't understand how TCP would work at all if they don't allow a SYN-ACK.

    In terms of what I need to allow to pass through our firewall, what kind of
    ICMP packet is the above, and is there a way to allow incoming ICMP of just
    this one type using an older Checkpoint?

    --
    Will



  2. Re: Inbound Mail Server Connect and Reject by Firewall

    I forgot to add that our mail host replies to these strange ICMP messages
    with a [TCP Zerowindow] as seen in Wireshark. The remote mail host then
    replies again with the ICMP Destination unreachable and eventually the whole
    session is killed by the firewall as a SYN attack (which it isn't but the
    SYN-ACK exchange isn't happening and the firewall cannot make much sense of
    this traffic pattern).

    Any help in understanding:

    1) Why this traffic pattern happens

    2) What is wrong on the remote sendmail host or its router to cause this
    behavior?

    --
    Will


    "Will" wrote in message
    news:kpadndDiwL44zMfanZ2dnUVZ_oytnZ2d@giganews.com ...
    >A remote mail server connects to our mail server and sends a TCP SYN. Our
    >mail server replies with SYN-ACK, but this is immediately responded to by
    >the foreign server with an ICMP packet that Wireshark shows as "ICMP
    >Destination unreachable (host administratively prohibited)".
    >
    > Why would the remote server respond to our SYN-ACK with an ICMP? Is this
    > some kind of optimization they have done because of their volume of
    > traffic? I don't understand how TCP would work at all if they don't allow
    > a SYN-ACK.
    >
    > In terms of what I need to allow to pass through our firewall, what kind
    > of ICMP packet is the above, and is there a way to allow incoming ICMP of
    > just this one type using an older Checkpoint?
    >
    > --
    > Will
    >




  3. Re: Inbound Mail Server Connect and Reject by Firewall

    On Sat, 08 Dec 2007 00:27:21 -0800, Will wrote:

    > I forgot to add that our mail host replies to these strange ICMP
    > messages with a [TCP Zerowindow] as seen in Wireshark. The remote mail
    > host then replies again with the ICMP Destination unreachable and eventually
    > the whole session is killed by the firewall as a SYN attack (which it
    > isn't but the SYN-ACK exchange isn't happening and the firewall cannot
    > make much sense of this traffic pattern).
    >
    > Any help in understanding:
    >
    > 1) Why this traffic pattern happens
    >
    > 2) What is wrong on the remote sendmail host or its router to cause this
    > behavior?


    The remote router allows packets out, but not in. A crude but effective
    way to disallow traffic, but one with side effects. Why your mailserver
    "responds" to those icmp unreachables is hard to say, but tcp should not
    react to icmp unreachables. Are you sure those are not simply
    retransmissions?

    HTH,
    M4

  4. Re: Inbound Mail Server Connect and Reject by Firewall

    Hello,

    Martijn Lievaart wrote:
    > On Sat, 08 Dec 2007 00:27:21 -0800, Will wrote:
    >
    >> 2) What is wrong on the remote sendmail host or its router to cause this
    >> behavior?

    >
    > The remote router allows packets out, but not in.


    Or it doesn't like a TCP/IP option that your server uses, or the source
    address may have been spoofed.

  5. Re: Inbound Mail Server Connect and Reject by Firewall

    In comp.security.firewalls Pascal Hambourg wrote:
    > Martijn Lievaart wrote:
    >> On Sat, 08 Dec 2007 00:27:21 -0800, Will wrote:
    >>> 2) What is wrong on the remote sendmail host or its router to cause
    >>> this behavior?

    >>
    >> The remote router allows packets out, but not in.

    >
    > Or it doesn't like a TCP/IP option that your server uses, or the
    > source address may have been spoofed.


    I'd suspect the latter. Maybe an idle-scan.

    F'up2csf

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
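Added example, not written by any poster in this thread: a Python sketch that builds the ICMP message Will asks about (Type 3 Destination Unreachable, Code 10 "host administratively prohibited"), decodes it back to the SYN-ACK it quotes, and checks that the quoted segment is really one our mail server sent, which is the spoofing question raised in the last two replies. Addresses, ports and sequence numbers are constructed; a router may quote only the RFC 792 minimum (IP header plus 8 bytes), in which case the TCP flags are not recoverable, and the parser reports that rather than guessing.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3; code 10 is "host administratively prohibited"
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net administratively prohibited", 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}
TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x04: "RST", 0x01: "FIN"}

def ip_checksum(data):
    """RFC 1071 one's-complement checksum; yields 0 when run over a valid message."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_tcp(src, dst, sport, dport, seq, flags):
    """IPv4 datagram with a bare 20-byte TCP header (checksums left zero for brevity)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + tcp

def build_icmp_unreach(code, original, quote_len=28):
    """Type 3 error quoting the offending datagram (RFC 792 minimum: IP header + 8 bytes)."""
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:quote_len]
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]

def parse_icmp_unreach(msg):
    """Decode the error and the quoted segment; an 8-byte quote stops before TCP offset 13, so flags is None."""
    if msg[0] != ICMP_DEST_UNREACH or ip_checksum(msg) != 0:
        raise ValueError("not a valid ICMP Destination Unreachable message")
    inner = msg[8:]
    tcp = inner[(inner[0] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    flags = [n for b, n in TCP_FLAGS.items() if tcp[13] & b] if len(tcp) >= 14 else None
    return {"code": msg[1], "reason": UNREACH_CODES.get(msg[1], "code %d" % msg[1]),
            "proto": inner[9], "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20]), "sport": sport, "dport": dport,
            "seq": seq, "flags": flags}

def quotes_our_segment(info, src, sport, dst, dport, seq):
    """True only if the error quotes exactly the segment we sent; anything else deserves a closer look."""
    return info["proto"] == 6 and (info["src"], info["sport"], info["dst"], info["dport"],
                                   info["seq"]) == (src, sport, dst, dport, seq)

def demo():
    # Constructed: our MX 192.0.2.25 sends SYN-ACK (flags 0x12) to 198.51.100.7:40321
    synack = build_ipv4_tcp("192.0.2.25", "198.51.100.7", 25, 40321, 1000, 0x12)
    return [parse_icmp_unreach(build_icmp_unreach(10, synack, q)) for q in (len(synack), 28)]
```

The first result in `demo()` comes from a router that quoted the whole SYN-ACK, the second from one that quoted only the minimum; on a real capture, the quoted header is what lets a firewall or analyst tie the error to a specific connection.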
