Inbound Mail Server Connect and Reject by Firewall


A remote mail server connects to our mail server and sends a TCP SYN.   Our
mail server replies with SYN-ACK, but this is immediately responded to by
the foreign server with an ICMP packet that Wireshark shows as "ICMP
Destination unreachable (host administratively prohibited)".

Why would the remote server respond to our SYN-ACK with an ICMP?  Is this
some kind of optimization they have done because of their volume of traffic?
I don't understand how TCP would work at all if they don't allow a SYN-ACK.

In terms of what I need to allow to pass through our firewall, what kind of
ICMP packet is the above, and is there a way to allow incoming ICMP of just
this one type using an older Checkpoint?

--
Will
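To answer the "what kind of ICMP packet is this" part concretely, the decoder below (an added example, not anything posted in this thread) parses an IPv4 + ICMP Destination Unreachable message, names the code the way Wireshark does (type 3, code 10 is "host administratively prohibited"), and reads back the original datagram the ICMP quotes. That quoted header is what lets a firewall or an analyst tie the ICMP to the SYN-ACK the mail server sent, and comparing the ICMP sender with the quoted destination shows whether the rejecting party is the remote host itself or a router on the path. All addresses and packets are constructed sample data (RFC 5737 documentation ranges); checksums are left zero because nothing is put on the wire.

```python
"""Decode an ICMPv4 Destination Unreachable and tie it back to the TCP
segment it quotes. Added example with constructed packets; nothing here
is a capture from the thread."""
import ipaddress
import struct

ICMP_PROTO, TCP_PROTO = 1, 6
ICMP_DEST_UNREACH = 3
# ICMP type 3 codes (RFC 792 / RFC 1812 names, as Wireshark labels them)
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_ipv4_header(buf):
    """Return (proto, src, dst, header_length) from the start of an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return buf[9], src, dst, ihl


def parse_icmp_unreach(packet):
    """Parse IPv4 + ICMP type 3 and the original datagram it quotes.

    RFC 792 requires the quoted IP header plus at least 8 bytes of its payload,
    which for TCP covers source port, destination port and sequence number;
    TCP flags (byte 13) are only reported when the sender quoted that much."""
    proto, src, dst, ihl = parse_ipv4_header(packet)
    if proto != ICMP_PROTO:
        raise ValueError("outer packet is not ICMP")
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError(f"ICMP type {icmp[0]} is not Destination Unreachable")
    code = icmp[1]
    quoted = icmp[8:]                      # type, code, checksum, unused = 8 bytes
    q_proto, q_src, q_dst, q_ihl = parse_ipv4_header(quoted)
    l4 = quoted[q_ihl:]
    info = {"icmp_sender": src, "icmp_receiver": dst, "code": code,
            "code_name": UNREACH_CODES.get(code, f"code {code}"),
            "quoted_src": q_src, "quoted_dst": q_dst, "quoted_proto": q_proto}
    if q_proto == TCP_PROTO and len(l4) >= 8:
        info["quoted_sport"], info["quoted_dport"], info["quoted_seq"] = struct.unpack("!HHI", l4[:8])
        if len(l4) >= 14:
            info["quoted_flags"] = [name for bit, name in TCP_FLAGS if l4[13] & bit]
    return info


def rejection_origin(info):
    """'host' if the quoted destination itself sent the ICMP (a host-based
    firewall on the peer), 'path' if a router in between did."""
    return "host" if info["icmp_sender"] == info["quoted_dst"] else "path"


def quotes_our_synack(info, our_ip, our_port=25):
    """True if the ICMP quotes a SYN-ACK our listener sent, i.e. it is a
    reaction to our handshake reply rather than to some unrelated packet."""
    return (info.get("quoted_src") == our_ip and info.get("quoted_sport") == our_port
            and info.get("quoted_flags") == ["SYN", "ACK"])


# --- constructed sample traffic (RFC 5737 documentation addresses) ---------
def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, checksum left zero (fine for an offline sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp_synack(sport, dport, seq, ack):
    """20-byte TCP header with SYN|ACK set, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x12, 65535, 0, 0)


def build_icmp_unreach(sender, receiver, code, quoted):
    """IPv4 + ICMP type 3 with the given code, quoting `quoted` bytes."""
    return build_ipv4(sender, receiver, ICMP_PROTO,
                      struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted)


OUR_MX, REMOTE_MX = "192.0.2.25", "198.51.100.7"
OUR_SYNACK = build_ipv4(OUR_MX, REMOTE_MX, TCP_PROTO, build_tcp_synack(25, 40123, 1000, 5001))
# The peer answers our SYN-ACK with type 3 / code 10 and quotes the whole segment
SAMPLE_REJECT = build_icmp_unreach(REMOTE_MX, OUR_MX, 10, OUR_SYNACK)

if __name__ == "__main__":
    info = parse_icmp_unreach(SAMPLE_REJECT)
    print(f"{info['icmp_sender']} -> {info['icmp_receiver']}: ICMP type 3 code {info['code']}"
          f" ({info['code_name']}), origin={rejection_origin(info)}")
    print("quoted:", info["quoted_src"], info.get("quoted_sport"), "->",
          info["quoted_dst"], info.get("quoted_dport"), info.get("quoted_flags"))
    print("matches our SYN-ACK:", quotes_our_synack(info, OUR_MX))
```

Run as-is it reports a code 10 message sent by the remote host itself that quotes port 25's SYN-ACK. On a firewall the same two checks matter: only admit a type 3 message whose quoted inner header belongs to a connection the firewall already has in its table, and do not admit type 3 wholesale, since code 10 carries no more trust than any other unreachable.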



Re: Inbound Mail Server Connect and Reject by Firewall
I forgot to add that our mail host replies to these strange ICMP messages
with a [TCP Zerowindow] as seen in Wireshark.   The remote mail host then
replies again the ICMP Destination unreachable and eventually the whole
session is killed by the firewall as a SYN attack (which it isn't but the
SYN-ACK exchange isn't happening and the firewall cannot make much sense of
this traffic pattern).

Any help in understanding:

1) Why this traffic pattern happens

2) What is wrong on the remote sendmail host or its router to cause this
behavior?

--
Will





Re: Inbound Mail Server Connect and Reject by Firewall
On Sat, 08 Dec 2007 00:27:21 -0800, Will wrote:


The remote router allows packets out, but not in. A crude but effective
way to disallow traffic, but one with side effects. Why your mailserver
"responds" to those icmp unreachables is hard to say, but tcp should not
react to icmp unreachables. Are you sure those are not simply
retransmissions?

HTH,
M4

Re: Inbound Mail Server Connect and Reject by Firewall
Hello,

Martijn Lievaart wrote:

Or it doesn't like a TCP/IP option that your server uses, or the source
address may have been spoofed.

Re: Inbound Mail Server Connect and Reject by Firewall
In comp.security.firewalls Pascal Hambourg wrote:

I'd suspect the latter. Maybe an idle-scan.

F'up2csf

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
