Firewalls, mail, and port 56341

Hello, thought I'd try asking here, tried in a general newsgroup, no luck.

At work, we use an SMTP server on port 56341. It's ESMTP (if I make a telnet to it on port 56341, I get "220 server.name ESMTP Sendmail 8.9.3.8/8.9.3").

With any firewall on (well, I've tried Kerio and the default Windows firewall), a connection takes 30-40 seconds before I even see the ESMTP banner. Turning off the firewall, and it comes up within a second. Hence, sending mail takes at least 30-40 seconds.

I've tried telling Kerio to allow unfiltered access to the internet from Thunderbird.exe, I've added the entire netblock the smtp server is in to my trusted zones.... I can't think of what else it could be.

Any suggestions? I know, this isn't really thunderbird related, but was thinking maybe someone here might have an idea.

Thanks.

Evan

-- Evan Platt

is your firewall dropping packets or rejecting?

i believe an ident packet will be sent to the mail client on a connection attempt. try changing the policy to "reject" denied packets or allow ident (tcp port 113).

-- uNiXpSyChO

I don't see anything odd in the logs. I'll turn the logging on and see.

I allowed ident, same issue.

Looking in Kerio's log, the only thing I see is an outbound TCP port 56341 connection, permitted.

Evan

-- Evan Platt

Oh, and your logging function doesn't show you an inbound connection attempt at IdentD/Auth (TCP/113)? Where's your firewall rule to either allow or at least reject (with TCP-RST) such connections?

Eh... uninstalling Kerio? This piece of bitjunk will always break your network.

YOU as the firewall administrator should have an idea. If not: uninstall your packet filter until you've got some serious knowledge about TCP/IP. Without it, you won't achieve any security.

-- Sebastian Gottschalk

Nope.

Well, I added a rule to allow all inbound and outbound connections on the entire netblock the mail server is on.

Did I mention that if I switch to a mail server (running port 25) on an entirely different network, it works fine, no delay?

Any recommendations for a good free firewall?

Well I would if I knew why there's a delay.

I obviously don't know as much about TCP/IP as you oh great one. As I mentioned, same results running the standard windows firewall.

-- Evan Platt

As this is unexpected, did you utilize a packet sniffer to verify these results? Can you install such one at or near the SMTP server?

And where exactly? Before or after the typical TCP state check rule?

Hm... could this be an ingress filter rule?

s/firewall/host-based packet filter/

casual: Windows Firewall is fine; advanced: Win-IPFW

Windows firewall blocks local listen()s by default. Did you create an exception rule?

-- Sebastian Gottschalk

I installed Ethereal on my desktop, I'll go through those logs..

Not sure with Kerio. You just add it.

Well, it looks like initially going through the logs that a lot of traffic goes out on one port, in on another (duh).. If I open up in and out port 120 - 3000, it works. Put it to 100 - 3000, it doesn't. So I've narrowed it down to something between port 100 and 120, now to find the higher end, but that gives me initially something to go on.

Well again, Windows Firewall, with ALL the exceptions allowed, gives me the same problem. And ipfw looks nice, but I like the application blocking ability. Way too many pieces of software phone home.

I've got to figure out what to allow. Seems even giving Thunderbird.exe full access didn't work.

-- Evan Platt

See? It's a useless piece of software. Hiding such important things ain't no good.

It's exactly port 113/TCP (auth/ident).

Well, but it doesn't work. Actually one should dislike it, because it only adds unnecessary complexity.

Just name me one!

-- Sebastian Gottschalk

Well it might be somewhere in the help file. :-D

I see traffic source port 1273, dst port 113, then source 113, destination 1273.

And I just solved it, thank you... :-D

I had to allow IGMP, and open up port 113 source, any incoming port.

Well what I meant was any software you download nowadays phones home. No thank you, I like a little control over what program phones home. :-D

-- Evan Platt

Eh, huh?

incoming: someone:somewhere -> you:113/tcp
outgoing: you:113/tcp -> someone:somewhere
          you:icmp(3) -> someone:somewhere

And I meant: this is bullshit.

If some software actually wants to phone home, it will either shut down, ignore or circumvent your packet filter. If it doesn't want to do so, then it can be easily configured to not make any connection attempts.

The latter one is usually falsely named "phone home", I'd rather call it stupidity. In any case, it is superfluous.

-- Sebastian Gottschalk

Hello Sebastian Gottschalk, you wrote:

The old Kerio 2.1.5 had some packet filtering *AND* logging capabilities. I used it within WinNT (4.0). It was possible to prioritize filtering rules, but the only DENY rule was "drop" and no "reject". On the Kerio web page, I found in the version history that they added some functionality to reject (and not to drop) incoming requests at the ident port (113).

Wolfgang

-- Wolfgang Ewert
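The delay the thread pins down is the ident (auth, TCP/113) lookup that an MTA such as Sendmail makes back to the connecting client before it sends its 220 banner: a filter that rejects with TCP-RST lets the MTA give up at once, a filter that silently drops leaves it waiting out its ident timeout. The script below is added here as an illustration; it is not code from the thread, from Kerio or from Sendmail. It acts out the three outcomes against localhost listeners: the connection is refused (RST), an identd answers (here with an ERROR : HIDDEN-USER reply, also immediate), and nothing comes back (a listener that never replies, standing in for a dropping filter). The ephemeral listener ports, the 0.5 s timeout and the 56341/1273 port pair sent in the query are constructed for the example; the thread's 30-40 s is whatever the real MTA's ident timeout is set to.

```python
import socket
import threading
import time

# Constructed values for the example: the thread's SMTP port and a typical
# client-side ephemeral port, sent as the RFC 1413 "server-port , client-port" pair.
SMTP_PORT = 56341
CLIENT_PORT = 1273


def ident_query(host, port, server_port, client_port, timeout):
    """Do the RFC 1413 lookup an MTA performs before greeting a client.

    Returns (outcome, elapsed_seconds, reply_line_or_None) where outcome is
    "refused" (TCP RST came back), "answered" (responder replied) or
    "timeout" (nothing came back within `timeout`).
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
        return ("answered", time.monotonic() - start, data.decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        # Reject-with-RST policy: the MTA learns immediately that no ident answer is coming.
        return ("refused", time.monotonic() - start, None)
    except socket.timeout:
        # Silent-drop policy: the MTA only gives up when its own ident timeout expires.
        return ("timeout", time.monotonic() - start, None)


def parse_ident_reply(line):
    """Split an ident reply into its fields; returns None for a malformed line."""
    parts = [p.strip() for p in line.split(":", 3)]
    if len(parts) == 4 and parts[1] == "USERID":
        return {"ports": parts[0], "type": "USERID", "os": parts[2], "user": parts[3]}
    if len(parts) == 3 and parts[1] == "ERROR":
        return {"ports": parts[0], "type": "ERROR", "error": parts[2]}
    return None


def start_listener(handler):
    """Start a localhost listener on an ephemeral port (stand-in for TCP/113); returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def hidden_user_handler(conn):
    """An identd that answers at once without revealing a user name."""
    with conn:
        conn.settimeout(2)
        try:
            request = conn.recv(512).decode("ascii", "replace").strip()
            conn.sendall(f"{request} : ERROR : HIDDEN-USER\r\n".encode("ascii"))
        except OSError:
            pass


def silent_handler(conn):
    """Stands in for a silently dropping filter: take the query, never answer."""
    with conn:
        try:
            while conn.recv(512):
                pass
        except OSError:
            pass


def unused_port():
    """Pick a localhost port with no listener, so connecting to it is refused with RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout=0.5):
    """Run the three policies and return {name: (outcome, elapsed, reply)}."""
    return {
        "reject_rst": ident_query("127.0.0.1", unused_port(), SMTP_PORT, CLIENT_PORT, timeout),
        "answered": ident_query("127.0.0.1", start_listener(hidden_user_handler), SMTP_PORT, CLIENT_PORT, timeout),
        "drop": ident_query("127.0.0.1", start_listener(silent_handler), SMTP_PORT, CLIENT_PORT, timeout),
    }


if __name__ == "__main__":
    for name, (outcome, elapsed, reply) in demo().items():
        print(f"{name:10} -> {outcome:8} after {elapsed:.2f}s  {reply or ''}")
```

Because the "drop" listener lives on localhost, the TCP handshake still completes and the stall happens on the read; a real dropping filter stalls the MTA at the SYN instead, but what the MTA sees is the same: no answer until its timeout runs out. Either a reject rule (RST back to the server) or an answering identd on the client side removes the wait.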
