Inbound Mail Server Connect and Reject by Firewall

A remote mail server connects to our mail server and sends a TCP SYN. Our mail server replies with SYN-ACK, but this is immediately responded to by the foreign server with an ICMP packet that Wireshark shows as "ICMP Destination unreachable (host administratively prohibited)".

Why would the remote server respond to our SYN-ACK with an ICMP? Is this some kind of optimization they have done because of their volume of traffic? I don't understand how TCP would work at all if they don't allow a SYN-ACK.

In terms of what I need to allow to pass through our firewall, what kind of ICMP packet is the above, and is there a way to allow incoming ICMP of just this one type using an older Checkpoint?

Will

I forgot to add that our mail host replies to these strange ICMP messages with a [TCP Zerowindow] as seen in Wireshark. The remote mail host then replies again the ICMP Destination unreachable and eventually the whole session is killed by the firewall as a SYN attack (which it isn't but the SYN-ACK exchange isn't happening and the firewall cannot make much sense of this traffic pattern).

Any help in understanding:

1) Why this traffic pattern happens

2) What is wrong on the remote sendmail host or its router to cause this behavior?

Will

The remote router allows packets out, but not in. A crude but effective way to disallow traffic, but one with side effects. Why your mailserver "responds" to those icmp unreachables is hard to say, but tcp should not react to icmp unreachables. Are you sure those are not simply retransmissions?

HTH, M4

Martijn Lievaart
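For anyone reading this later: the message Wireshark labels "Destination unreachable (host administratively prohibited)" is ICMP type 3, code 10, so a firewall rule that is allowed to let it in only needs to match that one type/code pair. The example below is added here and is not from anyone in the thread; it builds a constructed ICMP error (addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24, ports and sequence numbers made up) and decodes it. An ICMP error always quotes the IP header plus at least the first 8 bytes of the packet that triggered it, so decoding that quote tells you whether the router really rejected your SYN-ACK or a retransmission of it, which is the check Martijn asks about. The decoder also handles the minimal RFC 792 quote, where the TCP flags byte is simply not present.

```python
"""Decode an ICMP Destination Unreachable error and the TCP segment it quotes.

Constructed scenario (not a capture from the thread): our mail server
192.0.2.25 answers a SYN from 198.51.100.7:48211 with a SYN-ACK, and a
router in front of the remote host returns ICMP type 3 code 10
("host administratively prohibited") quoting that SYN-ACK.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
IPPROTO_TCP = 6
DEST_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over a correct message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte header; IP checksum left at zero, only the ICMP one is checked.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def build_icmp_error(icmp_type: int, code: int, quoted: bytes) -> bytes:
    """ICMP error = 8-byte header + quoted IP header and start of its payload."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return struct.pack("!BBHI", icmp_type, code, inet_checksum(body), 0) + quoted


def decode_icmp_error(packet: bytes) -> dict:
    """Return type/code and what the quoted (offending) packet was."""
    if len(packet) < 8 + 20 + 8:
        raise ValueError("too short: an ICMP error quotes the IP header plus 8 bytes")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", packet[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    inner = packet[8:]
    ihl = (inner[0] & 0x0F) * 4
    info = {
        "type": icmp_type,
        "code": code,
        "code_name": DEST_UNREACH_CODES.get(code, "unknown code"),
        "checksum_ok": inet_checksum(packet) == 0,
        "quoted_src": socket.inet_ntoa(inner[12:16]),
        "quoted_dst": socket.inet_ntoa(inner[16:20]),
        "quoted_proto": inner[9],
        "flags": None,  # stays None when the quote stops before the TCP flags byte
    }
    quoted = inner[ihl:]
    if inner[9] == IPPROTO_TCP and len(quoted) >= 8:
        sport, dport, seq = struct.unpack("!HHI", quoted[:8])
        info.update(sport=sport, dport=dport, seq=seq)
        if len(quoted) >= 14:
            info["flags"] = [name for bit, name in TCP_FLAG_NAMES if quoted[13] & bit]
    return info


def quoted_segment_is_syn_ack(info: dict) -> bool:
    """True only when the quote is long enough to show SYN+ACK set."""
    return info.get("flags") == ["SYN", "ACK"]


# Constructed sample: our SYN-ACK (seq/ack values made up) and the router's error.
OUR_MX, REMOTE = "192.0.2.25", "198.51.100.7"
SYN_ACK = build_tcp_header(25, 48211, seq=0x1000, ack=0x2001, flags=0x12, window=5840)
QUOTED_FULL = build_ipv4_header(OUR_MX, REMOTE, IPPROTO_TCP, len(SYN_ACK)) + SYN_ACK
SAMPLE_FULL = build_icmp_error(ICMP_DEST_UNREACH, 10, QUOTED_FULL)
# Minimal quote permitted by RFC 792: IP header + first 8 bytes, no flags byte.
SAMPLE_MINIMAL = build_icmp_error(ICMP_DEST_UNREACH, 10, QUOTED_FULL[:28])

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_MINIMAL):
        d = decode_icmp_error(sample)
        print(d, "-> rejected our SYN-ACK:", quoted_segment_is_syn_ack(d))
```

On a real capture, feed `decode_icmp_error` the bytes of the ICMP layer (Wireshark can export a selected layer as raw bytes); comparing `seq` across several of these errors shows whether each one answers a fresh SYN-ACK or the same retransmitted segment. To isolate just these packets in a capture, the tcpdump filter `icmp[0] = 3 and icmp[1] = 10` matches type 3 code 10 and nothing else.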

Hello,

Martijn Lievaart wrote:

Or it doesn't like a TCP/IP option that your server uses, or the source address may have been spoofed.

Pascal Hambourg

I'd suspect the latter. Maybe an idle-scan.

F'up2csf

cu

59cobalt
Ansgar -59cobalt- Wiechers
