Discussion:
Cleanup rule drops valid connections!!
Billy
2003-10-17 17:12:31 UTC
Hello

We've experienced some weird behavior on our firewall. There's a lot
of dropped packets due to the cleanup rule, the strange thing is that
those packets are not supposed to be dropped since they're part of an
email session (source port pop3 and smtp).

There is a rule ANY to MailServer pop3/smtp/imap ALLOW

I wouldn't need another rule to allow outgoing smtp/pop3 traffic from
the server.

Any hints to what's going on???

Thanks in advance

Billy
Chris
2003-10-17 21:42:46 UTC
Post by Billy
Hello
We've experienced some weird behavior on our firewall. There's a lot
of dropped packets due to the cleanup rule, the strange thing is that
those packets are not supposed to be dropped since they're part of an
email session (source port pop3 and smtp).
There is a rule ANY to MailServer pop3/smtp/imap ALLOW
I wouldn't need another rule to allow outgoing smtp/pop3 traffic from
the server.
Any hints to what's going on???
Thanks in advance
Billy
You don't say what the source and destination of the dropped connections
are? If you want your server to be able to send mail you will also have to
allow outbound SMTP as well as inbound.

Your log viewer should be telling you exactly what is going on.

Chris.
Billy
2003-10-18 23:04:27 UTC
Post by Chris
Post by Billy
Hello
We've experienced some weird behavior on our firewall. There's a lot
of dropped packets due to the cleanup rule, the strange thing is that
those packets are not supposed to be dropped since they're part of an
email session (source port pop3 and smtp).
There is a rule ANY to MailServer pop3/smtp/imap ALLOW
I wouldn't need another rule to allow outgoing smtp/pop3 traffic from
the server.
Any hints to what's going on???
Thanks in advance
Billy
You don't say what the source and destination of the dropped connections
are? If you want your server to be able to send mail you will also have to
allow outbound SMTP as well as inbound.
Your log viewer should be telling you exactly what is going on.
Chris.
Thanks for replying Chris

We do have both rules, one for allowing incoming mail and one for
outgoing. The source port for the dropped packets is smtp and pop3
(the destination port is a random port opened by the client), that
means that the connection has already been established (for instance a
user downloading mail via pop3), but it gets dropped on the cleanup
rule and there's no reason given.

Another thing is that we notice lots of drops for packets going into
the mail server with reason: "SYN packet for established connection",
which I assume to be a consequence of the packets getting dropped
while coming out of the server. BTW it's not all packets coming out of
smtp and pop3 ports that get dropped just some, but enough to cause
problems for email users.

Thanks

Billy
Billy
2003-10-20 17:07:13 UTC
Post by Billy
Thanks for replying Chris
We do have both rules, one for allowing incoming mail and one for
outgoing. The source port for the dropped packets is smtp and pop3
(the destination port is a random port opened by the client), that
means that the connection has already been established (for instance a
user downloading mail via pop3), but it gets dropped on the cleanup
rule and there's no reason given.
Another thing is that we notice lots of drops for packets going into
the mail server with reason: "SYN packet for established connection",
which I assume to be a consequence of the packets getting dropped
while coming out of the server. BTW it's not all packets coming out of
smtp and pop3 ports that get dropped just some, but enough to cause
problems for email users.
Thanks
Billy
This is the exact log message:

Number: 134054
Date: XXOct2003
Time: 11:58:28
Product: VPN-1 & FireWall-1
Interface: eth-sXpXcX
Origin: Firewall
Type: Log
Action: Drop
Service: 58508
Source: mailserver
Destination: XX.XX.XX.XX (Client side IP address)
Protocol: tcp
Rule: XXX (CLEANUP RULE)
Source Port: pop-3
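
An added example, not part of any post in this thread: a small triage script for log entries in the "Field: value" layout quoted above. It counts, per client, dropped TCP packets that travel in the reply direction (mail service as source port, high port as destination). The sample records, the addresses and the `MAIL_PORTS` set are constructed assumptions.

```python
from collections import Counter

# Assumption: names/numbers the log may show for the mail server's listening ports.
MAIL_PORTS = {"pop-3", "smtp", "imap", "110", "25", "143"}

# Constructed records in the "Field: value" layout of the quoted log entry.
SAMPLE_LOG = """\
Action: Drop
Service: 58508
Destination: 192.0.2.10 (Client side IP address)
Protocol: tcp
Source Port: pop-3

Action: Drop
Service: smtp
Destination: mailserver
Protocol: tcp
Source Port: 40112

Action: Drop
Service: 49200
Destination: 192.0.2.20
Protocol: tcp
Source Port: smtp
"""

def parse_records(text):
    """Turn blank-line separated 'Field: value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records

def direction(rec):
    """'reply': server port -> client high port; 'request': the reverse."""
    sport, dport = rec.get("Source Port", ""), rec.get("Service", "")
    high = lambda p: p.isdigit() and int(p) >= 1024
    if sport in MAIL_PORTS and high(dport):
        return "reply"
    if dport in MAIL_PORTS and high(sport):
        return "request"
    return "other"

def dropped_replies(text):
    """Count dropped TCP reply-direction packets per client address."""
    return Counter(rec.get("Destination", "?").split()[0] for rec in parse_records(text)
                   if rec.get("Action") == "Drop" and rec.get("Protocol") == "tcp"
                   and direction(rec) == "reply")
```
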
Chris
2003-10-20 18:57:08 UTC
Post by Billy
Thanks for replying Chris
We do have both rules, one for allowing incoming mail and one for
outgoing. The source port for the dropped packets is smtp and pop3
(the destination port is a random port opened by the client), that
means that the connection has already been established (for instance a
user downloading mail via pop3), but it gets dropped on the cleanup
rule and there's no reason given.
Another thing is that we notice lots of drops for packets going into
the mail server with reason: "SYN packet for established connection",
which I assume to be a consequence of the packets getting dropped
while coming out of the server. BTW it's not all packets coming out of
smtp and pop3 ports that get dropped just some, but enough to cause
problems for email users.
Thanks
Billy
Number: 134054
Date: XXOct2003
Time: 11:58:28
Product: VPN-1 & FireWall-1
Interface: eth-sXpXcX
Origin: Firewall
Type: Log
Action: Drop
Service: 58508
Source: mailserver
Destination: XX.XX.XX.XX (Client side IP address)
Protocol: tcp
Rule: XXX (CLEANUP RULE)
Source Port: pop-3
If you scroll further along the log viewer, is there any other information
at the end, like TCP out of state packets for example?

Chris.
Billy
2003-10-20 21:56:24 UTC
Post by Chris
Post by Billy
Thanks for replying Chris
We do have both rules, one for allowing incoming mail and one for
outgoing. The source port for the dropped packets is smtp and pop3
(the destination port is a random port opened by the client), that
means that the connection has already been established (for instance a
user downloading mail via pop3), but it gets dropped on the cleanup
rule and there's no reason given.
Another thing is that we notice lots of drops for packets going into
the mail server with reason: "SYN packet for established connection",
which I assume to be a consequence of the packets getting dropped
while coming out of the server. BTW it's not all packets coming out of
smtp and pop3 ports that get dropped just some, but enough to cause
problems for email users.
Thanks
Billy
Number: 134054
Date: XXOct2003
Time: 11:58:28
Product: VPN-1 & FireWall-1
Interface: eth-sXpXcX
Origin: Firewall
Type: Log
Action: Drop
Service: 58508
Source: mailserver
Destination: XX.XX.XX.XX (Client side IP address)
Protocol: tcp
Rule: XXX (CLEANUP RULE)
Source Port: pop-3
If you scroll further along the log viewer, is there any other information
at the end, like TCP out of state packets for example?
Chris.
No other information is given which makes it even more frustrating to debug