 
 From:  Reto Buerki <buerki at swiss dash it dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  LDAP over TLS: blocked packets that shouldn't be blocked
 Date:  Tue, 26 Sep 2006 10:49:00 +0200
Hi List

I have a problem regarding a mailserver inside my DMZ (sis2). The
mailserver retrieves the data for user auth over LDAP (secured with
TLS). I created a rule to allow this specific kind of traffic:

<rule>
 <type>pass</type>
 <interface>opt1</interface>
 <protocol>tcp</protocol>
 <source>
  <address>192.168.X.X</address>
 </source>
 <destination>
  <address>172.24.Y.Y</address>
  <port>389</port>
 </destination>
 <log/>
 <descr>Allow LDAP from mailx to pdc</descr>
</rule>

Every day I have entries in my log like these:
300:1 p sis2 1952 tcp packets from 192.168.X.X to 172.24.Y.Y port 389 (ldap)
0:17 b sis2 78 tcp packets from 192.168.0.5 to 172.24.X.X port 389 (ldap)

Why are there some packets blocked? I explicitly allowed this kind of
packet to pass....
The detailed packets look like this:
PASS:
Sep 26 09:27:35 172.24.Y.Y ipmon[83]: 09:27:35.872910 sis2 @300:1 p
192.168.Y.Y,54979 -> 172.24.X.X,389 PR tcp len 20 60 -S K-S IN
BLOCK:
Sep 26 08:50:38 172.24.Y.Y ipmon[83]: 08:50:38.256087 sis2 @0:17 b
192.168.Y.Y,39282 -> 172.24.X.X,389 PR tcp len 20 52 -AR IN

I just want to make sure this behavior is intended and normal before
this server becomes our production server.

Thanks for your help

Regards
Reto
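The two ipmon lines quoted above differ in more than the pass/block verdict: the passed packet carries the TCP flags `-S` (a SYN, the start of a connection, logged with `K-S` for keep state), while the blocked one carries `-AR` (ACK and RST, a reset inside or after a session). When a rule-vs-log question like this one comes up, it helps to parse the ipmon lines and group the blocked entries by flag set rather than reading them one at a time. The following parser is an added example written for this page; it is not part of the original post or of m0n0wall. The field layout after the `len` token is taken from the two lines the post shows and is assumed to hold for other ipmon lines; the sample log embedded in the block is constructed (RFC 5737 documentation addresses, not the thread's hosts) but copies that layout.

```python
import re
from collections import Counter

# Regex for the ipmon (ipfilter) line layout seen in m0n0wall logs:
#   <syslog ts> <host> ipmon[pid]: <ts> <iface> @<group>:<rule> <action>
#   <src>,<sport> -> <dst>,<dport> PR <proto> len <hlen> <len> [-<tcpflags>] [K-S] <IN|OUT>
# Assumption: the tokens after "len" follow the two lines quoted in the post.
IPMON_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+ipmon\[(?P<pid>\d+)\]:\s+"
    r"(?P<stamp>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?"        # TCP flags, absent for UDP/ICMP
    r"(?P<keep>(?:\s+K-[A-Z])*)"          # keep-state markers such as K-S
    r"\s+(?P<direction>IN|OUT)\s*$"
)

# Constructed sample log in the same layout as the post's two examples.
# Addresses are from the RFC 5737 documentation ranges, not the thread's hosts.
SAMPLE_LOG = """\
Sep 26 09:27:35 198.51.100.1 ipmon[83]: 09:27:35.872910 sis2 @300:1 p 192.0.2.10,54979 -> 198.51.100.20,389 PR tcp len 20 60 -S K-S IN
Sep 26 09:27:36 198.51.100.1 ipmon[83]: 09:27:36.104455 sis2 @300:1 p 192.0.2.10,54980 -> 198.51.100.20,389 PR tcp len 20 60 -S K-S IN
Sep 26 08:50:38 198.51.100.1 ipmon[83]: 08:50:38.256087 sis2 @0:17 b 192.0.2.10,39282 -> 198.51.100.20,389 PR tcp len 20 52 -AR IN
Sep 26 08:51:02 198.51.100.1 ipmon[83]: 08:51:02.114400 sis2 @0:17 b 192.0.2.10,39290 -> 198.51.100.20,389 PR tcp len 20 52 -AF IN
Sep 26 08:52:10 198.51.100.1 ipmon[83]: 08:52:10.001200 sis2 @0:17 b 192.0.2.10,39301 -> 198.51.100.20,389 PR tcp len 20 52 -A IN
Sep 26 08:53:00 198.51.100.1 ipmon[83]: 08:53:00.500000 sis2 @0:17 b 192.0.2.77,1027 -> 198.51.100.20,389 PR tcp len 20 60 -S IN
Sep 26 08:53:05 198.51.100.1 ipmon[83]: 08:53:05.600000 sis2 @0:17 b 192.0.2.77,1028 -> 198.51.100.20,53 PR udp len 20 48 IN
"""


def parse_ipmon_line(line):
    """Parse one ipmon line into a dict of fields; return None if it is in another format."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["flags"] = d["flags"] or ""          # non-TCP lines carry no flag field
    d["keep"] = d["keep"].split()          # e.g. ["K-S"] when the rule keeps state
    d["rule_id"] = f"{d['group']}:{d['rule']}"
    return d


def parse_log(text):
    """Parse every line of a log dump, skipping lines that are not ipmon records."""
    entries = []
    for line in text.splitlines():
        e = parse_ipmon_line(line)
        if e is not None:
            entries.append(e)
    return entries


def summarize_by_flags(entries, dport=None):
    """Count records per (action, TCP flag string), optionally for one destination port."""
    counts = Counter()
    for e in entries:
        if dport is None or e["dport"] == dport:
            counts[(e["action"], e["flags"])] += 1
    return counts


def blocked_without_syn(entries, dport=None):
    """Blocked TCP records whose flags lack SYN: segments that do not open a connection
    (bare ACK, FIN or RST), which a pass rule written for new sessions would not see."""
    rows = []
    for e in entries:
        if e["action"] != "b" or e["proto"] != "tcp":
            continue
        if dport is not None and e["dport"] != dport:
            continue
        if "S" in e["flags"]:
            continue
        rows.append((e["src"], e["sport"], e["dst"], e["dport"], e["flags"], e["rule_id"]))
    return rows


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (action, flags), n in sorted(summarize_by_flags(entries, dport=389).items()):
        print(f"{action} flags=-{flags or '(none)'}: {n}")
    for row in blocked_without_syn(entries, dport=389):
        print("blocked, not a SYN:", row)
```

Run against a real ipmon dump, the summary separates blocked SYNs (which would indicate the pass rule really is not matching new connections) from blocked ACK/FIN/RST segments, which point at state rather than the rule itself; the hypothetical `blocked_without_syn` helper lists only the latter so they can be checked against the connection timeouts of the firewall.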