 From:  "Joyce, Wesley K." <wjoyce at uvi dot edu>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] LDAP over TLS: blocked packets that shouldn't be blocked
 Date:  Tue, 26 Sep 2006 22:55:59 -0400
Disturbing indeed.  How do other firewalls handle the "duplicate or last packets of a session"
issue?

________________________________

From: Jeroen Visser [mailto:monowall at forty dash two dot nl]
Sent: Tue 9/26/2006 6:58 AM
To: Reto Buerki; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] LDAP over TLS: blocked packets that shouldn't be blocked



Reto,

See this in the manual page.
http://doc.m0n0.ch/handbook/faq-legit-traffic-dropped.html

I had a hard time accepting/believing this, but as for now, all drops I got did
not result in any network issues. So it must be true. ;-)

Do you have any issues, or do the drops result in errors on the mail server and/or
in the communication?

Regards,

Jeroen.

On Tue, 26 Sep 2006 10:49:00 +0200, Reto Buerki wrote
> Hi List
>
> I have a problem regarding a mailserver inside my DMZ (sis2). The
> mailserver retrieves the data for user auth over LDAP (secured with
> TLS). I created a rule to allow this specific kind of traffic:
>
> <rule>
>  <type>pass</type>
>  <interface>opt1</interface>
>  <protocol>tcp</protocol>
>  <source>
>   <address>192.168.X.X</address>
>  </source>
>  <destination>
>   <address>172.24.Y.Y</address>
>   <port>389</port>
>  </destination>
>  <log/>
>  <descr>Allow LDAP from mailx to pdc</descr>
> </rule>
>
> Every day I have entries in my log like these:
> 300:1 p sis2 1952 tcp packets from 192.168.X.X to 172.24.Y.Y port 389
> (ldap)
> 0:17 b sis2 78 tcp packets from 192.168.0.5 to 172.24.X.X port 389 (ldap)
>
> Why are there some packets blocked? I explicitly allowed this kind of
> packet to pass....
> The detailed packets look like this:
> PASS:
> Sep 26 09:27:35 172.24.Y.Y ipmon[83]: 09:27:35.872910 sis2 @300:1 p
> 192.168.Y.Y,54979 -> 172.24.X.X,389 PR tcp len 20 60 -S K-S IN
> BLOCK:
> Sep 26 08:50:38 172.24.Y.Y ipmon[83]: 08:50:38.256087 sis2 @0:17 b
> 192.168.Y.Y,39282 -> 172.24.X.X,389 PR tcp len 20 52 -AR IN
>
> I just want to make sure this behavior is intended and normal before
> this server becomes our production server.
>
> Thanks for your help
>
> Regards
> Reto
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

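Added example (not from the thread and not m0n0wall's own code): a small triage script for ipmon log lines of the shape quoted above. The point of the FAQ answer is that a blocked TCP segment without SYN (here "-AR", ACK+RST) arriving on an explicitly allowed port is a straggler from a session whose state entry is already gone, while a blocked SYN to the same port would be a genuine policy rejection. The script parses the records and sorts blocks into those two groups, noting whether a pass rule with "K-S" (read here as "keep state", as on the PASS line in the thread) was seen earlier for the same source/destination/port. The sample log lines are constructed with made-up RFC 1918 addresses modelled on the two records in the thread; the regex and flag-letter interpretation are assumptions based on those two lines, not on the ipmon source.

```python
import re
from collections import defaultdict

# Pattern for the ipmon record format quoted in the thread (assumed from the two
# lines shown, not from the ipmon source):
#   <syslog prefix> ipmon[pid]: HH:MM:SS.us iface @group:rule action \
#   src,sport -> dst,dport PR proto len hdrlen pktlen [-FLAGS] [K-S] IN|OUT
# Flag letters are read as the usual TCP abbreviations (S=SYN, A=ACK, R=RST,
# F=FIN, P=PSH, U=URG); "K-S" is read as "keep state".
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbL])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAFRPUEC]+))?"
    r"(?:\s+(?P<state>K-S))?"
    r"\s+(?P<dir>IN|OUT)\b"
)

# Constructed sample: the pass and the "-AR" block are modelled on the thread's
# two records; the SYN block and the UDP block are added to show the contrast.
SAMPLE_LOG = [
    "Sep 26 08:50:30 172.24.1.1 ipmon[83]: 08:50:30.101010 sis2 @300:1 p "
    "192.168.0.5,39282 -> 172.24.1.10,389 PR tcp len 20 60 -S K-S IN",
    "Sep 26 08:50:38 172.24.1.1 ipmon[83]: 08:50:38.256087 sis2 @0:17 b "
    "192.168.0.5,39282 -> 172.24.1.10,389 PR tcp len 20 52 -AR IN",
    "Sep 26 08:51:02 172.24.1.1 ipmon[83]: 08:51:02.000100 sis2 @0:17 b "
    "192.168.0.99,41000 -> 172.24.1.10,389 PR tcp len 20 60 -S IN",
    "Sep 26 08:51:05 172.24.1.1 ipmon[83]: 08:51:05.000200 sis2 @0:17 b "
    "192.168.0.99,5000 -> 172.24.1.10,161 PR udp len 20 76 IN",
]


def parse_line(line):
    """Parse one ipmon log line into a dict, or return None if it does not match."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"] or "")          # e.g. {"A", "R"}
    rec["keep_state"] = rec.pop("state") == "K-S"
    rec["blocked"] = rec["action"] == "b"
    return rec


def classify(lines):
    """Sort records into buckets:

    pass            matched a pass rule
    block_new_conn  blocked SYN-only TCP: a real connection attempt rejected by policy
    block_stale     blocked TCP segment without SYN (ACK/RST/FIN): no state entry and
                    no SYN-matching rule, i.e. the late-segment case the FAQ describes
    block_other     blocked non-TCP traffic
    unparsed        lines the regex did not understand (kept as raw strings)
    """
    buckets = defaultdict(list)
    seen_flows = set()  # (src, dst, dport) of flows a pass rule admitted earlier
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            buckets["unparsed"].append(line)
            continue
        flow = (rec["src"], rec["dst"], rec["dport"])
        if not rec["blocked"]:
            seen_flows.add(flow)
            buckets["pass"].append(rec)
            continue
        rec["prior_pass"] = flow in seen_flows   # a block with no earlier pass deserves a look
        if rec["proto"] != "tcp":
            buckets["block_other"].append(rec)
        elif "S" in rec["flags"] and "A" not in rec["flags"]:
            buckets["block_new_conn"].append(rec)
        else:
            buckets["block_stale"].append(rec)
    return buckets


def summary(lines):
    """Per-bucket counts, the quick view an operator wants from a day's log."""
    return {name: len(recs) for name, recs in classify(lines).items()}


if __name__ == "__main__":
    for name, recs in classify(SAMPLE_LOG).items():
        print(f"{name}: {len(recs)}")
        for r in recs:
            if isinstance(r, dict):
                flags = "".join(sorted(r["flags"])) or "-"
                print(f"   {r['src']},{r['sport']} -> {r['dst']},{r['dport']} "
                      f"flags={flags} rule=@{r['group']}:{r['rule']} "
                      f"prior_pass={r.get('prior_pass')}")
```

Run over a real day's log, the "block_stale" bucket is the one the FAQ says to ignore, provided the application side reports no errors; "block_new_conn" entries on an allowed port mean a host the rule does not cover is trying to reach the LDAP server, and stale blocks with prior_pass=False (no pass ever seen for that flow) are worth checking against the state-table timeouts before the box goes into production.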