> Consider the case where sendmail does an RFC-931 query before presenting
> its 200 banner on port 25 connections. If a firewall on the sender just
> eats the port 113 connect attempts, then the sender will probably
> time out waiting for the welcome mat. What makes this worse is that many
> sendmails, having gotten a connection, then having it time out waiting
> for a welcome, will NOT go back and try secondary MX hosts, so the mail
> will be forever undeliverable.
>
> If instead the firewall bounced a host unreachable back, then the IDENT
> query fails much more quickly and the sendmail can then put out the
> welcome mat in time and the SMTP transaction continues normally.
>
Then in this case, rather than having the firewall bounce a
host unreachable, wouldn't it be just as easy to allow the port 113
ident connection? At least for any machine behind the firewall that is
likely to be sending mail on to the outside.
Unless, of course, you're able to set it up so that for certain
destination ports you'll send an ICMP reply when you drop it, and
others you won't.
-Bob
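The drop-versus-reject distinction the thread turns on can be checked from the outside. The following is an added example, not code from either poster: it times a TCP connect to a host's IDENT port and reports whether the connection was answered, refused outright (RST or ICMP unreachable, the fast-fail case), or silently dropped (the full-timeout case that stalls an IDENT-querying MTA). The loopback helper is an assumption used to produce a deterministic "rejected" result locally.

```python
"""Probe how a host treats inbound IDENT (TCP/113) connections.

Added example for the thread above; not code from the original posts.
An MTA doing an RFC 931/1413 lookup before its SMTP banner stalls for the
whole timeout when the remote firewall silently drops port 113, but fails
fast when the firewall answers with ICMP unreachable or a TCP RST.
"""
import socket
import time

IDENT_PORT = 113


def classify(exc):
    """Map a connect() failure to the firewall behaviour it implies."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "dropped"      # SYN swallowed: the sender waits out its timer
    if isinstance(exc, OSError):
        return "rejected"     # RST or ICMP unreachable: immediate failure
    return "error"


def probe_ident(host, timeout=5.0, port=IDENT_PORT):
    """Return (outcome, seconds) for a TCP connect to host:port.

    outcome is "open" if the handshake completed, otherwise classify()'s
    verdict. A "dropped" result close to `timeout` is the case the thread
    describes: every IDENT-querying MTA sits that long before SMTP starts.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            outcome = "open"
    except OSError as exc:
        outcome = classify(exc)
    return outcome, time.monotonic() - start


def free_local_port():
    """Pick a loopback port nothing listens on (assumed helper). This stands
    in for a REJECTing firewall: the kernel answers the SYN with RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    outcome, secs = probe_ident("127.0.0.1", port=free_local_port())
    print(f"loopback closed port: {outcome} after {secs:.3f}s")
```

Run it against a mail host's real port 113 (default port) to see which of the two firewall behaviours it exhibits; a "dropped" verdict near the full timeout is the delay remote senders will experience.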