RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 02/23/04

  • Next message: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Cisco PIX query"
    To: "Karl D. Mueller" <karlm@acshelp.com>, "Bob Alberti" <alberti@sanction.net>
    Date: Mon, 23 Feb 2004 07:53:39 -0500
    
    

    Karl D. Mueller wrote:
    >My suggestion is to remove the SMTP proxy alltogether from the
    >watchguard, and just setup a port forward (1-to-1 NAT in
    >watchguard-speak) directly to your server.

    It's possible - just possible - given the message, that the
    firewall is detecting some kind of out-of-bounds condition
    in the mail message. Back when I was writing proxy firewalls
    (in 1066, we used flint to write our proxies...) I had all kinds
    of checks for things like a user-name that was longer than
    512 bytes, for example. It turned out to be a useful filter for
    X.400 addresses, and I like to fantasize that I helped
    contribute to the timely demise of that particular bad idea.
    BUT - it is possible that your firewall is detecting an
    attack of some sort - perhaps something tunnelling data
    or who knows what on a header line - and by suggesting
    you "turn the proxy off" you're making the classic decision
    in favor of:
    "Functionality at any cost - EVEN when I don't understand it."
    I wouldn't recommend to anyone to turn a proxy off without
    finding out why it's erroring. That's what they're there for,
    after all. Security attacks are just a special case of error.

    Put differently, if you want all those pesky errors to go away,
    take the firewall out and replace it with one of those newfangled
    $14.95 "secure hubs"

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Cisco PIX query"