RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 02/23/04

    To: "Karl D. Mueller" <karlm@acshelp.com>, "Bob Alberti" <alberti@sanction.net>
    Date: Mon, 23 Feb 2004 07:53:39 -0500
    
    

    Karl D. Mueller wrote:
    >My suggestion is to remove the SMTP proxy altogether from the
    >watchguard, and just setup a port forward (1-to-1 NAT in
    >watchguard-speak) directly to your server.

    It's possible - just possible - given the message, that the
    firewall is detecting some kind of out-of-bounds condition
    in the mail message. Back when I was writing proxy firewalls
    (in 1066, we used flint to write our proxies...) I had all kinds
    of checks for things like a user-name that was longer than
    512 bytes, for example. It turned out to be a useful filter for
    X.400 addresses, and I like to fantasize that I helped
    contribute to the timely demise of that particular bad idea.
    BUT - it is possible that your firewall is detecting an
    attack of some sort - perhaps something tunnelling data
    or who knows what on a header line - and by suggesting
    you "turn the proxy off" you're making the classic decision
    in favor of:
    "Functionality at any cost - EVEN when I don't understand it."
    I wouldn't recommend to anyone to turn a proxy off without
    finding out why it's erroring. That's what they're there for,
    after all. Security attacks are just a special case of error.

    Put differently, if you want all those pesky errors to go away,
    take the firewall out and replace it with one of those newfangled
    $14.95 "secure hubs".

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
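The kind of out-of-bounds check Marcus describes (a proxy refusing an SMTP envelope because a field is absurdly long, and logging why, instead of the admin simply bypassing it) can be illustrated with a small command-line validator. This is an added example for this archive page, not code from the Firebox, from the firewall-wizards list, or from Marcus's proxies; the 512-byte line and user-name limits come from his message, the 64/255-byte local-part and domain limits are the RFC 5321 sizes, and the sample session lines are constructed here.

```python
import re

# Limits. MAX_LINE and MAX_USER_NAME follow the 512-byte figure in the message
# above; MAX_LOCAL_PART and MAX_DOMAIN are the RFC 5321 sizes (assumption: the
# proxy under discussion applied something similar).
MAX_LINE = 512
MAX_USER_NAME = 512
MAX_LOCAL_PART = 64
MAX_DOMAIN = 255

# MAIL FROM:<path> / RCPT TO:<path>; anything else passes through untouched.
_PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(?P<path>[^>]*)>", re.IGNORECASE)


def check_smtp_command(raw_line: str):
    """Validate one SMTP client command line.

    Returns (accepted, reason). A rejection reason is what the proxy should
    log so the operator can see *why* a message was refused rather than
    turning the proxy off.
    """
    line = raw_line.rstrip("\r\n")

    if len(line) > MAX_LINE:
        return False, f"command line {len(line)} bytes exceeds {MAX_LINE}"

    # SMTP commands are 7-bit printable ASCII; control or 8-bit bytes in the
    # envelope are a protocol violation, not a valid address.
    if any(ord(c) < 32 or ord(c) > 126 for c in line):
        return False, "non-printable or 8-bit byte in command"

    m = _PATH_RE.match(line)
    if m is None:
        return True, "no path to inspect"

    path = m.group("path")
    if path == "":
        return True, "null path"          # MAIL FROM:<> is legal for bounces

    if "@" not in path:
        return False, "path without domain part"

    local, _, domain = path.rpartition("@")
    if len(local) > MAX_USER_NAME:
        return False, f"user name {len(local)} bytes exceeds {MAX_USER_NAME}"
    if len(local) > MAX_LOCAL_PART:
        return False, f"local-part {len(local)} bytes exceeds {MAX_LOCAL_PART}"
    if len(domain) > MAX_DOMAIN:
        return False, f"domain {len(domain)} bytes exceeds {MAX_DOMAIN}"

    return True, "ok"


def audit_session(lines):
    """Run every command of a session through the check.

    Returns a list of (line_number, reason) for rejected commands, numbered
    from 1 so the result reads like a proxy log entry.
    """
    rejected = []
    for n, line in enumerate(lines, start=1):
        ok, reason = check_smtp_command(line)
        if not ok:
            rejected.append((n, reason))
    return rejected


# Constructed sample session: four well-formed commands and one recipient
# with a 600-byte user name of the sort the message above talks about.
SAMPLE_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    "MAIL FROM:<>",
    "RCPT TO:<" + "A" * 600 + "@example.org>",
]

if __name__ == "__main__":
    for n, reason in audit_session(SAMPLE_SESSION):
        print(f"proxy rejected line {n}: {reason}")
```

The point of returning a reason string is operational: a rejection logged as "local-part 70 bytes exceeds 64" tells the admin whether the proxy tripped on a broken mail client or on something deliberately malformed, which is exactly the question the message says should be answered before the proxy is removed.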
