RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000

• Previous message: Patrick M. Hausen: "Re: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
• In reply to: Karl D. Mueller: "RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
• Next in thread: Karl D. Mueller: "RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Karl D. Mueller" <karlm@acshelp.com>, "Bob Alberti" <alberti@sanction.net>
Date: Mon, 23 Feb 2004 07:53:39 -0500

Karl D. Mueller wrote:
>My suggestion is to remove the SMTP proxy alltogether from the
>watchguard, and just setup a port forward (1-to-1 NAT in
>watchguard-speak) directly to your server.

It's possible - just possible - given the message, that the
firewall is detecting some kind of out-of-bounds condition
in the mail message. Back when I was writing proxy firewalls
(in 1066, we used flint to write our proxies...) I had all kinds
of checks for things like a user-name that was longer than
512 bytes, for example. It turned out to be a useful filter for
X.400 addresses, and I like to fantasize that I helped
contribute to the timely demise of that particular bad idea.
BUT - it is possible that your firewall is detecting an
attack of some sort - perhaps something tunnelling data
or who knows what on a header line - and by suggesting
you "turn the proxy off" you're making the classic decision
in favor of:
"Functionality at any cost - EVEN when I don't understand it."
I wouldn't recommend to anyone to turn a proxy off without
finding out why it's erroring. That's what they're there for,
after all. Security attacks are just a special case of error.

Put differently, if you want all those pesky errors to go away,
take the firewall out and replace it with one of those newfangled
$14.95 "secure hubs"

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Patrick M. Hausen: "Re: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
• In reply to: Karl D. Mueller: "RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
• Next in thread: Karl D. Mueller: "RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: [fw-wiz] dirty packet tricks? ... solve via promiscuously sucking up packets. ... restriction that your 'sideways' proxy box is it will have to be on a hub ... The firewall will have to suppress all ICMP errors to the internal network ... (Firewall-Wizards) Re: [fw-wiz] httport 3snf ... >> wouldn't have gotten SSH out of my firewall. ... > Postfix SMTP server with a wildcard MX that handed the mail that wasn't ... > destined to me off to the downstream MS stuff, and an HTTP proxy server ... All it needs is a written policx "Internet access is ... (Firewall-Wizards) Re: Kids bypassing firewall via web proxy sites ... We use a Sonicwall firewall, 3060, I subscribe to content fltering, ... I checked "Access to HTTP Proxy Servers" But I am still able to get to ... CyBlock, which does network proxy and filtering ... (comp.security.firewalls) Re: NAT is not a mechanism for securing a network.. but.. HELP! ... tell you a NAT router is a firewall. ... > There is this one hot chick at a major American news network, ... >proxy, and come to a chat room where her and I have been chatting, she has ... >admins at the station she works for. ... (comp.security.firewalls) Re: Tool to find hidden web proxy server ... No reason the proxy has to be INSIDE your firewall. ... Cell Phones to just bypass your firewall completely. ... On Thu, 2 Sep 2004, vinay mangal wrote: ... policy for Internet access says it is through IP ... (Pen-Test)