RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000
From: Marcus J. Ranum (mjr_at_ranum.com)
To: "Karl D. Mueller" <email@example.com>, "Bob Alberti" <firstname.lastname@example.org>
Date: Mon, 23 Feb 2004 07:53:39 -0500
Karl D. Mueller wrote:
>My suggestion is to remove the SMTP proxy altogether from the
>watchguard, and just set up a port forward (1-to-1 NAT in
>watchguard-speak) directly to your server.
It's possible - just possible - given the message, that the
firewall is detecting some kind of out-of-bounds condition
in the mail message. Back when I was writing proxy firewalls
(in 1066, we used flint to write our proxies...) I had all kinds
of checks for things like a user-name that was longer than
512 bytes, for example. It turned out to be a useful filter for
X.400 addresses, and I like to fantasize that I helped
contribute to the timely demise of that particular bad idea.
BUT - it is possible that your firewall is detecting an
attack of some sort - perhaps something tunnelling data
or who knows what on a header line - and by suggesting
you "turn the proxy off" you're making the classic decision
in favor of:
"Functionality at any cost - EVEN when I don't understand it."
I wouldn't recommend to anyone to turn a proxy off without
finding out why it's erroring. That's what they're there for,
after all. Security attacks are just a special case of error.
Put differently, if you want all those pesky errors to go away,
take the firewall out and replace it with one of those newfangled
$14.95 "secure hubs"
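The proxy-side sanity checks the post describes (rejecting an envelope field that is longer than it has any business being, rather than passing it through) can be written down as a small filter. The following is an added example and is not code from the post, from the Firebox, or from any Watchguard product; the limits are the ones RFC 5321 section 4.5.3.1 states for command lines, paths and local-parts, the sample session lines are constructed, and the function and constant names are the example's own. Each rejection carries a reason, which is the point the post makes: the operator should be able to find out why the proxy balked before deciding whether to loosen it.

```python
import re

# Limits from RFC 5321 section 4.5.3.1: a command line is at most 512 octets
# including CRLF, a reverse-path or forward-path at most 256 octets including
# the angle brackets, a local-part at most 64 octets. 512 is also the
# threshold the post mentions for its old user-name check.
MAX_COMMAND_LINE = 512
MAX_PATH = 256
MAX_LOCAL_PART = 64

# Envelope commands carrying a path in angle brackets; trailing text is
# ESMTP parameters (SIZE=..., etc.) and is not inspected here.
_ENVELOPE_RE = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<([^>]*)>(.*)$", re.IGNORECASE)


def check_envelope_line(line: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for one raw SMTP command line (CRLF included).

    Overlong or malformed fields are refused with an explicit reason so a
    log entry says what tripped the check, not merely that something did.
    """
    if len(line) > MAX_COMMAND_LINE:
        return False, f"command line {len(line)} octets exceeds {MAX_COMMAND_LINE}"
    body = line.rstrip(b"\r\n")
    # Control characters and non-ASCII bytes do not belong in an envelope
    # command; treat them as an out-of-bounds condition.
    if any(b < 0x20 or b > 0x7E for b in body):
        return False, "non-printable byte in command line"
    m = _ENVELOPE_RE.match(body)
    if m is None:
        return True, "not an envelope command; no path checks applied"
    verb, path = m.group(1).upper().decode(), m.group(2)
    if len(path) + 2 > MAX_PATH:  # count the angle brackets as RFC 5321 does
        return False, f"{verb} path {len(path) + 2} octets exceeds {MAX_PATH}"
    if path:  # the null reverse-path <> is legitimate for bounces
        local_part, sep, domain = path.rpartition(b"@")
        if not sep or not local_part or not domain:
            return False, f"{verb} path lacks local-part@domain"
        if len(local_part) > MAX_LOCAL_PART:
            return False, f"{verb} local-part {len(local_part)} octets exceeds {MAX_LOCAL_PART}"
    return True, f"{verb} envelope within limits"


# Constructed sample session (not taken from the post): two clean envelope
# commands, one absurdly long sender, one sender with an embedded NUL, and a
# legitimate null reverse-path.
SAMPLE_SESSION = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net> SIZE=1024\r\n",
    b"RCPT TO:<bob@example.org>\r\n",
    b"MAIL FROM:<" + b"x" * 600 + b"@example.net>\r\n",
    b"RCPT TO:<bob\x00@example.org>\r\n",
    b"MAIL FROM:<>\r\n",
]


def audit_session(lines: list[bytes]) -> list[tuple[int, str]]:
    """Return [(line_number, reason)] for every line the filter would reject."""
    return [(n, reason) for n, line in enumerate(lines, 1)
            for accept, reason in [check_envelope_line(line)] if not accept]


if __name__ == "__main__":
    for n, why in audit_session(SAMPLE_SESSION):
        print(f"line {n}: rejected: {why}")
```

Running it on the constructed session flags line 4 (626 octets on a 512-octet command line) and line 5 (a NUL byte inside the path) and lets the rest through, including the empty reverse-path. In a real proxy the reason string is what you would want in the log line, since "the proxy rejected the message" on its own is exactly the situation in which someone proposes turning the proxy off.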
firewall-wizards mailing list