RE: [fw-wiz] UPS Worldship connection problems with new firewall device

From: Bruce Smith (
Date: 08/26/05

    To: "'Servie Platon'" <>, <>
    Date: Fri, 26 Aug 2005 19:56:49 +0200

    Hi Servie

    I don't have any experience with the specific firewalls mentioned, so I will
    limit my discussion to general comments.

    First about the .exe requirements mentioned by UPS. The techie who suggested
    this probably thinks you have a personal firewall like ZoneAlarm on the
    machine and not a network gateway device. Those firewalls allow access based
    on which executable app is requesting the connection in addition to the
    normal rulesets. Since the software works when the user took the computer
    home, there is definitely no personal firewall problem.

    The rest of my suggestions are general to most firewalls.

    It sounds like the SOHO3 was running a generic permit all traffic from
    inside to outside while the TZ170 probably has a deny-all allow specific
    ruleset from inside to outside. A lot of the discussion on this list has
    been about the differences and which is preferable.

    Since UPS doesn't appear to be very helpful, the only way to find out what
    needs to be opened up is to look at the logs to see what is being denied by
    what rule when the software attempts to connect to the UPS network. Try it a
    number of times to see if it uses the same destination ports or wanders up
    and down a range of ports.

    Hopefully someone else on the list has had experience with the application
    and knows what needs to be opened, but if not, then this methodology should
    assist in finding out what is needed besides the simple yet insecure method
    of adding a rule to allow the laptop to connect to any port through the


    Bruce Smith

    -----Original Message-----
    [] On Behalf Of Servie
    Sent: Thursday, August 18, 2005 2:52 AM
    Subject: [fw-wiz] UPS Worldship connection problems with new firewall device

    Hello FW-Wizards and gurus,

    I have upgraded my Sonicwall SOHO3 to TZ170 a couple
    of weeks back for my small office network.

    Everything seems to be working fine except for one
    laptop which accesses UPS (United Parcel Service)
    Worldship network.

    As its description from the UPS website. UPS
    WorldShip® is a full featured, Windows®-based,
    shipping software application for customers with high
    volume shipping needs. WorldShip allows customers to
    accelerate, streamline and enhance not only their
    shipping processes, but financial and customer service
    processes as well.

    When we first installed the program in one of the
    laptops, it seems to be working fine with the SOHO3

    And when we upgraded to the Sonicwall TZ170, that's
    when the problem started to set in. We were told by
    UPS technical support since we have upgraded a
    firewall appliance, the firewall rules may have
    blocked inbound and outbound communication between our
    small office network and UPS's network.

    Furthermore, we were told that we need to enable
    support for gethostip.exe, shipups.exe, upslnkmg.exe
    alongside allowing access for 153.2.x.x network.

    Since I don't see any documentation on this Sonicwall
    TZ170 to do the adding of .exe files to the firewall
    that supports this method.

    I am uncertain though, whether my firewall rules have
    something to do with it? AFAIK, other services such as
    mail, terminal services are working fine except for
    this one.

    One odd thing that puzzles me is that if my boss
    brings this laptop to his house and connects it to his
    Home network through his router, he could connect to
    UPS and be able to do work and send info in a
    bi-directional manner.

    Whereas, if he returns to the office he gets an Error
    Code 53670 which according to UPS has something to do
    with our firewall and dns resolution.

    I have attempted and failed to enable this feature and
    am hoping that maybe someone may have encountered this
    problem in the past who may have the solution.

    Again, thank you very much.

    Very sincerely yours,

    firewall-wizards mailing list
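
The log-review approach described in the reply above, as an added example that is not part of the original thread: it groups denied outbound connections from one client by protocol and destination port, and reports whether the same ports repeat across attempts. The log format, the client address 192.168.1.50, the rule numbers and the ports are all constructed assumptions; only the 153.2.x.x network comes from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value syslog style. This is not
# real TZ170 output, and the ports say nothing about what WorldShip uses.
SAMPLE_LOG = """\
Aug 26 10:01:02 fw action=deny rule=12 src=192.168.1.50:3301 dst=153.2.10.20:443 proto=tcp
Aug 26 10:01:05 fw action=deny rule=12 src=192.168.1.50:3302 dst=153.2.10.20:443 proto=tcp
Aug 26 10:01:09 fw action=allow rule=3 src=192.168.1.50:3303 dst=192.0.2.25:25 proto=tcp
Aug 26 10:02:11 fw action=deny rule=12 src=192.168.1.50:3304 dst=153.2.10.21:8080 proto=tcp
Aug 26 10:02:14 fw action=deny rule=12 src=192.168.1.50:3305 dst=153.2.10.21:8080 proto=tcp
Aug 26 10:02:20 fw action=deny rule=12 src=192.168.1.77:4000 dst=153.2.10.20:443 proto=tcp
Aug 26 10:03:01 fw action=deny rule=9 src=192.168.1.50:1050 dst=198.51.100.53:53 proto=udp
"""

# Adapt this pattern to the format your firewall actually writes.
LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+rule=(?P<rule>\d+)\s+"
    r"src=(?P<src>[\d.]+):\d+\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

def summarize_denies(log_text, client_ip, dest_net=None):
    """Count denies from client_ip per (proto, dport); dest_net=None keeps all."""
    net = ipaddress.ip_network(dest_net) if dest_net else None
    hits = defaultdict(lambda: {"count": 0, "rules": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "deny" or m["src"] != client_ip:
            continue
        if net and ipaddress.ip_address(m["dst"]) not in net:
            continue
        entry = hits[(m["proto"], int(m["dport"]))]
        entry["count"] += 1
        entry["rules"].add(int(m["rule"]))  # which rule did the blocking
    return dict(hits)

def port_pattern(summary, min_repeats=2):
    """Heuristic: 'fixed' if every denied port recurs, else 'wandering'."""
    if not summary:
        return "none"
    recurring = all(v["count"] >= min_repeats for v in summary.values())
    return "fixed" if recurring else "wandering"

if __name__ == "__main__":
    ups = summarize_denies(SAMPLE_LOG, "192.168.1.50", "153.2.0.0/16")
    for (proto, port), info in sorted(ups.items()):
        print(proto, port, info["count"], sorted(info["rules"]))
    print("pattern:", port_pattern(ups))
```

Running it without `dest_net` also surfaces denies to other destinations, such as the constructed DNS lookup here, which matters because the reported error mentions DNS resolution.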
