Re: SPF+BEFSR41+MailWasher

From: Brian (flackb_at_hotmail.com)
Date: 03/10/05


Date: Thu, 10 Mar 2005 16:45:02 +0100


"Renegade" <inv@lid.net> wrote in message
news:IkXXd.162979$JF2.140718@tornado.tampabay.rr.com...
> On Thu, 10 Mar 2005 13:34:48 +0100, Brian wrote:
>
>>
>> "Duane Arnold" <notme@notme.com> wrote in message
>> news:Xns9614B62D63E5Enotmenotmecom@204.127.204.17...
>>> "Brian" <flackb@hotmail.com> wrote in
>>> news:422f7199$0$14965$ba620e4c@news.skynet.be:
>>>
>>>>
>>>> "Renegade" <inv@lid.net> wrote in message
>>>> news:CQGXd.110247$pc5.47385@tornado.tampabay.rr.com...
>>>>> On Wed, 09 Mar 2005 14:31:32 +0100, Brian wrote:
>>>>>
>>>>>> I have a problem with MailWasher saying, "Skipped automatic mail
>>>>>> check because the was no Internet connection" when, in fact, the
>>>>>> ADSL connection has not been interrupted.
>>>>>> This has been happening since I installed the Linksys switch and it
>>>>>> shows up in the Sygate log as a blocked UDP response from the IP
>>>>>> address of the switch.
>>>>>> I can only assume that MailWasher is expecting a response from the
>>>>>> mail server which is being blocked by SPF.
>>>>>> Apart from allowing all UDP polls to pass through the firewall can
>>>>>> anyone suggest a rule that would get over this problem?
>>>>>>
>>>>>> Brian
>>>>>
>>>>> All you have to do is allow the UDP from the router to pass for the
>>>>> apps in question. Some apps are written to expect the connection
>>>>> first. If the packets that they are waiting for are being blocked,
>>>>> the apps think that there is no connection.
>>>>
>>>> Thanks for the suggestion but it looks like MailWasher is not waiting
>>>> for the UDP poll because making an SPF rule to allow incoming UDPs for
>>>> MailWasher does not cure the problem. In fact, the log still shows
>>>> incoming UDP as blocked. I guess it is reasonably safe to allow all
>>>> incoming UDP as I am behind the Linksys switch so I will try that for
>>>> a while.
>>>>
>>>> Brian
>>>>
>>>>
>>>>
>>>
>>> Yeah, I don't know what your problem is with Mailwasher. Sygate should
>>> be set to trust the device IP of the router and should not be blocking
>>> it. Since Mailwasher is making the requests for solicited traffic from
>>> behind the router and the PFW solution, then they both should allow
>>> inbound traffic to Mailwasher. I doubt that the router is causing the
>>> blockage and you may want to drop Sygate and see what happens, since
>>> the machine is protected by the router. I use Mailwasher and have not
>>> had any problems due to the router.
>>>
>> Mmm, I'm not convinced by that argument. UDP is a popular means of
>> transporting malicious code so allowing all UDP polls, even behind a NAT
>> router, seems risky. I would prefer to have belt and braces as far as
>> possible. A crafty hacker can always penetrate NAT.
>> It seems that it is not MailWasher itself that is waiting for the UDP
>> response, but allowing all incoming UDP signals certainly cures the
>> problem with MailWasher thinking the Internet connection has been lost.
>> Presumably there is some other link that causes this to happen - but
>> what? I'm still puzzled.
>>
>> Brian
>
> Could it be that the router itself is using UDP packets and they are not
> coming from outside? I have inbound UDP and TCP blocked on my setup, and
> everything works fine here. Maybe the BEFSR41 is sending "keep-alive"
> packets with UDP?
>
Seems to me that the UDP flash is a response from my mail server that is
readdressed by the router. Because it is blocked by SPF, MW thinks the
connection is broken so gives up checking. As the response appears to come
from the router, I can't see how else to define a firewall rule other than
allowing all incoming UDP polls, which I think is unsafe.
I have now asked my ISP to check if the response is indeed coming from their
server.
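An added illustration, not part of the thread: a small Python model of the rule being asked for, narrower than "allow all incoming UDP". Inbound UDP is admitted only as a reply to a recent outbound UDP request, either from the original remote host or (since the thread reports the reply arriving with the router's address as source) from the router's LAN address to a local port that recently sent a request; the router address, timeout and sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ROUTER_LAN_IP = "192.168.1.1"  # assumed LAN address of the BEFSR41 (placeholder)
REPLY_WINDOW = 30.0            # seconds an outbound UDP request stays open (assumed)

@dataclass
class Packet:
    ts: float
    direction: str  # "out" (PC -> network) or "in" (network -> PC)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class UdpReplyFilter:
    """Stateful UDP filter: deny inbound UDP unless it answers a recent request."""
    def __init__(self, router_ip: str = ROUTER_LAN_IP, window: float = REPLY_WINDOW):
        self.router_ip = router_ip
        self.window = window
        self.flows: Dict[Tuple[str, int, int], float] = {}  # (remote_ip, remote_port, local_port) -> ts
        self.open_ports: Dict[int, float] = {}              # local_port -> ts of last outbound request

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            # record the outbound request so its reply can be matched later
            self.flows[(p.dst_ip, p.dst_port, p.src_port)] = p.ts
            self.open_ports[p.src_port] = p.ts
            return "allow"
        # inbound: exact reply from the host we asked, within the window
        t = self.flows.get((p.src_ip, p.src_port, p.dst_port))
        if t is not None and p.ts - t <= self.window:
            return "allow"
        # inbound: reply re-sourced by the router, but only to a port that just asked
        t = self.open_ports.get(p.dst_port)
        if p.src_ip == self.router_ip and t is not None and p.ts - t <= self.window:
            return "allow"
        return "deny"  # everything else, including unsolicited UDP, is dropped

def run(packets: List[Packet]) -> List[str]:
    f = UdpReplyFilter()
    return [f.handle(p) for p in packets]

# Constructed sample traffic: PC 192.168.1.100 queries a server on UDP port 4000 (placeholder port).
SAMPLE = [
    Packet(0.0, "out", "192.168.1.100", 3456, "203.0.113.10", 4000),  # request
    Packet(1.0, "in", "203.0.113.10", 4000, "192.168.1.100", 3456),   # reply from server
    Packet(2.0, "in", "192.168.1.1", 4000, "192.168.1.100", 3456),    # reply re-sourced by router
    Packet(3.0, "in", "192.168.1.1", 4000, "192.168.1.100", 9999),    # router to port that never asked
    Packet(4.0, "in", "198.51.100.7", 4000, "192.168.1.100", 3456),   # unsolicited from elsewhere
    Packet(40.0, "in", "192.168.1.1", 4000, "192.168.1.100", 3456),   # router reply after window expired
]
```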


