
Tuesday, August 30, 2005

firewall-wizards digest, Vol 1 #1654 - 3 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: PIX denying SSH Access - until I run PDM? (Paul Melson)
2. RE: UPS Worldship connection problems with new firewall device (Chris Hunhoff)
3. Layer 2 firewalls ... (Andrew K. Adams)

--__--__--

Message: 1
From: "Paul Melson" <pmelson@gmail.com>
To: "'Paul Pershing'" <streamfile@gmail.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] PIX denying SSH Access - until I run PDM?
Date: Mon, 29 Aug 2005 08:41:46 -0400

I have a hunch that you may have an 'aaa authentication' rule that's causing
this problem. Would you be willing to post the output of 'show aaa' from a
PIX with this affliction? Of course, sanitize it to prevent any unnecessary
disclosures such as user names or public IP addresses.

PaulM

-----Original Message-----
Subject: [fw-wiz] PIX denying SSH Access - until I run PDM?

The symptom is that a few weeks will pass since I last logged onto the fw
using ssh; I'll attempt to, but instead of being prompted for a
userid/password the client will simply sit there and stare at me while doing
nothing - no errors. If I'm using Kermit (usual) it'll just sit on the blank
black screen until it times out. Other clients produce similar behavior.

The odd part is that I discovered through trial and error that if I access the
PIX via PDM after the failed SSH attempt - even if the PDM connection is not
completed - I can then attach via SSH.

This is such a bizarre problem that I've been reluctant to post it; but I've
encountered it so many times now that my curiosity has gotten the better of
me!
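A small diagnostic for the symptom in this thread, added here as an example and not code from the list or its posters: it tells apart "TCP connect refused", "connected but the device never sent its SSH identification string" (the client-just-sits-there stall described above) and "banner received", which is the first thing worth knowing before digging into the PIX configuration. The local listener and the banner string are constructed stand-ins for the firewall, not a real PIX.

```python
import socket
import threading
import time

def probe_ssh_banner(host, port=22, timeout=5.0):
    """Return ("refused", None) if TCP connect fails, ("no_banner", None) if the
    connection opens but no SSH identification string arrives within `timeout`
    (the "client just sits there" symptom), or ("banner", text)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("refused", None)
    data = b""
    try:
        sock.settimeout(timeout)
        # RFC 4253: the server's identification string ends in CR LF, at most 255 bytes
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:  # peer closed without sending a banner
                break
            data += chunk
    except socket.timeout:
        return ("no_banner", None)
    finally:
        sock.close()
    if data.startswith(b"SSH-"):
        return ("banner", data.strip().decode("ascii", "replace"))
    return ("no_banner", None)

def _serve_once(banner, hold_seconds):
    """Constructed stand-in for the firewall: accept one connection, then either
    send `banner` at once or stay silent for `hold_seconds` like the stalled PIX."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        else:
            time.sleep(hold_seconds)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    healthy = _serve_once(b"SSH-1.5-Cisco-1.25\r\n", 0)  # constructed sample banner
    stalled = _serve_once(b"", 2)
    return (probe_ssh_banner("127.0.0.1", healthy, 1.0), probe_ssh_banner("127.0.0.1", stalled, 1.0))
```

Against a real device, a "no_banner" result with a successful TCP connect points at the firewall's own SSH/AAA handling rather than at a filtered path, which is what the `show aaa` request above is meant to narrow down.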

--__--__--

Message: 2
Subject: RE: [fw-wiz] UPS Worldship connection problems with new firewall device
Date: Mon, 29 Aug 2005 07:53:36 -0500
From: "Chris Hunhoff" <chunhoff@eastriver.coop>
To: <firewall-wizards@honor.icsalabs.com>

By default a Sonicwall allows all ports outbound, so you shouldn't have
to create any outbound rules unless you specifically closed these ports,
and UPS Worldship does not require any inbound ports that I know of.

You might want to try enabling fragmented packets on the allow-all rule.
This seems to be a fix-all for a lot of traffic problems with the
Sonicwall.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Servie
Platon
Sent: Sunday, August 28, 2005 1:52 PM
To: List Account; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] UPS Worldship connection problems with new
firewall device

Thank you Nathan, Paul, Bruce and Keith for giving
some of your insights on what to do.

Before posting to this prestigious group, I called UPS
technical support and was told to allow ports 80 and
443 on the firewall. So, I created/added a rule named
UPS to do that, which allows the network 153.2.x.x to
the LAN to pass through on said ports.

I have also called technical support of SonicWall for
assistance and sent them the tsr (tech support report)
file which has the list of rules and other
configuration but so far they have not seen anything
wrong with it.

For this firewall appliance (TZ170), I have just
enabled Terminal Services to pass through and site to
site VPN and the rest are just the normal
configuration.

I must suspect there could be a rule here that
completely blocks connection. I shall send you guys
some info tomorrow when I get back to the office.

One thing I noticed when I upgraded the SOHO3 to the
TZ170: the SOHO3 had another device linked to it,
a Linksys 4-port router which has port
forwarding enabled. I have not scrutinized the
configuration of this additional device per se, but
what I can say is that it has port forwarding enabled.

Thank you for your time.

Very sincerely yours,
Servie

--- List Account <list.account@cerdant.com> wrote:

> What version of SonicOS are you running? Standard or Enhanced?
> Are there any log messages generated in the SonicWALL when the user attempts
> to connect to the site?
> If you're running SonicOS Enhanced 3.1 or greater, have you done a packet
> capture and saved it to a libpcap file? Can you post this file if so?
>
> Nathan Grandbois, CISSP, CSSA
> Cerdant, Inc.
> 614.717.0123 ext. 26
>
> >-----Original Message-----
> >From: firewall-wizards-admin@honor.icsalabs.com
> >[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Servie Platon
> >Sent: Wednesday, August 17, 2005 8:52 PM
> >To: firewall-wizards@honor.icsalabs.com
> >Subject: [fw-wiz] UPS Worldship connection problems with new firewall device
> >
> >Hello FW-Wizards and gurus,
> >
> >I have upgraded my Sonicwall SOHO3 to a TZ170 a couple of weeks back for my
> >small office network.
> >
> >Everything seems to be working fine except for one laptop which accesses
> >the UPS (United Parcel Service) Worldship network.
> >
> >As described on the UPS website: UPS WorldShip® is a full-featured,
> >Windows®-based shipping software application for customers with high
> >volume shipping needs. WorldShip allows customers to accelerate, streamline
> >and enhance not only their shipping processes, but financial and customer
> >service processes as well.
> >
> >When we first installed the program on one of the laptops, it seemed to be
> >working fine with the SOHO3 firewall.
> >
> >And when we upgraded to the Sonicwall TZ170, that's when the problem started
> >to set in. We were told by UPS technical support that since we have upgraded
> >a firewall appliance, the firewall rules may have blocked inbound and
> >outbound communication between our small office network and UPS's network.
> >
> >Furthermore, we were told that we need to enable support for gethostip.exe,
> >shipups.exe, upslnkmg.exe alongside allowing access for the 153.2.x.x
> >network.
> >
> >However, I don't see any documentation on this Sonicwall TZ170 about adding
> >.exe files to the firewall that supports this method.
> >
> >I am uncertain, though, whether my firewall rules have something to do with
> >it. AFAIK, other services such as mail and terminal services are working
> >fine except for this one.
> >
> >One odd thing that puzzles me is that if my boss brings this laptop to his
> >house and connects it to his home network through his router, he can connect
> >to UPS and do his work and send info in a bi-directional manner.
> >
> >Whereas, if he returns to the office, he gets Error Code 53670 which,
> >according to UPS, has something to do with our firewall and DNS resolution.
> >
> >I have attempted and failed to enable this feature and am hoping that maybe
> >someone has encountered this problem in the past and may have the solution.
> >
> >Again, thank you very much.
> >
> >Very sincerely yours,
> >Servie
> >
> >_______________________________________________
> >firewall-wizards mailing list
> >firewall-wizards@honor.icsalabs.com
> >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >


--__--__--

Message: 3
Date: Mon, 29 Aug 2005 14:26:02 -0400
From: "Andrew K. Adams" <akadams@psc.edu>
To: firewall-wizards@honor.icsalabs.com
Cc: "Andrew K. Adams" <akadams@psc.edu>
Subject: [fw-wiz] Layer 2 firewalls ...

Is anyone aware of any *disadvantages* of layer 2 firewalls?

Current marketing seems to be pushing layer 2 firewalls mostly, as far as I
can tell, to reduce the possibility of the device being compromised (no IP
address). And it seems to me that any network using Ethernet as its medium
could (and should?) be doing this, unless, of course, they needed the device
to additionally perform layer 3 or 4 utility (e.g., NAT).

I readily admit that I don't possess "link layer" expertise, and thus, I
suspect that I must be missing something further, if layer 2 firewalls are
indeed a trade-off.

Thanks!

-aka

--
Andrew K. Adams
Pittsburgh GigaPoP & Network Research Group
Pittsburgh Supercomputing Center
Carnegie Mellon University
4400 Fifth Ave.
Pittsburgh, PA 15213

Office: 306-A Mellon Institute
Phone: (412) 268-5142
Fax: (412) 268-8200
WWW: http://www.psc.edu/~akadams/

D3 FA 7D 61 FD ED BD D9 0C DE 94 DB 0F 25 D0 2E

--__--__--


End of firewall-wizards Digest
