Firewall Wizards mailing list archives
RE: Allowing relay through Watchguard Firebox 1000
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 23 Feb 2004 07:53:39 -0500
Karl D. Mueller wrote:
My suggestion is to remove the SMTP proxy altogether from the watchguard, and just set up a port forward (1-to-1 NAT in watchguard-speak) directly to your server.
It's possible - just possible - given the message, that the firewall is detecting some kind of out-of-bounds condition in the mail message. Back when I was writing proxy firewalls (in 1066, we used flint to write our proxies...) I had all kinds of checks for things like a user-name that was longer than 512 bytes, for example. It turned out to be a useful filter for X.400 addresses, and I like to fantasize that I helped contribute to the timely demise of that particular bad idea.

BUT - it is possible that your firewall is detecting an attack of some sort - perhaps something tunnelling data or who knows what on a header line - and by suggesting you "turn the proxy off" you're making the classic decision in favor of: "Functionality at any cost - EVEN when I don't understand it."

I wouldn't recommend to anyone to turn a proxy off without finding out why it's erroring. That's what they're there for, after all. Security attacks are just a special case of error.

Put differently, if you want all those pesky errors to go away, take the firewall out and replace it with one of those newfangled $14.95 "secure hubs"

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
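The kind of envelope sanity check Ranum describes (an SMTP proxy rejecting, with a stated reason, addresses that exceed size limits rather than passing them through), as an added illustration that is not from this thread or from any Watchguard code. It uses the RFC 5321 size limits plus a 512-byte command-line cap, and the sample lines are constructed for the demo; the point is that a rejection carries a reason you can read before deciding whether to relax or remove the check.

```python
import re
from dataclasses import dataclass

# Size limits from RFC 5321 section 4.5.3.1. The 512-byte command-line cap
# is also RFC 5321's; it happens to match the figure quoted in the post.
MAX_LOCAL_PART = 64
MAX_DOMAIN = 255
MAX_PATH = 256
MAX_COMMAND_LINE = 512

@dataclass
class Verdict:
    ok: bool
    reason: str = ""

_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>\s*$", re.IGNORECASE)

def check_envelope_line(line: bytes) -> Verdict:
    """Decide, as a proxy would, whether a MAIL FROM / RCPT TO line is
    within bounds; a rejection always names the limit that was hit."""
    if len(line) > MAX_COMMAND_LINE:
        return Verdict(False, f"command line {len(line)} > {MAX_COMMAND_LINE} bytes")
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII byte in envelope command")
    m = _ENVELOPE.match(text)
    if not m:
        return Verdict(False, "unparseable envelope command")
    path = m.group(2)
    if path == "":
        return Verdict(True)  # null reverse-path <> is legal for MAIL FROM
    if len(path) > MAX_PATH:
        return Verdict(False, f"path {len(path)} > {MAX_PATH} chars")
    local, sep, domain = path.rpartition("@")
    if not sep or not local or not domain:
        return Verdict(False, "address is not local-part@domain (e.g. bare X.400 form)")
    if len(local) > MAX_LOCAL_PART:
        return Verdict(False, f"local part {len(local)} > {MAX_LOCAL_PART} chars")
    if len(domain) > MAX_DOMAIN:
        return Verdict(False, f"domain {len(domain)} > {MAX_DOMAIN} chars")
    return Verdict(True)

if __name__ == "__main__":
    # Constructed sample lines: a normal address, a null sender, and an
    # X.400-style gateway address whose local part overruns the limit.
    samples = [
        b"MAIL FROM:<alice@example.com>\r\n",
        b"MAIL FROM:<>\r\n",
        b"RCPT TO:</C=US/ADMD=ATTMAIL/PRMD=EXAMPLE/O=CORP/OU=MAIL"
        b"/OU1=ENGINEERING/S=SMITH/G=JOHN/@x400gw.example.com>\r\n",
    ]
    for s in samples:
        v = check_envelope_line(s)
        print("ACCEPT" if v.ok else f"REJECT ({v.reason})", s[:40])
```

Logging the reason alongside the offending line is what lets an operator tell a harmless oversize address from something deliberately malformed before touching the proxy configuration.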