[Sidewinder] SYN/ACK issue
Sidewinder moderated discussion list
sidewinder at adeptech.com
Tue Jul 29 07:23:43 EDT 2008
Have you checked your audit logs to see that there isn't perhaps another port required? I usually start my audit log searching as narrow as possible (since there can be an overwhelming amount of data there), and if that doesn't find anything to help, broaden the search. I would search for the IP address of the IRC server, both as a source and as a destination (or use "or" in a command line search with acat).
If that doesn't help, then your next bet is probably to run packet captures on both sides of the firewall with tcpdump. You can run "man tcpdump" for more information, but here's an example of how I do it:
tcpdump -npi em0 -Xs 1600 -w irc.ext.cap host 1.1.1.1
[assuming the IRC server is 1.1.1.1, or this could be the IP address of a test client]
I would do another simultaneous capture for the internal NIC:
tcpdump -npi em1 -Xs 1600 -w irc.int.cap host 1.1.1.1
For easier investigation, I copy these .cap files off of the firewall to my PC (usually using our FTP server) and view them in Wireshark.
There has to be something different between those two rules you mention. If the only difference really is that the second one allows all ports (and they're both uni-directional), then it would seem that the IRC server is trying to use another port.
--------------------
Matt Harrell
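The two-capture procedure above leaves you with irc.ext.cap and irc.int.cap to compare. The script below is an added example, not code from Matt's post or from Secure Computing; it reads a libpcap file as written by "tcpdump -w" (classic pcap only, not pcapng) with nothing but the Python standard library and answers the two questions the thread raises: which TCP flows show up without their handshake (the condition behind an "Expected SYN, Got ACK" entry, typically sessions that were already established before the rule was added), and which ports are actually in use when talking to the IRC server. The addresses, ports and the in-memory capture are constructed for the demo; 192.0.2.10 stands in for the "1.1.1.1" placeholder in the post.

```python
"""Added example (not from the list post): parse a tcpdump capture and report
TCP flows that start without a SYN, plus every port used with the IRC host.
Pure standard library; addresses, ports and the sample capture are constructed."""
import socket
import struct
from collections import OrderedDict

SYN, ACK = 0x02, 0x10


def tcp_frame(src, dst, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def pcap_bytes(frames):
    """Wrap frames in a libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1217000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_packets(data):
    """Yield (src, sport, dst, dport, flags) for each IPv4/TCP record in a pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the capture file
    off = 24                                     # skip the global header
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(end + "IIII", data, off)
        rec = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(rec) < 34 or rec[12:14] != b"\x08\x00" or rec[23] != 6:
            continue                             # not IPv4 over Ethernet, or not TCP
        t = 14 + (rec[14] & 0x0F) * 4            # start of the TCP header
        if len(rec) < t + 14:
            continue
        src, dst = socket.inet_ntoa(rec[26:30]), socket.inet_ntoa(rec[30:34])
        sport, dport = struct.unpack_from("!HH", rec, t)
        yield src, sport, dst, dport, rec[t + 13]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a session land together."""
    return tuple(sorted(((src, sport), (dst, dport))))


def flows(data):
    """Group packets into sessions, preserving the order first seen."""
    seen = OrderedDict()
    for src, sport, dst, dport, flags in tcp_packets(data):
        seen.setdefault(flow_key(src, sport, dst, dport), []).append(flags)
    return seen


def midstream_flows(data):
    """Sessions whose first packet carries no SYN: the firewall never saw the handshake."""
    return [key for key, flag_list in flows(data).items() if not flag_list[0] & SYN]


def ports_used_with(data, host):
    """Every port on `host`'s side, whether it appears as source or destination."""
    ports = set()
    for src, sport, dst, dport, _ in tcp_packets(data):
        if src == host:
            ports.add(sport)
        if dst == host:
            ports.add(dport)
    return ports


IRC = "192.0.2.10"   # constructed stand-in for the IRC server address
SAMPLE = pcap_bytes([                                     # constructed capture
    tcp_frame("10.0.0.5", IRC, 51000, 6667, SYN),         # complete handshake
    tcp_frame(IRC, "10.0.0.5", 6667, 51000, SYN | ACK),
    tcp_frame("10.0.0.5", IRC, 51000, 6667, ACK),
    tcp_frame("10.0.0.7", IRC, 40001, 6667, ACK),         # session older than the rule
    tcp_frame(IRC, "10.0.0.7", 6667, 40001, ACK),
    tcp_frame("10.0.0.5", IRC, 51001, 7000, SYN),         # a second port in use
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("flows without a SYN:", midstream_flows(data))
    print("ports used with", IRC, ":", sorted(ports_used_with(data, IRC)))
```

Run it as "python3 flows.py irc.ext.cap" against a real capture (or with no argument to use the constructed sample). Running it on both the external and internal captures and comparing the port sets is the quickest way to confirm whether the server really is using something other than 6667; a non-empty midstream list on the internal side is consistent with clients being dumped when a new rule starts enforcing handshake order on sessions it never saw open.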
________________________________
From: sidewinder-bounces at adeptech.com [sidewinder-bounces at adeptech.com] On Behalf Of Sidewinder moderated discussion list [sidewinder at adeptech.com]
Sent: Monday, July 28, 2008 4:05 AM
To: sidewinder at adeptech.com
Subject: [Sidewinder] SYN/ACK issue
All,
We are in the process of implementing a G2 firewall and trying to figure out Proxy/IP Filter rule sets. We have most of it complete but are having an issue with one of the rules. We are trying to create an IP Filter rule that allows access from the internal burb to the external burb on tcp port 6667. This would seem to be a straightforward rule with no complication. However, when we implement this rule the logs explode with entries saying "Expected SYN, Got ACK". Once this rule is implemented everyone is dumped off the IRC server even though there is another IP filter rule that we placed below that one which allows for all TCP ports. I've tried researching this over the net and can't find anything. I would open up a case but figured I'd post here first to see if anyone may have experienced this before in the past or if it is a relatively easy fix that maybe I've overlooked.
Thanks,
Wayne
_______________________________________________
Sidewinder mailing list
Sidewinder at adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder