[FW-1] Firewall problem? Unable to contact some hosts
Looks like some hosts are not able to contact us back when establishing a TCP connection. Here is what I found using tcpdump (mail server, firewall):

With www.yahoo.com, port 80:

[root@lnxsrv0006 root]# tcpdump -i eth0 -n -p host www.yahoo.com
tcpdump: listening on eth0
12:29:24.044723 192.168.0.19.55224 > 64.58.76.223.http: S 33338910:33338910(0) win 5840 <mss 1460,sackOK,timestamp 156243036 0,nop,wscale 0> (DF) [tos 0x10]
12:29:24.054724 64.58.76.223.http > 192.168.0.19.55224: S:(0) ack 33338911 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp43036>
12:29:24.054724 192.168.0.19.55224 > 64.58.76.223.http: . ack 1 win 5840 <nop,nop,timestamp24949> (DF) [tos 0x10]
12:29:26.404952 192.168.0.19.55224 > 64.58.76.223.http: P 1:9(8) ack 1 win 5840 <nop,nop,timestamp24949> (DF) [tos 0x10]
12:29:26.414953 64.58.76.223.http > 192.168.0.19.55224: F 903:903(0) ack 9 win 33304 <nop,nop,timestamp43272> (DF)
12:29:26.414953 192.168.0.19.55224 > 64.58.76.223.http: . ack 1 win 5840 <nop,nop,timestamp24949> (DF) [tos 0x10]
12:29:26.414953 64.58.76.223.http > 192.168.0.19.55224: P 1:903(902) ack 9 win 33304 <nop,nop,timestamp43272> (DF)
12:29:26.414953 192.168.0.19.55224 > 64.58.76.223.http: . ack 904 win 7216 <nop,nop,timestamp25185> (DF) [tos 0x10]
12:29:26.424954 192.168.0.19.55224 > 64.58.76.223.http: F 9:9(0) ack 904 win 7216 <nop,nop,timestamp25185> (DF) [tos 0x10]
12:29:26.434955 64.58.76.223.http > 192.168.0.19.55224: . ack 10 win 33304 <nop,nop,timestamp43274> (DF)

[root@lnxsrv0006 mqueue]# telnet www.yahoo.com 80
Trying 64.58.76.223...
Connected to www.yahoo.com.
Escape character is '^]'.
asdasd
<html><head><title>Yahoo! - 501 Method Not Implemented</title></head><body><center><table width="94%" cellpadding=4 cellspacing=0><tr><td width="1%"><a href=http://www.yahoo.com><img src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif alt="Yahoo!" width=147 height=31 border=0></a></td><td align=right nowrap valign=bottom><font face=Arial size=-1><a href=http://help.yahoo.com>Help</a></font><hr size=1 noshade></td></tr></table><table width="94%" cellpadding=4 cellspacing=0><tr><td bgcolor=a0b8c8><font size=+1 face=Arial><b>Method Not Implemented</b></font></td></tr><tr><td> asdasd to /index.html not supported.<P> <p><center><hr size=1 noshade><font size=-2 face=Arial>Copyright © 2002 Yahoo! Inc. All rights reserved. <a href=http://privacy.yahoo.com>Privacy Policy</a> - <a href=http://docs.yahoo.com/info/terms/>Terms of Service</a></font></center></td></tr></table></center></body></html>
Connection closed by foreign host.

With carrotcapital.com, port 80:

[root@lnxsrv0006 root]# tcpdump -i eth0 -n -p host www.carrotcapital.com
tcpdump: listening on eth0
12:31:43.748319 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257005 0,nop,wscale 0> (DF) [tos 0x10]
12:31:46.748611 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257305 0,nop,wscale 0> (DF) [tos 0x10]
12:31:52.749195 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156257905 0,nop,wscale 0> (DF) [tos 0x10]
12:32:04.750363 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156259105 0,nop,wscale 0> (DF) [tos 0x10]
12:32:28.752699 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156261505 0,nop,wscale 0> (DF) [tos 0x10]
12:33:16.757371 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 <mss 1460,sackOK,timestamp 156266305 0,nop,wscale 0> (DF) [tos 0x10]

[root@lnxsrv0006 mqueue]# telnet www.carrotcapital.com 80
Trying 161.58.168.104...
telnet: connect to address 161.58.168.104: Connection timed out

Packet trace from the firewall:

tcpdump: listening on eth-s1p1c0
17:54:17.834569 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156752368[|tcp]> (DF) [tos 0x10]
17:54:20.833700 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156752668[|tcp]> (DF) [tos 0x10]
17:54:26.833789 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156753268[|tcp]> (DF) [tos 0x10]
17:54:38.833929 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156754468[|tcp]> (DF) [tos 0x10]
17:55:02.834415 63.211.90.117.55305 > 161.58.168.104.80: S:(0) win 5840 <mss 1460,sackOK,timestamp 156756868[|tcp]> (DF) [tos 0x10]

Looks like the 3-way handshake is not being completed for some addresses; right now I'm not able to confirm if the problem is ours (firewall or ISP). The Nokia log tool doesn't show anything weird and we don't have a rule that blocks some domains and allows others (actually we allow our machines to talk with the outside world without a problem).

Has anyone faced this problem before? What else can I do to be sure that it is the firewall and not something else that is giving us problems?

Thanks in advance.

JV

=====
José Vicente Nuñez Zuleta ([email protected])
Newbreak System Administrator (http://www.newbreak.com)
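An added example, not part of the original post: a small Python script that reads tcpdump text output in the format shown above, groups SYNs by client and server, and reports whether a SYN-ACK was seen and at what intervals the SYN was retransmitted. The sample input is constructed from the post's timestamps and endpoints with the TCP options trimmed; the function name and report fields are this example's own.

```python
import re

# Constructed sample in the tcpdump text format shown in the post
# (timestamps and endpoints follow the post; TCP options trimmed).
SAMPLE = """\
12:29:24.044723 192.168.0.19.55224 > 64.58.76.223.http: S 33338910:33338910(0) win 5840 (DF)
12:29:24.054724 64.58.76.223.http > 192.168.0.19.55224: S 1:1(0) ack 33338911 win 65535
12:29:24.054724 192.168.0.19.55224 > 64.58.76.223.http: . ack 1 win 5840 (DF)
12:31:43.748319 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 (DF)
12:31:46.748611 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 (DF)
12:31:52.749195 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 (DF)
12:32:04.750363 192.168.0.19.55228 > 161.58.168.104.http: S 180388288:180388288(0) win 5840 (DF)
"""

# time, source, destination, TCP flags, remainder of the line
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+) > (\S+?): ([SFPRWE.]+)(.*)$")


def summarize_handshakes(text):
    """Group SYNs by (client, server) and note whether a SYN-ACK came back."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or "S" not in m.group(6):
            continue  # not a packet line, or not part of a handshake
        hh, mm, ss, src, dst, _flags, rest = m.groups()
        stamp = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if " ack " in rest:
            # SYN-ACK travels server -> client, so the flow key is reversed
            if (dst, src) in flows:
                flows[(dst, src)]["answered"] = True
        else:
            flow = flows.setdefault((src, dst), {"times": [], "answered": False})
            flow["times"].append(stamp)
    report = {}
    for key, flow in flows.items():
        t = flow["times"]
        report[key] = {
            "syns": len(t),
            "answered": flow["answered"],
            # gaps of 3, 6, 12... seconds are the client's retransmit backoff
            "gaps": [round(b - a) for a, b in zip(t, t[1:])],
        }
    return report


if __name__ == "__main__":
    for (client, server), info in summarize_handshakes(SAMPLE).items():
        print(client, "->", server, info)
```

Running the same summary over captures taken on each interface along the path shows the last point at which the SYN is still seen and whether any SYN-ACK returns there.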