Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 10198 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Spam Resolver + Spoof protection

Jim Tagert
Here's the deal...

With spoof protection on "strict" I'm getting thousands of Ack Psh Fin packets logged each day. With spoof protection on "normal" I get less but still too many. The culprit is:

64.191.223.35 or c2resolver1.ctmail.com or "full request (post)" = http://resolver1.ast.ctmail.com/spamresolverNG/spamresolver.dll?DoNewRequest

Other than turning off the spoof protection entirely (Which I did. It worked.) or turning the email protection off (Which I did. It worked.) does anyone have an idea that might reduce the number of log entries for what I think is legitimate traffic?

Thanks.


This thread was automatically locked due to age.
  • 0
    Hi,

    UTM version # please?

    I've seen this myself in 9.106; I don't know if Sophos is looking into it.

    Barry
  • 0 in reply to BarryG
    Firmware Version is 9.109-7-1
  • 0
    Hi, since no one else has responded, I'd recommend opening a support case if you have a business license.

    Barry
  • 0
    Jim,

    What happens with 'Spoof protection: Normal' and 'Use strict TCP session handling' not checked?

    I'd also try #1 in Rulz.  Depending on what one of the lines from the Firewall log says, the right solution might be to drop the traffic silently with a new Firewall rule, or maybe slightly adjust one of the timeouts.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Jim,

    What happens with 'Spoof protection: Normal' and 'Use strict TCP session handling' not checked?

    I'd also try #1 in Rulz.  Depending on what one of the lines from the Firewall log says, the right solution might be to drop the traffic silently with a new Firewall rule, or maybe slightly adjust one of the timeouts.

    Cheers - Bob


    I'll let you know in a bit...
  • 0 in reply to Jim Tagert
    "Spoof protection: Normal" and "Use strict TCP session handling" not checked  = Zero Logged packets

    "Spoof protection: Strict" and "Use strict TCP session handling" not checked  = Zero Logged

    "Spoof protection: Strict" and "Use strict TCP session handling" checked  = Many Logged Packets

    So "Use strict TCP session handling" was the setting and not "Spoof protection: Strict"...

    From the manual: "Use strict TCP session handling: By default, the system can "pick up" existing TCP connections that are not currently handled in the connection tracking table due to a network facility reset. This means that interactive sessions such as SSHSecure Shell and Telnet will not quit when a network interface is temporarily unavailable. Once this option is enabled, a new three-way handshake will always be necessary to re-establish such sessions. It is generally recommended to leave this option turned off."

    Why doesn't the UTM have a Connection Tracking table (url or ip address specific) to track the internal spam resolver(s)? 

    What is the intended purpose of "Use strict TCP session handling"? Under what what circumstances should a user turn on the feature?

    A FW Rule doesn't work. Apparently, the "Use strict TCP session handling" evaluation takes place before the packet filter rules are referenced.
  • 0
    Apparently, the "Use strict TCP session handling" evaluation takes place before the packet filter rules are referenced.

    I would have to see a line or two from the Firewall log file.  Maybe the traffic selector in the Firewall rule just needs to have a different destination.

    Google site:astaro.org "Use strict TCP session handling".

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    We should look at a picture of the rule and a line from the firewall log demonstrating that it was not applied.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Two rules both at top most position

    1) 64.191.223.35 (c2resolver1.ctmail.com) --> any --> any

    2) any --> any --> 64.191.223.35 (c2resolver1.ctmail.com)

    Snap shot of rules enclosed.

    Definition bound to "any"
    Action set to "Drop".
    Log Traffic checked.

    ***.***.***.*** is the gateway ip address.
    XX:XX:XX:XX:XX:XX is the MAC address of the gateway card.

    With "Use strict TCP session handling" checked log is:

    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK FIN" 
    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN" 
    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN" 

    As you can see, the traffic is from the UTM and its own "strict" evaluator doesn't like its own traffic.

    Can you explain it?
Unfiltered HTML