Legitimate traffic rejected



  • Hi,

    I have a firewall rule that allows traffic from any hosts on TCP port 1352 (Domino replication). The rule mostly works: when I enable logging, I can see packets being accepted. However, some packets are rejected: they are TCP:S and TCP:A packets. This is not only cosmetic, as my Domino admin reports that some replication connections 'time out'.

    I had the problem with version 1.2.3 and I still have the problem with version 2.0.

    Can someone explain why only some packets are rejected and what setting(s) I could tune to avoid this?

    Thanks.



  • I think this has something to do with the way a "stateful firewall" works: it only allows traffic for a legitimate connection/state. And if there is no state (because of a long timeout), then the firewall drops these packets.

    Perhaps you could create a single firewall rule for TCP port 1352, scroll down to "State Type" and select "none" there. This rule should be at the top of the other rules. Perhaps this will help, but I am not too sure whether "State Type" will fix this.



  • You could also try setting System -> Advanced -> Firewall/NAT -> Firewall Optimization Options to "conservative" so that states do not time out as quickly.



  • @podilarius :

    I'm already running in conservative mode.

    @Nachtfalke :

    I tried setting 'State Type' to 'none' but it generates a lot of rejected TCP:SA packets.



  • Hmm - as I said I am not sure if this will help. Perhaps you could play with the other state types for testing purposes.



  • @Nachtfalke:

    Hmm - as I said I am not sure if this will help. Perhaps you could play with the other state types for testing purposes.

    I had an issue with ICA 1494 and "conservative" did nothing, so I used "High Latency Link" and that did the trick, I think.



  • What type of internet connection are you on?



  • This is internal traffic: my remote site is connected with a 100 Mbps link.



  • Does the Domino replication send keep-alive packets? If not, can it be configured to do so? Otherwise you will have to use "high latency", which is the one with the longest state timeout … IIRC.
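The stateful-firewall explanation given above, the "State Type: none" experiment that produced rejected TCP:SA packets, and the suggestion to lengthen the state timeout all hinge on one mechanism: a packet is accepted by the state table only while its connection has a live entry, and an idle entry is purged after the established timeout. The following toy model is an added example, not code from the thread or from pfSense/pf; the timeout values, host names and port numbers in it are assumed for illustration and are not pfSense's real figures. It reproduces the mid-stream TCP:A block after an idle gap and the TCP:SA block under a stateless rule; a blocked SYN or the "bad hdr length" packet shown later in the thread is outside what it models.

```python
"""Toy model of pf-style state tracking.

Added example, not code from the thread or from pfSense.  It shows why a
mid-stream packet can be blocked while a fresh SYN on the same rule passes:
under "keep state" a packet is accepted by the state table only while its
connection has a live entry, and an entry idle longer than the established
timeout is purged.  Timeout values below are assumed for illustration, not
pfSense's real figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds on a constructed timeline
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S", "SA", "A", "PA", mirroring the TCP:S / TCP:A labels


class StatefulFilter:
    """One 'pass in proto tcp to port <port>' rule plus a state table.

    keep_state=False models pfSense's "State Type: none": matching packets
    pass, but no state is created, so reply packets arriving in the other
    direction must match a rule of their own.
    """

    def __init__(self, port, established_timeout, keep_state=True):
        self.port = port
        self.timeout = established_timeout
        self.keep_state = keep_state
        self.states = {}  # connection key -> time of last packet seen

    @staticmethod
    def _key(pkt):
        # Direction-agnostic key so replies match the state the SYN created.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def _expire(self, now):
        for k in [k for k, last in self.states.items() if now - last > self.timeout]:
            del self.states[k]

    def filter(self, pkt):
        """Return 'pass' or 'block' for one packet."""
        self._expire(pkt.t)
        key = self._key(pkt)
        if key in self.states:          # state table is consulted first
            self.states[key] = pkt.t    # refresh the idle timer
            return "pass"
        if pkt.dport != self.port:
            return "block"              # default deny: no rule for this port
        if not self.keep_state:
            return "pass"               # stateless rule never creates state
        if pkt.flags == "S":
            self.states[key] = pkt.t    # new connection: create state
            return "pass"
        return "block"                  # mid-stream packet with no state


# Constructed timeline: handshake, some data, a long idle gap, then the client
# sends a mid-stream ACK and, after getting no answer, opens a new connection.
TRAFFIC = [
    Packet(0.0, "mypc", 50001, "domino", 1352, "S"),
    Packet(0.1, "domino", 1352, "mypc", 50001, "SA"),
    Packet(0.2, "mypc", 50001, "domino", 1352, "A"),
    Packet(0.5, "mypc", 50001, "domino", 1352, "PA"),
    Packet(5000.0, "mypc", 50001, "domino", 1352, "A"),
    Packet(5000.1, "mypc", 50002, "domino", 1352, "S"),
]


def blocked(established_timeout, keep_state=True, traffic=TRAFFIC):
    """Run the timeline through the filter; return (time, flags) of blocked packets."""
    fw = StatefulFilter(1352, established_timeout, keep_state)
    return [(p.t, p.flags) for p in traffic if fw.filter(p) == "block"]


if __name__ == "__main__":
    print("short timeout, keep state :", blocked(3600))
    print("long timeout, keep state  :", blocked(86400))
    print("State Type none           :", blocked(3600, keep_state=False))
```

With the short (assumed) timeout the idle gap purges the state and the mid-stream ACK is blocked while the retry SYN passes, which is the pattern of "some packets rejected, connections time out"; with a timeout longer than the gap nothing is blocked, which is what raising the optimization level is meant to achieve; with the stateless rule the client side passes but the server's SYN/ACK arriving on the other interface has no state and no rule, which matches the rejected TCP:SA packets reported above.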



  • Here's the output for a rejected packet from the console:

    00:00:01.005635 rule 198/0(match): block in on bge0: mypc.internal.net.tpdu > dominoserver.internal.net.lotusnote:  tcp 21 [bad hdr length 0 - too short, < 20]
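The console line quoted above is tcpdump's rendering of a pflog record: the matching rule number, the action and direction, the interface, the endpoints, and then the packet summary, which here is not a normal "Flags [...]" line but a "bad hdr length" note. When only some packets on a rule are rejected, it helps to sort the blocks by rule, interface and flag combination and to keep the malformed ones apart. The parser below is an added example, not code from the thread, pfSense or tcpdump; the regex is written against the shape of the quoted line, and the sample log is constructed (only the "rule 198/0" line is the one from the post, the other rule numbers, hosts and ports are made up).

```python
"""Parse tcpdump-on-pflog lines and summarise blocked packets.

Added example, not code from the thread or from pfSense.  The regex follows
the shape of the console line quoted in the thread; everything in SAMPLE_LOG
other than the 'rule 198/0' line is constructed for illustration.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<delta>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<why>[^)]*)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>[^:]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([A-Z.]+)\]")
BAD_HDR_RE = re.compile(r"\[bad hdr length")

# Constructed sample; host names, ports and rule 12 are made up.  The first
# line mimics tcpdump's start-up banner and must be skipped by the parser.
SAMPLE_LOG = """\
listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length 262144 bytes
00:00:00.000000 rule 12/0(match): pass in on bge0: mypc.internal.net.50001 > dominoserver.internal.net.lotusnote: Flags [S], seq 1, win 65535, length 0
00:00:00.000120 rule 12/0(match): pass in on bge0: mypc.internal.net.50001 > dominoserver.internal.net.lotusnote: Flags [.], ack 1, win 65535, length 0
00:00:01.005635 rule 198/0(match): block in on bge0: mypc.internal.net.tpdu > dominoserver.internal.net.lotusnote:  tcp 21 [bad hdr length 0 - too short, < 20]
00:05:12.110000 rule 198/0(match): block in on bge0: mypc.internal.net.50001 > dominoserver.internal.net.lotusnote: Flags [.], ack 4321, win 65535, length 0
00:00:00.000400 rule 198/0(match): block in on bge0: mypc.internal.net.50007 > dominoserver.internal.net.lotusnote: Flags [S], seq 9, win 65535, length 0
00:00:00.000300 rule 198/0(match): block in on bge1: dominoserver.internal.net.lotusnote > mypc.internal.net.50007: Flags [S.], seq 1, ack 10, win 65535, length 0
"""


def split_endpoint(ep):
    """'host.domain.port' -> ('host.domain', 'port'); port may be a service name."""
    host, _, port = ep.rpartition(".")
    return host, port


def parse_line(line):
    """Return a dict for one pflog line, or None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_host"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_host"], rec["dst_port"] = split_endpoint(rec["dst"])
    fm = FLAGS_RE.search(rec["rest"])
    # tcpdump writes ACK as '.', the pfSense log view writes 'A' (TCP:SA, TCP:A).
    rec["flags"] = fm.group(1).replace(".", "A") if fm else None
    rec["malformed"] = bool(BAD_HDR_RE.search(rec["rest"]))
    return rec


def summarise_blocks(text):
    """Count blocked packets by (rule number, interface, direction, label).

    Malformed packets get the label 'bad-hdr' so they are not mixed up with
    the flag combinations that point at state-table problems.
    """
    counts = Counter()
    for rec in map(parse_line, text.splitlines()):
        if rec and rec["action"] == "block":
            label = "bad-hdr" if rec["malformed"] else "TCP:" + (rec["flags"] or "?")
            counts[(int(rec["rule"]), rec["iface"], rec["dir"], label)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarise_blocks(SAMPLE_LOG).items()):
        print(n, key)
```

Run it against a capture taken with tcpdump on the pflog interface and compare the labels: mid-stream TCP:A blocks with large time deltas point at expired state, TCP:SA blocks on the return interface point at a stateless rule, and "bad-hdr" lines like the one quoted are a different problem altogether, since a TCP header length of 0 is not something a state timeout can produce.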


Locked