Debugging an SMTP connection through a NetScreen Firewall

After configuring a Juniper Networks NetScreen firewall to allow email to be sent to accounts on a Simple Mail Transfer Protocol (SMTP) server on the trusted side of the firewall, I attempted to connect to the SMTP port, port 25, on the email server from a system outside of the firewall with telnet 25, but saw the message below, instead of the Postfix banner from the email server:
$ telnet 25
telnet: connect to address No route to host

You can debug flows through a NetScreen firewall from its command line interface (CLI), which you reach over a Secure Shell (SSH) connection, by setting a flow filter so that only the traffic of interest is captured and then using the debug command. First use the get ffilter command to see whether any filters are already in place; you may need to delete them. Then use the set ffilter command to set a filter that limits the capture to the particular network port of interest, clear the debug buffer with the clear db command, and turn debugging on with debug flow basic.

netscreen-> get ffilter
netscreen-> set ffilter dst-port 25
filter added
netscreen-> clear db
netscreen-> debug flow basic

After I had issued the above commands, I tried another telnet connection to port 25 on the destination email server. Then at the command prompt on the firewall, I examined the debug buffer. The options available for the get db command are shown below:

netscreen-> get db ?
info                 show debug buffer info
mem                  show debug buffer memory content
stream               show debug buffer stream

To view the captured data, I issued the get db str command and saw the following:

netscreen-> get db str
****** 72192.0: <Untrust/untrust> packet received [60]******
  ipid = 24460(5f8c), @000ca84e
  packet passed sanity check.
  chose interface untrust as incoming nat if.
  search route to (> in vr trust-vr for vsd-0/flag-0/ifp-null
  route>, to trust
  routed (, from untrust (untrust in 0) to trust 
  policy search from zone 1-> zone 2
  Permitted by policy 18
  No src xlate   choose interface trust as outgoing phy if
  no loop on ifp trust.
  session application type 7, name SMTP, timeout 1800sec
  service lookup identified service 0.
  install vector flow_ttl_vector
  install vector flow_tcp_syn_mss_vector
  install vector flow_tcp_proxy_vector
  install vector flow_tcp_fin_vector
  install vector flow_l2prepare_xlate_vector
  install vector flow_frag_list_vector
  install vector flow_fragging_vector
  install vector flow_shape_vector
  install vector flow_send_vector
  install vector flow_shape_npak_vector
  install vector flow_send_npak_vector
  install vector NULL
  create new vector list 13-1645c80.
  Session (id:1512) created for first pak 13
  route to
  arp entry found for
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 1512
  post addr xlation:>
  packet send out to 4c72b99cb83c through trust

That showed me that the traffic was reaching the firewall from the external system and was being passed through the firewall to the destination server, so the problem was most likely on the destination email server itself, which runs host-based firewall software. The policy permitting the traffic through to the email server is policy id 18, as seen in the output above. You can get the details of a policy with the command get policy id num, where num is the applicable policy id, e.g., get policy id 18.
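Reading a few screens of get db str output by eye is fine for one connection, but the same questions (which zones, which policy, permitted or denied, did the packet go out an egress interface) come up for every record in a busy buffer. The following Python is an added example, not code from the original post or from Juniper, that parses a debug flow basic buffer into per-packet records and prints a one-line verdict for each. The sample buffer is a constructed, trimmed copy of the trace above plus a made-up second record showing a denied flow; the "Denied by policy" line format and the policy number 999 in it are assumptions, since the page only shows the "Permitted by policy" form.

```python
import re

# Constructed sample: trimmed copy of the permitted flow above plus a made-up
# denied record (the "Denied by policy" wording and policy 999 are assumed).
SAMPLE_TRACE = """\
****** 72192.0: <Untrust/untrust> packet received [60]******
  chose interface untrust as incoming nat if.
  policy search from zone 1-> zone 2
  Permitted by policy 18
  No src xlate   choose interface trust as outgoing phy if
  session application type 7, name SMTP, timeout 1800sec
  Session (id:1512) created for first pak 13
  packet send out to 4c72b99cb83c through trust
****** 72193.0: <Untrust/untrust> packet received [60]******
  chose interface untrust as incoming nat if.
  policy search from zone 1-> zone 2
  Denied by policy 999
"""

# One regex per fact worth pulling out of each per-packet record.
FIELDS = {
    "ingress_if":  re.compile(r"chose interface (\S+) as incoming"),
    "src_zone":    re.compile(r"policy search from zone (\d+)->"),
    "dst_zone":    re.compile(r"policy search from zone \d+-> zone (\d+)"),
    "verdict":     re.compile(r"\b(Permitted|Denied) by policy"),
    "policy_id":   re.compile(r"by policy (\d+)"),
    "application": re.compile(r"session application type \d+, name (\S+),"),
    "session_id":  re.compile(r"Session \(id:(\d+)\) created"),
    "egress_if":   re.compile(r"packet send out to \S+ through (\S+)"),
}

def parse_flow_trace(text):
    """Split a get db str buffer on its '******' record headers; one dict per packet."""
    records = []
    for chunk in re.split(r"^\*{6} ", text, flags=re.M):
        if "packet received" not in chunk:
            continue  # leading empty chunk or unrelated buffer text
        # Missing facts (e.g. no egress line on a denied packet) stay None.
        records.append({name: (m.group(1) if (m := rx.search(chunk)) else None)
                        for name, rx in FIELDS.items()})
    return records

def summarize(rec):
    """One-line verdict: a permitted record with an egress interface left the box."""
    head = f"zone {rec['src_zone']}->{rec['dst_zone']} via {rec['ingress_if']}: "
    if rec["verdict"] != "Permitted":
        return head + f"denied by policy {rec['policy_id']}, not forwarded"
    return head + (f"permitted by policy {rec['policy_id']} ({rec['application']}), "
                   f"session {rec['session_id']} out {rec['egress_if']}")

for record in parse_flow_trace(SAMPLE_TRACE):
    print(summarize(record))
```

When every record for the filtered port reads "permitted ... out trust", as in the post, the firewall is out of the picture and the next place to look is the destination host.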