telnet 192.168.0.7 25, but saw the message below, instead of the Postfix banner from the email server:
$ telnet 192.168.0.7 25
Trying 192.168.0.7...
telnet: connect to address 192.168.0.7: No route to host
$
You can debug flows through a NetScreen firewall via its command line interface (CLI), which you can reach over a Secure Shell (SSH) connection to the system, by setting a filter that restricts the debug output to only the traffic of interest and then using the debug command.
Use the get ffilter command to see whether any filters are already in place; you may need to delete them. Then use the set ffilter command to set a filter that limits debugging to the particular network port of interest, clear the debug buffer with the clear db command, and turn debugging on with debug flow basic.
netscreen-> get ffilter
netscreen-> set ffilter dst-port 25
filter added
netscreen-> clear db
netscreen-> debug flow basic
netscreen->
After I had issued the above commands, I tried another telnet connection to port 25 on the destination email server. Then at the command prompt on the firewall, I examined the debug buffer. The options available for the get db command are shown below:
netscreen-> get db ?
info      show debug buffer info
mem       show debug buffer memory content
stream    show debug buffer stream
netscreen->
To view the captured data, I issued the get db str command and saw the following:
netscreen-> get db str
****** 72192.0: <Untrust/untrust> packet received [60]******
  ipid = 24460(5f8c), @000ca84e
  packet passed sanity check.
  untrust:192.168.1.5/45743->192.168.0.7/25,6<Root>
  chose interface untrust as incoming nat if.
  search route to (192.168.1.5->192.168.0.7) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 192.168.0.7->0.0.0.0, to trust
  routed (192.168.0.7, 0.0.0.0) from untrust (untrust in 0) to trust
  policy search from zone 1-> zone 2
  Permitted by policy 18
  No src xlate choose interface trust as outgoing phy if
  no loop on ifp trust.
  session application type 7, name SMTP, timeout 1800sec
  service lookup identified service 0.
  install vector flow_ttl_vector
  install vector flow_tcp_syn_mss_vector
  install vector flow_tcp_proxy_vector
  install vector flow_tcp_fin_vector
  install vector flow_l2prepare_xlate_vector
  install vector flow_frag_list_vector
  install vector flow_fragging_vector
  install vector flow_shape_vector
  install vector flow_send_vector
  install vector flow_shape_npak_vector
  install vector flow_send_npak_vector
  install vector NULL
  create new vector list 13-1645c80.
  Session (id:1512) created for first pak 13
  route to 192.168.0.7
  arp entry found for 192.168.0.7
  nsp2 wing prepared, ready
  cache mac in the session
  flow got session.
  flow session id 1512
  post addr xlation: 192.168.1.5->192.168.0.7.
  packet send out to 4c72b99cb83c through trust
That showed me that the traffic was reaching the firewall from the external system and was being passed through it to the destination server, which indicated to me that the problem was likely on the destination email server itself, which runs host-based firewall software. The policy permitting the traffic to pass through to the email server is policy id 18, as seen in the above output. You can get the details for a policy with the command get policy id num, where num is the applicable policy id, e.g., get policy id 18.
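As an added example (not code from the original post), the following Python parser reduces a debug flow basic trace like the one above to the few fields that settle the question the post works through by hand: the flow line, the policy verdict, the session id, whether NAT was applied, and the egress interface. The sample buffer is constructed from lines of the page's own output; the "Denied by policy" wording for the drop case is an assumption, since only the permit line appears on the page.

```python
import re
# Constructed sample in the format of the page's "get db str" output,
# trimmed to the lines the parser below reads.
SAMPLE_DEBUG = """\
****** 72192.0: <Untrust/untrust> packet received [60]******
untrust:192.168.1.5/45743->192.168.0.7/25,6<Root>
Permitted by policy 18
No src xlate choose interface trust as outgoing phy if
Session (id:1512) created for first pak 13
post addr xlation: 192.168.1.5->192.168.0.7.
packet send out to 4c72b99cb83c through trust
"""
FLOW = re.compile(r"^(\w+):([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)")
# "Denied" wording is assumed; only the permit line appears on the page.
POLICY = re.compile(r"^(Permitted|Denied) by policy (\d+)")
SESSION = re.compile(r"^Session \(id:(\d+)\) created")
XLATE = re.compile(r"^post addr xlation: ([\d.]+)->([\d.]+)\.")
EGRESS = re.compile(r"^packet send out to \S+ through (\w+)")

def parse_flow(debug_text):
    # Reduce one "debug flow basic" trace to the fields that answer the
    # post's question: did the packet arrive, and was it forwarded?
    r = dict(ingress_zone=None, src=None, dst=None, verdict=None,
             policy_id=None, session_id=None, egress_if=None, nat_applied=None)
    pre_xlate = None
    for line in debug_text.splitlines():
        line = line.strip()
        if m := FLOW.match(line):
            r.update(ingress_zone=m[1], src=f"{m[2]}:{m[3]}", dst=f"{m[4]}:{m[5]}")
            pre_xlate = (m[2], m[4])
        elif m := POLICY.match(line):
            r.update(verdict=m[1].lower(), policy_id=int(m[2]))
        elif m := SESSION.match(line):
            r["session_id"] = int(m[1])
        elif m := XLATE.match(line):
            # Post-translation addresses differ from the flow line only if NAT ran.
            r["nat_applied"] = (m[1], m[2]) != pre_xlate
        elif m := EGRESS.match(line):
            r["egress_if"] = m[1]
    return r

def summarize(r):
    # Turn the parsed trace into the conclusion the post draws by hand.
    if r["src"] is None:
        return "no matching packet seen: traffic is not reaching the firewall"
    if r["verdict"] == "denied":
        return f"dropped by policy {r['policy_id']}: fix the firewall policy"
    if r["verdict"] == "permitted" and r["egress_if"]:
        return (f"forwarded out {r['egress_if']} under policy {r['policy_id']}"
                f" (session {r['session_id']}): look downstream, e.g. host firewall")
    return "packet seen but no forwarding decision logged"
```

Paste the full get db str buffer into parse_flow to get the same verdict for a real capture; indented lines are stripped before matching.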