#1

It is working just the way it is supposed to work.

"Connection Closed" means that it connected normally and properly and then closed normally and properly. The timeout means it was never allowed to connect in the first place, ...which is what is supposed to happen with a Deny Rule. When something is denied the Client is supposed to remain "blind & stupid", ...it is not supposed to know it is being denied, ...it is supposed to just think the connection doesn't exist, ...hence it keeps trying until it times out.

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------

"Moshe Rosenberg" <(E-Mail Removed)> wrote in message news:FADFC149-D045-4620-A3C6-(E-Mail Removed)...
> I need to block port 25 on Windows 2000, but when I do so via a deny rule in
> RRAS what happens is that clients trying to connect do not get a TCP RST
> reply, so the connection just times out. On the other hand, if port 25 IS
> open but there is just no listener on that port, the reply will be
> "Connection Closed" with a TCP RST reply.
>
> Is there any way to change the behaviour for this rule so that it will close
> the connection via a TCP RST reply? Any registry changes?
>
> Phillip Windell
#2

"Moshe Rosenberg" <(E-Mail Removed)> wrote in message news:8C2F3C60-F58E-4D90-BEE9-(E-Mail Removed)...
> Thank you. Very well articulated.
>
> We had a solution that we implemented that works for us: We NATed port 25 to
> a port that will never be used.

Why? There is no point in that.

You said originally that you wanted to block port 25 on a server, ...if there is no SMTP service running on the server, then there simply is no port 25 to begin with, ...so there is nothing to block. If there is an SMTP service running on the server for a particular reason and only certain things are allowed to connect to it, ...then that is controlled within the SMTP Service itself.

I think you are trying to solve problems that don't exist.

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------
#3

Okay, so here is the full picture so you can understand where I am coming from:

We implemented this concept called "Nolisting" to prevent spam. Check this out: http://www.joreybump.com/code/howto/nolisting.html

It has worked wonders, and has blocked about 90% of spam directed to our network, with no false positives yet. One of the suggestions there to improve email delivery times is to make sure that the primary MX server responds back "connection refused", and not "timed out", since otherwise email will be delayed 20 seconds.

What I was struggling with is this: let's assume that on that primary MX server, for some reason, SMTP gets turned on by mistake on port 25; then we will have a crisis that all email will bounce. But blocking port 25 does not refuse the connection. Allowing it to be open does, but risks SMTP being turned on. I was in a quandary.

As I mentioned, I resolved this by redirecting incoming port 25 via NAT to a port that does not exist. So even if SMTP gets turned on, it will listen on its local port 25, which will do nothing...

I hope this makes sense to you. I would love to hear your comments.

"Phillip Windell" wrote:
> "Moshe Rosenberg" <(E-Mail Removed)> wrote in message
> news:8C2F3C60-F58E-4D90-BEE9-(E-Mail Removed)...
> > Thank you. Very well articulated.
> >
> > We had a solution that we implemented that works for us: We NATed port 25 to
> > a port that will never be used.
>
> Why? There is no point in that.
> You said originally that you wanted to block port 25 on a server, ...if there is
> no SMTP service running on the server, then there simply is no port 25 to begin
> with, ...so there is nothing to block. If there is an SMTP service running on
> the server for a particular reason and only certain things are allowed to
> connect to it, ...then that is controlled within the SMTP Service itself.
>
> I think you are trying to solve problems that don't exist.
>
> -- 
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> The views expressed are my own (as annoying as they are), and not those of my
> employer or anyone else associated with me.
> -----------------------------------------------------
#4

"Moshe Rosenberg" <(E-Mail Removed)> wrote in message news:8D4E074A-8634-4024-B390-(E-Mail Removed)...
> What I was struggling with is that let's assume that on that primary MX
> server for some reason SMTP gets turned on by mistake on port 25, then we will
> have a crisis that all email will bounce. But blocking port 25 does not
> refuse the connection. Allowing it to be open does, but risks SMTP being
> turned on.

You don't simply "turn on" SMTP, it is a specific service with IIS that has to be installed. SMTP can't be turned on if it doesn't exist on the box to start with, so just don't install it on the machine that isn't supposed to actually accept SMTP.

So the first MX record points to a host record of a machine that does not have SMTP installed. The second MX record points to a machine that actually has mail services installed and functioning. Maybe that is what you already did, ...I don't know.

We used to do this. The first MX was denied by a firewall. It "mostly" worked, but not all the legitimate sending mail hosts responded to it properly. We dropped the whole idea. I consider it to be just a "hack" and am not interested in it. The only reason it works is because the SPAM-generating applications don't follow RFC SMTP standards, ...it won't take them long to figure this out and then they will adjust those apps to roll over to the secondary MX and it will all be for nothing.

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------
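As an added example (not code from this thread, nor from the nolisting page Moshe links), the following Python probe makes the distinction from post #1 observable from the client side: a deny rule that silently drops the SYN leaves the connecting client waiting until its timer expires ("timeout"), while a port with no listener answers with a TCP RST and the client sees "refused" immediately. It then applies that probe to the MX layout discussed in #3 and #4, trying the records lowest-preference first the way a sending MTA does. The MX list and the loopback ports are constructed for the demo; a real check would feed it the hosts from a DNS MX lookup, and the "timeout" outcome only shows up against a host that really drops packets, so it is not exercised on loopback.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and report what the client observes.

    Returns one of:
      "open"        - handshake completed (something is listening)
      "refused"     - a TCP RST came back (port closed, nothing listening)
      "timeout"     - no answer at all within `timeout` seconds (SYN dropped,
                      e.g. by a firewall deny rule)
      "unreachable" - no route / ICMP unreachable
      "error"       - any other socket error
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:          # must precede OSError: it is a subclass
        return "timeout"
    except ConnectionRefusedError:  # ECONNREFUSED, i.e. a RST was received
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()


def check_nolisting(mx_records, timeout=3.0):
    """Probe (preference, host, port) records in MTA order (lowest preference
    first). The nolisting layout wants the primary to be "refused" (a fast
    RST) and some later MX to be "open". A primary that merely times out
    costs every legitimate sender the whole connect timeout before it moves
    on; a primary that is "open" is the mistake Moshe worried about (SMTP
    accidentally listening on the host that is supposed to refuse).
    """
    ordered = sorted(mx_records, key=lambda rec: rec[0])
    results = [(pref, host, port, probe_tcp(host, port, timeout))
               for pref, host, port in ordered]
    primary = results[0][3]
    backups = [r[3] for r in results[1:]]
    if primary == "refused" and "open" in backups:
        verdict = "ok"
    elif primary == "timeout":
        verdict = "primary-timeout"
    elif primary == "open":
        verdict = "primary-open"
    else:
        verdict = "no-working-backup"
    return {"results": results, "verdict": verdict}


def local_listener():
    """Bind a throwaway listener on 127.0.0.1 and return (socket, port).
    The kernel completes the handshake on a listening socket, so no
    accept() loop is needed for probe_tcp to see "open"."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Grab an ephemeral port and release it so nothing is listening there;
    a connect to it gets a RST from the loopback stack."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = local_listener()
    # Constructed MX list (hypothetical): primary on a closed port so it
    # refuses, backup on the live listener so it accepts.
    mx = [(10, "127.0.0.1", closed_local_port()),
          (20, "127.0.0.1", open_port)]
    report = check_nolisting(mx, timeout=2.0)
    for pref, host, port, state in report["results"]:
        print(f"MX {pref:>3} {host}:{port:<5} -> {state}")
    print("verdict:", report["verdict"])
    srv.close()
```

A primary that the probe reports as "timeout" is exactly the RRAS deny symptom from post #1, and the delay Moshe cites is the sending MTA sitting in that state before it tries the next MX. Note that a client-side probe cannot tell a firewall that answers with a RST apart from a genuinely closed port; both show up as "refused", which is fine here because the sending MTA cannot tell them apart either.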
Tags: blocking, closed, connection, port, timed