Watchguard vs. Tiscali and POP3 Messages with missing dates

  • 25/09/2011 08:00:00

A couple of problems I've been dealing with over time that sometimes come up. An Italian service provider (tiscali.it) website refreshing or webmail not authenticating the user, or a POP3 client that does not show dates on incoming messages when using -

From time to time, clients experience strange behaviors when they browse the Internet or use their computers. Typically this is due to some restriction, in particular when using a higher-level firewall to control the traffic.

These are a couple of things that I have dealt with lately here while working on Watchguard Firebox and XTM firewalls.

While accessing an Italian website (Tiscali.it) the home page kept refreshing, making it unusable. After a short analysis I found out a header being stripped was the cause. Adding the following rule solved the problem within the HTTP Proxy policy:

cp-widget-boundary:* Allow

(you can find it also here)

A client using Microsoft Outlook 2000 (!!!!!!) was downloading messages with no date reported by the client. This was a little curious, since it seemed a bit odd; in fact, the default POP3 policy was stripping a bit more than I would usually do. Therefore I added a couple of changes.

Date: * Allow
Received: * Allow
Thread-* Allow (to allow Outlook threading)

I found the first two strips a bit excessive, but as of today I didn't have time to report it to their support yet (found on version 11.3.3 XTM).

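
The effect of the three POP3 rules above can be modelled offline. This is an added example, not WatchGuard code or its configuration format: the baseline allowlist, the sample message, and glob matching through `fnmatch` are assumptions standing in for the proxy's header rules.

```python
import fnmatch
from email import message_from_string

# Constructed sample message (not taken from the original post).
SAMPLE = (
    "Received: from mx.example.net by pop.example.net; Sun, 25 Sep 2011 08:00:00 +0200\n"
    "Date: Sun, 25 Sep 2011 08:00:00 +0200\n"
    "From: alice@example.net\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "Thread-Index: AcxConstructed==\n"
    "X-Tracking: abc\n"
    "\n"
    "body\n"
)

# Assumed baseline: a strict allowlist that lacks the three rules from the post.
BASELINE = ["From:*", "To:*", "Subject:*"]
# The patterns the post adds (whitespace normalized to "Name:*").
ADDED = ["Date:*", "Received:*", "Thread-*"]


def apply_header_rules(raw, allow_patterns):
    """Drop every header that matches no allow pattern.

    Returns (filtered_message, names_of_stripped_headers).
    """
    msg = message_from_string(raw)
    stripped = []
    for name, value in msg.items():
        line = f"{name}:{value.strip()}".lower()
        if not any(fnmatch.fnmatchcase(line, p.lower()) for p in allow_patterns):
            stripped.append(name)
    for name in stripped:
        del msg[name]
    return msg, stripped


if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE), ("with added rules", BASELINE + ADDED)):
        msg, stripped = apply_header_rules(SAMPLE, rules)
        print(f"{label}: Date={msg['Date']!r} stripped={stripped}")
```

Running a captured message through a model like this before changing a policy shows which headers a client depends on would be removed, so each exception stays as narrow as the three rules above.
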
Last but not least, an FTP restriction using FileZilla Server. The client was unable to retrieve the directory listing because of a policy. After a short investigation I found the command that was blocking the directory retrieval. All that was needed to solve the issue was adding the MLSD command to the allowed ones.

I find all this research is quite common. I can't complain because a vendor decided to tighten a security policy, and I wouldn't complain because the firewall did its job more than perfectly. What really pisses me off is that when contacting development counterparts you get a set of complaints about their work being... complained about. I mean hey! I didn't complain about your job, I just asked you if it's a common behavior and how your application works! As a result of some discussions you usually get the answer "oh yeah, we are aware of it. You need to open your firewall". Did he hear what he just said?

As far as it goes on, it's really hard to get things working. Basically I think I am able to fix things because I know where to look, possibly because I've studied protocols and know how they work. Please, tell me a Senior System Engineer doesn't know how the HTTP protocol works, really. Juniors should (but that's another story). Anyway, getting things working is somehow easy when you know where to look. Having the support of a vendor that helps you in solving problems as well as fixing those in future releases makes for even better living. But as for the rest, it's a living hell.

Well, as far as that goes, I try to make as few exceptions as possible, wondering if things are gonna change in a near/distant/farfarfar future. :-)
