technology from back to front

Adventures with the Fisher Price My First Firewall

I’m writing this blog entry for therapeutic reasons. Everything you need to know is in the link below. Readers are invited to share the worst anti-features they have found in network devices by posting a comment.

I had a strange problem sending email from a host. I first discovered that trac couldn’t send messages via a remote smtp server. It would just hang indefinitely. So I decided it was better to set up exim on the local box, and have trac send mail using that – at least it wouldn’t hang.

Unfortunately, exim wouldn’t send messages either.

At this stage, we were using the same smtp server – exim was configured to use it as a smart host.

We discounted any firewall problems immediately, because we could establish a connection. We didn’t immediately notice that we didn’t get an initial message from the server. When we did, we assumed it was because the server wasn’t sending it for some reason, and started checking on things like DNS.

This got us nowhere.

Then I noticed that if I typed HELO into the connection I did get a response. Eventually I noticed I could type anything into the connection and get the server’s initial 220 greeting back.

At this point, I decided I would use tshark to check on what the smtp server was doing, and discovered that actually it was sending the 220, and resending it a good few times too; it just never arrived at our end.

This turned my attention to the Zyxel firewall we were using.

It turns out that a ‘feature’ of the firewall, designed to prevent spam, prevented us from receiving anything from the server on the connection until we had sent something on it. This feature is particularly ridiculous, since most spam mail clients don’t bother to wait for the server’s greeting before talking, so only spam would get through while legitimate clients (which wait for the 220 before saying anything) would not.
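The quickest way to tell this middlebox behaviour apart from a server that is genuinely silent is to open the connection, wait for the 220, and only then poke it with a harmless command and see whether the greeting suddenly appears. The script below is an added example, not code from the original post or from Zyxel: it runs a throwaway SMTP listener on localhost (a constructed stand-in for the smart host, optionally mimicking the firewall by withholding the greeting until the client speaks) and a small diagnostic client that classifies what it sees. The hostname in the banner and the function names are assumptions for the example.

```python
import socket
import threading

# Constructed sample greeting; the hostname is made up for the example.
GREETING = b"220 mail.example.test ESMTP ready\r\n"


def _serve_once(listener, hold_greeting_until_client_speaks):
    """Accept one connection and play the SMTP server side.

    With hold_greeting_until_client_speaks=True this mimics the firewall
    behaviour described in the post: nothing reaches the client until the
    client has sent some bytes of its own.
    """
    conn, _ = listener.accept()
    listener.close()
    with conn:
        conn.settimeout(5)
        if hold_greeting_until_client_speaks:
            try:
                conn.recv(1024)  # the "firewall" waits for client bytes first
            except socket.timeout:
                return
        conn.sendall(GREETING)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            return
        if data.upper().startswith((b"EHLO", b"HELO", b"NOOP")):
            conn.sendall(b"250 ok\r\n")


def start_fake_server(hold_greeting_until_client_speaks):
    """Start the stand-in server on an ephemeral localhost port; return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(
        target=_serve_once,
        args=(listener, hold_greeting_until_client_speaks),
        daemon=True,
    )
    t.start()
    return listener.getsockname()[1]


def _recv_line(sock, timeout):
    """Read up to one CRLF-terminated line, or whatever arrives before timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(b"\r\n"):
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def diagnose_smtp_greeting(host, port, wait=1.0):
    """Classify how an SMTP endpoint (or something in front of it) greets us.

    Returns one of:
      "normal"                            - 220 arrived unprompted
      "greeting held until client speaks" - 220 only arrived after we sent data
      "no greeting"                       - nothing arrived either way
    """
    with socket.create_connection((host, port), timeout=5) as s:
        banner = _recv_line(s, wait)
        if banner.startswith(b"220"):
            return "normal"
        # Nothing arrived within `wait` seconds. Poke the connection the way the
        # post describes (typing anything) and see whether the greeting appears.
        s.sendall(b"NOOP\r\n")
        after = _recv_line(s, wait)
        if after.startswith(b"220"):
            return "greeting held until client speaks"
        return "no greeting"


if __name__ == "__main__":
    for hold in (False, True):
        port = start_fake_server(hold_greeting_until_client_speaks=hold)
        print(f"hold={hold}: {diagnose_smtp_greeting('127.0.0.1', port, wait=0.5)}")
```

Against a real smart host you would call `diagnose_smtp_greeting("smarthost.example", 25, wait=30)` from the affected network and again from outside it; only a result that differs between the two points at the firewall. Use a generous wait before blaming a middlebox: a server that implements greet-delay as an anti-spam test legitimately pauses before sending 220, and it would treat the early NOOP as pre-greeting traffic rather than answering it with the banner.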

We gather a firmware upgrade has solved this problem, but letting a firewall release into the wild without checking you could send email through it is a spectacular screw-up – enough to convince me never to buy from this brand again, anyway.

Thanks Simon, for dubbing this product the ‘Fisher Price My First Firewall’.

Thanks Lucas Beeler for blogging about it here.

Thanks Zyxel for wrecking my day.

by david on 10/09/08
  1. Holger Hoffstätte, on 10/09/08 at 5:41 pm

    As much as I have sympathy for your bad experience, “never ever” buying Zyxel again would be the worst remedy. Regardless of this bug/anti-feature, most of their kit is first rate and usually much better than the competition. My DSL Router/Firewall has had 100% uptime and reliability even under stress, for years.

    Practically all mid-range/SMB network solutions have “features” that can only be described as mind-boggling to anybody with a modicum of understanding, but “it’s what the market wants”.

    My cheap-ass D-Link WLAN AP didn’t even work OOTB until I downloaded & installed a new firmware from some obscure FTP site in Asia. I could run either fast without encryption, or encrypted and slow. It died from overheating three days later, even though it was idle 95% of the time.

  2. Holger,

    Well, ZyXEL stuff.. The ZyWALL 5 firmware has most of its kinks worked out, but we had several customers that bought USG 100/200, and are really, really unhappy with them.

    We’ve moved from ZyXEL Firewalls in the lowest end of our customers over to SonicWALL Appliances. Even though they’re a good chunk more expensive. At least their Support doesn’t suck as much as the Swiss ZyXEL Support.

    ZyXEL Switches on the other hand, I never had many issues with them. They may have a clunky web interface, but they work.


2000-14 LShift Ltd, 1st Floor, Hoxton Point, 6 Rufus Street, London, N1 6PE, UK. +44 (0)20 7729 7060