Adventures with the Fisher Price My First Firewall
I’m writing this blog entry for therapeutic reasons. Everything you need to know is in the link below. Readers are invited to share the worst anti-features they have found in network devices by posting a comment.
I had a strange problem sending email from a host. I first discovered that trac couldn’t send messages via a remote smtp server. It would just hang indefinitely. So I decided it was better to set up exim on the local box, and have trac send mail using that – at least it wouldn’t hang.
Unfortunately, exim wouldn’t send messages either.
At this stage, we were using the same smtp server – exim was configured to use it as a smart host.
We ruled out firewall problems immediately, because we could establish a TCP connection. We didn’t immediately notice that we never received the server’s initial greeting. When we did, we assumed the server wasn’t sending it for some reason, and started checking things like DNS.
This got us nowhere.
Then I noticed that if I typed HELO
At this point, I decided to use tshark to check what the smtp server was actually doing, and discovered that it was sending the 220 greeting, and resending it a good few times too; it just never turned up at our end.
This turned my attention to the Zyxel firewall we were using.
It turns out that a ‘feature’ of the firewall designed to prevent spam prevented us from receiving anything from the server on the connection until we had sent something on it. This feature is particularly ridiculous, since most spam mail clients don’t bother to wait for the server’s greeting before talking, so only spam would get through while legitimate clients, which wait for the 220 before sending HELO, would not.
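The quickest way to tell this kind of middlebox behaviour apart from a server that is genuinely silent is to connect, say nothing, and see whether the 220 greeting arrives; if it doesn’t, speak first and see whether the greeting then appears. The script below is an added example, not code from the original post or from any of the products it mentions. It runs entirely on 127.0.0.1 against two constructed toy servers: one that behaves like a normal SMTP server and one that withholds the greeting until the client sends a line, which is the symptom described above. The hostnames `mail.example.test` and `probe.example.test` and the verdict names are assumptions made for the example.

```python
import socket
import threading

# Constructed greeting for the toy servers below; not a real host.
BANNER = b"220 mail.example.test ESMTP (constructed test server)\r\n"


def _handle(conn, withhold_banner):
    """Serve one minimal SMTP-like session.

    With withhold_banner=True the 220 greeting is held back until the client
    has sent a line, mimicking the firewall behaviour described in the post.
    """
    with conn:
        f = conn.makefile("rb")
        if withhold_banner:
            if not f.readline():      # block until the client speaks first
                return
        conn.sendall(BANNER)
        while True:
            line = f.readline()
            if not line:
                return
            if line.upper().startswith(b"QUIT"):
                conn.sendall(b"221 bye\r\n")
                return
            conn.sendall(b"250 ok\r\n")


def start_server(withhold_banner):
    """Start a single-connection toy server on 127.0.0.1 and return its port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        conn, _ = listener.accept()
        listener.close()
        _handle(conn, withhold_banner)

    threading.Thread(target=run, daemon=True).start()
    return port


def _readline(sock, timeout):
    """Read one line from sock; return None if nothing arrives within timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(b"\n"):
            chunk = sock.recv(1)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        return None
    return buf or None


def diagnose_smtp_path(host, port, timeout=1.0):
    """Classify the path to an SMTP server without sending mail.

    Verdicts (names are assumptions for this example):
      'normal'                  220 greeting arrives before we send anything
      'client-must-speak-first' greeting only arrives after we send a command
      'unexpected'              first line arrived but was not a 220
      'dead'                    nothing arrives either way
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = _readline(s, timeout)
        if greeting is not None:
            verdict = "normal" if greeting.startswith(b"220") else "unexpected"
        else:
            # Nothing came unsolicited: talk first and see if the server wakes up.
            s.sendall(b"EHLO probe.example.test\r\n")
            reply = _readline(s, timeout)
            if reply is not None and reply.startswith(b"220"):
                verdict = "client-must-speak-first"
            else:
                verdict = "dead"
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass
        return verdict


if __name__ == "__main__":
    for label, withhold in (("well-behaved server", False),
                            ("greeting withheld until client speaks", True)):
        port = start_server(withhold)
        print(f"{label}: {diagnose_smtp_path('127.0.0.1', port)}")
```

Point `diagnose_smtp_path` at the real smart host (port 25 or 587) from behind the suspect firewall: a `client-must-speak-first` verdict, combined with a capture on the far side showing the 220 being sent, is exactly the evidence that a device in between is swallowing server-first data. One caveat worth knowing before working around such a box by having clients speak first: Postfix’s postscreen “pregreet” test treats a client that talks before the greeting as a likely spambot and penalises it, so the workaround can get legitimate mail rejected at the receiving end.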
We gather a firmware upgrade has solved this problem, but letting a firewall release into the wild without checking that you can send email through it is a spectacular screw-up – enough to convince me never to buy from this brand again, anyway.
Thanks Simon, for dubbing this product the ‘Fisher Price My First Firewall’.
Thanks Lucas Beeler for blogging about it here.
Thanks Zyxel for wrecking my day.