Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

my rlogin dropped by FW

Lee_AlexLee_Alex Newbie ✭
edited October 15 in Firewall Security Services

I've rlogin server (on Solaris) with port tcp 513. When enabling to pass to FW, it dropped rlogin session. .Then I found at Monitor and System Log; showed

Event: TCP Xmas Tree Attack
Message: TCP Xmas Tree dropped
Notes: TCP Flags(s) URG ACK PSH FIN
Group: Attacks
Category: Security Services
Source Port: 513

In SonicWall it shows TCP Xmas tree, but actually it's rlogin, tcp 513.

Any suggestion would be appreciated.

Category: Firewall Security Services
Reply

Answers

  • MarkDMarkD Cybersecurity Overlord ✭✭✭
    edited October 15

    XMAS tree attack is referring to the TCP flags that are set in the Notes Field.

    In this instance four of the possible 6 flags are set

    URG ACK PSH FIN simultaneously

  • Lee_AlexLee_Alex Newbie ✭

    Thank you. May I know how can I modify these 4 flags and what flag values should I use?

  • MarkDMarkD Cybersecurity Overlord ✭✭✭

    You can't set those, the flags are within TCP stack for your device, as the source port is 513 this appears to be the Rlogin service - I'm assuming on your Solaris box (although it dose not show the source IP)

  • Lee_AlexLee_Alex Newbie ✭

    Then. I need this rlogin can pass through FW, because need to screen a traffic. What steps should I do, please?

  • Lee_AlexLee_Alex Newbie ✭
    edited 8:23AM

    I requested SonicWall technical support. The solutions::

    1. allow tcp urgent package,
    2. allow management traffic.

    Thanks.

Sign In or Register to comment.