I had the same problem with FTP through a firewall. The two fixes are to allow IDENT to pass through, which works, but is not necessary. The fix I prefer is to have the firewall rule Reject the IDENT packets instead of Dropping them. -----Original Message----- From: Valdis Kletnieks [mailto:[log in to unmask]] Sent: Tuesday, October 01, 2002 8:20 PM To: [log in to unmask] Subject: Re: Packet Filtering Problem On Tue, 01 Oct 2002 16:22:34 EDT, Scott Thomas <[log in to unmask]> said: > a DNS problem), but cannot find the mailer. When I disable packet filtering, > outgoing messages are released and the Resolver tool locates both > home.ease.lsoft.com and the mail server at that location. All outbound ports > are open, but apparently an inbound port on our Listserv server needs to be > opened somewhere. Can anyone advise on which port? It seems Most likely, what is happening is that you're making an OUTBOUND connection to the other system's port 25 (SMTP), and it's calling you back on port 113 (IDENT). I'm guessing your firewall is dropping the SYN packet being sent to your port 113, and the other end is doing one of 2 things: 1) Their timeout for the IDENT connection is longer than the timeout to get the SMTP connection open, so it cans the SMTP because it had to wait too long. 2) Their software is misinterpreting the unreachability of port 113 as the unreachability of the entire host. This can be made even worse by firewall software that sends an ICMP Host Unreachable instead of an ICMP Port Unreachable. When you turn off the filtering, the SYN packet makes it to your system almost instantaneously, your end probably sends an RST packet back because you don't have IDENT running (or it answers the query if it is), the other end is happy, and things move right along. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech