Hello, everybody.
Please, if this is not the right place, tell me where I should send this question.
A TWAIN driver installed on a workstation uses remote shell (RSH) to connect to a multifunction printer in another subnet in order to scan through the network. A Checkpoint firewall routes packets between both networks and the right ACLs have been configured.
The first command sent by the workstation instructs the MFP to redirect the standard error (stderr) console to port 1022. After exchanging usernames, the following TCP stream appears:
No. Time Source Destination Protocol Length Info
6 REF MFP_Printer Scanning_WS TCP 74 1023 > 1022 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0
7 0.000070000 Scanning_WS MFP_Printer TCP 74 1022 > 1023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 TSval=175963 TSecr=0
8 0.000778000 MFP_Printer Scanning_WS TCP 66 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=0 TSecr=175963
13 0.005591000 Scanning_WS MFP_Printer TCP 68 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175963 TSecr=0
15 0.310455000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175994 TSecr=0
16 0.918846000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176055 TSecr=0
17 2.135649000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176176 TSecr=0
18 4.538069000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176417 TSecr=0
19 9.358490000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176899 TSecr=0
20 18.968060000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST, ACK] Seq=3 Ack=1 Win=0 Len=0
21 18.968948000 MFP_Printer Scanning_WS TCP 66 [TCP Dup ACK 8#1] 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=38 TSecr=175963
22 18.968985000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST] Seq=1 Win=0 Len=0
As you can see, the TCP connection is created by MFP_Printer. After syncing, I would expect that frame 13 should be MFP_Printer transmitting data to Scanning_WS, but it is not; it’s just the opposite.
The firewall (the IPS, I guess) is dropping this packet, reporting “Violated unidirectional connection”. TCP Retransmissions work as expected until the connection is eventually reset.
So the questions are:
After a correct TCP three-way handshake, the peer which sent the TCP SYN should be the peer transmitting data. Is that right?
Is this remote shell behaviour a non-standard behaviour?
Is it a wrong design related to the driver or to the Linux running in the MFP?
I need to understand what’s happening in order to provide some solution, so any information will be greatly appreciated.
Regards.
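
Added example, not part of the original post: a Python check over the frames quoted above that reports which side opened the connection, which side sent payload first, and how the stream ended. It assumes, from the wording of the firewall message, that a "unidirectional" connection allows payload only from the side that sent the SYN; `analyze` and its field names are made up for this illustration.

```python
import re

# Frames copied from the capture in the post (TCP options after Len= trimmed).
CAPTURE = """\
6 REF MFP_Printer Scanning_WS TCP 74 1023 > 1022 [SYN] Seq=0 Win=16384 Len=0
7 0.000070000 Scanning_WS MFP_Printer TCP 74 1022 > 1023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
8 0.000778000 MFP_Printer Scanning_WS TCP 66 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0
13 0.005591000 Scanning_WS MFP_Printer TCP 68 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2
15 0.310455000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2
16 0.918846000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2
17 2.135649000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2
18 4.538069000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2
19 9.358490000 Scanning_WS MFP_Printer TCP 68 [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2
20 18.968060000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST, ACK] Seq=3 Ack=1 Win=0 Len=0
21 18.968948000 MFP_Printer Scanning_WS TCP 66 [TCP Dup ACK 8#1] 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0
22 18.968985000 Scanning_WS MFP_Printer TCP 54 1022 > 1023 [RST] Seq=1 Win=0 Len=0
"""

# frame no., time, source, destination, optional Wireshark note, TCP flags, payload length
FRAME = re.compile(r"^(\d+) (\S+) (\S+) (\S+) TCP \d+ (\[TCP [^\]]+\] )?"
                   r"\d+ > \d+ \[([^\]]+)\].*Len=(\d+)")

def analyze(capture):
    """Return who opened the connection, who sent payload first, and how it ended."""
    result = {"initiator": None, "first_data_frame": None, "first_data_sender": None,
              "retransmissions": 0, "reset_by": None}
    for line in capture.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        num, _time, src, _dst, note, flags, length = m.groups()
        flags = set(flags.split(", "))
        if flags == {"SYN"}:                      # bare SYN marks the opener
            result["initiator"] = src
        if note and "Retransmission" in note:
            result["retransmissions"] += 1
        elif int(length) > 0 and result["first_data_frame"] is None:
            result["first_data_frame"], result["first_data_sender"] = int(num), src
        if "RST" in flags and result["reset_by"] is None:
            result["reset_by"] = src
    # Assumed rule: payload from the side that answered the SYN breaks "unidirectional".
    result["payload_from_responder"] = (
        result["first_data_sender"] not in (None, result["initiator"]))
    return result

if __name__ == "__main__":
    for key, value in analyze(CAPTURE).items():
        print(f"{key}: {value}")
```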