Thunderbird unable to connect, Outbound SYN blocked [Resolved]

Little_Mac · March 12, 2007, 5:00pm

Herein I shall attempt to help myself solve the following problem:

Starting Sunday, 3/11/07, I am unable to connect my email client, TBird, to the internet to check my mail accounts. CFP is blocking the connection attempt by Network Rule ID 6 (the block all rule) because of SYN on the outbound from TBird.

Here’s how/when I noticed it.

Late Saturday, I decided to crank down my TB app rules as I have done my browser rules, and limit the ports (I just hadn’t done it b4). So I did that, limiting it to Ports 25, 110. Then on Sunday CAVS did a sizable update (took a few minutes), but didn’t require a reboot. TB also upgraded (the application, not extensions/themes), no reboot required. Later I checked email, to see how CavEmlSvr.exe did on CPU usage. I couldn’t connect; they all failed.

I removed the Application Rules for TB and CES. Exited CFP, restarted. Allowed with remember, for any alert that came up; same result (didn’t realize at that point it had gone into lockdown). Watched connections, saw TB connection drop. Checked logs, see the blocks for SYN.

Disabled CAVS email scan entirely. Reboot. Same thing, SYN block on TB. Still blocked, for SYN. Here’s something odd, tho… it still allowed browser to connect. Increased flood values, exited CFP, restarted, still blocked for SYN. Rebooted. Still blocked for SYN. Disabled Protocol Anlysis; exited, restarted, still blocked for SYN. Disabled Block fragmented IP datagrams, exited, restarted, still blocked for SYN. Rebooted.

This morning b4 coming to work, with Flood values increased, & Advanced Attack Detection off, tried to check again. Same thing, TB blocked because of SYN. Change to Allow All, it connected no problem.

I thought at first it was related to CAVS, since that’s a Beta. But with email scan disabled it’s still doing it, so that’s not it. Thought it might’ve been related to the rule change, but that has been reverted to the previous settings (and a reboot), so it’s not that. It’s either related to the TB update, or some CFP update (if it did one over the weekend; I have not previously filtered cpfupdat.exe’s access to the internet from home, so it could have without me knowing).

So the next questions are:

What version of TB?

What version of CFP?

answer: Don’t know. I didnt’ check; have to do that tonight, and post some relevant logs.

LM

system · March 12, 2007, 5:17pm

Assuming this is a question topic, this is the key to your answer:

Rules issue? Else, disregard this post.

Little_Mac · March 12, 2007, 5:34pm

Network Rule ID 6 is Block & Log IP Out Any/Any. It is separated from Rule ID 7 (Block & Log IP In Any/Any), and is the catch-all for anything not allowed by the preceding rules. It has been there for quite some time, without any problem. The Allow All works because, well, everything is allowed… It might work if I take the block rule out, but I shouldn’t have to, IMO, as it has been working until this point…

The SYN log entry for CFP shows that to be a DOS attempt (rather than a “synchronize” message), thus increasing the flood values and following that, disabling the advanced attack detection protocols (Misc tab). I didn’t increase the floods very far, only to 100; I wanted to go a little at a time, and just didn’t have time for all the reboots after changes (and only exiting/restarting the FW didn’t seem to help; but perhaps I didn’t get outside the 2-minute emergency mode window).

I’ve not ever had this before, with either TB or CFP. I know TB upgraded; I don’t know if any changes happened to CFP or not.

LM

system · March 12, 2007, 7:24pm

LM

A couple of things…

Can you send mail?
Start tb in ‘safe mode’ Safe Mode - MozillaZine Knowledge Base and try connecting.
Create a new profile (for testing only).
Compact the folders.

Toggie

Little_Mac · March 12, 2007, 7:39pm

No, can’t send or receive mail. Here’s how the flow goes:

Open TB. Get the message to compact folders. Choose No (I select No because if I allow it to, it errors out as it can’t do it while the app is trying to check for mail, and then I always forget to later on - I’m too old).

From there, sometimes I can get the password screen, sometimes it doesn’t get to the password screen before it times out. If I get the password in, it still times out anyway. This is because CFP is blocking it from the get-go due to the SYN thing on the Outbound connection.

I have not tried the safe start; I’ll do it this evening.

Why do you think compacting the folders will impact this situation?

system · March 12, 2007, 8:02pm

Why do you think compacting the folders will impact this situation?

I dropped that one in there because, bizarre as it seems, it solved a similar problem for me, when I couldn’t send or receive mail.

From what I understand, the .msf files in your '%profile%\mail\email account name. can be come corrupted, which ‘can’ prevent mail from being both sent and received.

I also think creating a new profile, for testing, would be useful. You can delete it once it has been tried…

Toggie

system · March 12, 2007, 8:07pm

Try setting it much higher. I remember seeing a user or mod (forgot who) who set it in the thousand range (I couldn’t believe it either).

Little_Mac · March 13, 2007, 4:00pm

Okay, this one’s done. Hooray for me, I rock! (:CLP)

Once again, I have found that it’s the dummy behind the keyboard that is the problem! Left on its own, the firewall wouldn’t have any problems. Huh!

Just goes to show you, you shouldn’t make changes to the FW when you’re sleep-deprived. So what’s the deal, you ask? Well, I’ll tell you. You were heading in the right direction, soyabeaner, of the NM rules.

Idiot user created a defined set of ports for TBird to connect in the Application Monitor, and forgot to add a matching rule in the Network Monitor. Thus, TBird couldn’t connect, and the NM doesn’t generate popups when a block rule is fired (and I no longer have the Allow Out TCP/UDP Any/Any rule).

I took a fresh look at it yesterday evening after the Little Maclet went to bed, and figured it out. Still don’t know why the logs were putting the SYN flag on it, which would seem to be flood-related, but oh well.

I don’t spend as much time on the one at home, since it’s a simpler setup; most of my in-depth time is spent at work, where that one is pretty refined for the situation there. When I work on it at home, I’m always short on time and sleep, and get to thinking I’ve already done something that in fact I haven’t.

What’s really ironic is just yesterday I told Graham1 that he needed to verify a fellow worker’s CFP settings (where they were having some difficulty) because the user had probably changed the rules and is saying they haven’t. See, I’m right; even when it’s me! ;D

LM

PS: I’ll follow up tomorrow after making sure it’s still working. Then if it is, I’ll mark the topic Resolved for other users’ benefit and lock it. Then if I need it reopened, I’ll PM myself or another Mod and request it to be reopened.

system · March 13, 2007, 4:02pm

No need to PM or thank me. I’m already here.

So far, from what I’ve seen in this forum, 100% of the time it’s a problem with rules if the Allow All works.