Remote shell troubleshooting

Question

Hello, everybody.

Please, if this is not the right place, tell me where I should send this question.

A TWAIN driver installed in a workstation uses remote shell (RSH) to connect to a multifunction printer in other subnet in order to scan through the network. A Checkpoint firewall routes packets between both networks and the right ACLs have been configured.

The first command sent by the workstation instructs the MFP to redirect standard error (stderr) console to port 1022. After exchanging usernames, then the next TCP stream appears:

No. Time           Source      Destination Protocol Length Info
6 REF          MFP_Printer Scanning_WS TCP      74     1023 > 1022 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0
7 0.000070000    Scanning_WS MFP_Printer TCP      74     1022 > 1023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 TSval=175963 TSecr=0
8 0.000778000    MFP_Printer Scanning_WS TCP      66     1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=0 TSecr=175963
13 0.005591000    Scanning_WS MFP_Printer TCP      68     1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175963 TSecr=0
15 0.310455000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=175994 TSecr=0
16 0.918846000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176055 TSecr=0
17 2.135649000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176176 TSecr=0
18 4.538069000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176417 TSecr=0
19 9.358490000    Scanning_WS MFP_Printer TCP      68     [TCP Retransmission] 1022 > 1023 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=2 TSval=176899 TSecr=0
20 18.968060000   Scanning_WS MFP_Printer TCP      54     1022 > 1023 [RST, ACK] Seq=3 Ack=1 Win=0 Len=0
21 18.968948000   MFP_Printer Scanning_WS TCP      66     [TCP Dup ACK 8#1] 1023 > 1022 [ACK] Seq=1 Ack=1 Win=17520 Len=0 TSval=38 TSecr=175963
22 18.968985000   Scanning_WS MFP_Printer TCP      54     1022 > 1023 [RST] Seq=1 Win=0 Len=0

As you can see, TCP connection is created by MFP_Printer. After syncing, I would expect that frame 13 should be MFP_Printer transmitting data to Scanning_WS, but it is not, it’s just the opposite.

The firewall (the IPS, I guess) is dropping this packet, reporting “Violated unidirectional connection”. TCP Retransmissions work as expected until the connection is eventually reset.

So the questions are:

After correct TCP three-way handshake, the peer which sent the TCP SYN should be the peer transmiting data. Is it right?

Is this remote shell behaviour a non-standard behaviour?

Is it a wrong design related to the driver or to the linix running in the MFP?

I need to understand what’s happening in order to provide some solution, so any information will be greatly appreciated.

Regards.

Answer 1

I'm not sure how the RSH protocol should look, but I suspect that the twain driver is not using the remote shell protocol, or at least not a compliant version of it. So if you instruct your checkpoint firewall (or the IDS) to interpret the data as RSH, then you might run into a violation.

Can you disable the protocol inspection and just let the traffic through based on the TCP ports.