I am having trouble with Sun Unix NFS and NIS between two servers, one that is outside the firewall (192.168.20.1) and the NFS/NIS server (192.168.10.1) that is inside. Even though I have NFS selected as an allowed protocol, it appears that we get frequent denials from the inside zone to the outside zone between these two servers on high port numbers. So rather than fight this, I added a rule as follows using SDM. My question is... Is this the proper way to specify a zone-based rule where I want to allow ALL protocols? SDM says if you do not specifically ADD a protocol, it allows ALL protocols; however, if you look further below at my syslog, it is obvious that this is not working. I have also noticed that the cause of this is due to a Stray Segment with ip ident 0. Can anyone tell me if this is due to my rule, or what could cause a "stray segment" if that is the cause? Thanks in advance.
-------------------------------------------------------------------
class-map type inspect match-all cls-sum-gc3_server_in_out
 match access-group name acl-gc3_server_in_out
policy-map type inspect pm-inspect-in-out
 class type inspect cls-sum-gc3_in_out
  inspect pm-increase_tcp_idle_timeout
 class type inspect cls-sum-gc3_server_in_out
  inspect
 class class-default
  drop
zone-pair security zp-in-out source GC3-zone destination ULA-Corp-zone
 service-policy type inspect pm-inspect-in-out
ip access-list extended acl-gc3_server_in_out
 remark SDM_ACL Category=128
 permit ip host 192.168.10.1 192.168.0.0 0.0.255.255
-------------------------------------------------------------------
syslog denial examples
Jul 21 13:22:40 silrt0g1 19060: Jul 21 13:22:39.547: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61395 due to Stray Segment with ip ident 0
Jul 21 13:37:25 silrt0g1 19061: Jul 21 13:37:24.551: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61505 due to Stray Segment with ip ident 0
Jul 21 13:43:19 silrt0g1 19064: Jul 21 13:43:18.330: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61515 192.168.10.1:908 due to Stray Segment with ip ident 0
Jul 21 14:20:59 silrt0g1 19075: Jul 21 14:20:58.692: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61742 192.168.10.1:908 due to Stray Segment with ip ident 0
Jul 21 14:25:44 silrt0g1 19076: Jul 21 14:25:43.470: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61770 192.168.10.1:908 due to Stray Segment with ip ident 0