Re: Ipchains and smtp rule

From: Mogens Valentin (monz@danbbs.dk)
Date: 11/23/01


Message-ID: <3BFD8F2A.3CCE4D62@danbbs.dk>
Date: Fri, 23 Nov 2001 00:50:02 +0100
From: Mogens Valentin <monz@danbbs.dk>
To: focus-linux <focus-linux@securityfocus.com>
Subject: Re: Ipchains and smtp rule

Brian Hatch wrote:
>
> > > If I do a telnet mailserver 25, i get a roughly 30 sec delay.
> > > I've seen remarks about exactly that kind of delay on various lists
> > > before, and it's usually a dns problem, so I'm going to check the
> > > caching nameserver setup for errors.
>
> It's probably due to the mail server attempting an IDENT (port 113)
> request to the client. If the client's IDENT port is silently
> ignoring this connection (ipchains DENY vs REJECT) then it takes
> a while before the mail server gives up. This timeout is usually
> configurable.

Sure. I'm REJECT'ing port 111/113. Maybe I should install fakeidentd.
Anyway, I guess the problem is either some icmp thingy I'm missing, or
the fact that I do both ingress/egress filtering (rp_filter=3) in /proc.
If firewall is 10.0.0.2 and mailserver is 10.0.0.3, how on earth does
traffic get through between them with rp_filter=3? Seems I've messed up
things..
I'll check those and dns conf tomorrow (well, today :-).

Thanks to all so far for good ideas.
And well, the whole mess was due to a missing switch on the dmz. I'm not
doing the shopping, my customer is, and they prefer a specific HW-shop ;-)
At least I learn a few more bits'n'tweaks.

-- 
Regards,
           Mr Dev - Mogens Valentin
    http://www.mrdev.com - mrdev@danbbs.dk
OpenSource Security - Networking - Programming

C makes it easy to shoot yourself in the foot. With C++ it's harder, but if you succeed, you'll shoot off the whole leg. - Bjarne Stroustrup (freely translated from Danish)
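The IDENT timeout Brian describes above, as an added example that is not code from this thread, from ipchains or from fakeidentd: a small RFC 1413 client with a timeout, queried against three local stand-ins built here with constructed data. A thread that answers every query with a fixed user name plays the role of fakeidentd; a port with no listener stands in for REJECT (the kernel answers with a RST, so the caller fails at once); a listening socket that nobody ever accepts or answers stands in for DENY (nothing ever comes back, so the caller sits there for the whole timeout). The 1-second timeout, the 127.0.0.1 ephemeral ports and the example port pair 25/40000 are assumptions for the demo; a real MTA typically waits on the order of 30 seconds, which is the delay seen in the `telnet mailserver 25` test. Note that a real DENY stalls in connect() rather than recv(); the effect on the caller is the same.

```python
"""RFC 1413 IDENT client plus local stand-ins for fakeidentd, REJECT and DENY.

Added example, not code from the original thread. Constructed inputs only:
everything runs on 127.0.0.1 with ephemeral ports and a short timeout.
"""
import socket
import threading
import time


def parse_ident_reply(line):
    """Parse one RFC 1413 response line into (status, detail).

    '6191, 23 : USERID : UNIX : stjohns' -> ('USERID', 'stjohns')
    '6191, 23 : ERROR : NO-USER'         -> ('ERROR', 'NO-USER')
    Anything else is reported as ('ERROR', 'MALFORMED').
    """
    fields = [f.strip() for f in line.strip().split(":")]
    if len(fields) >= 4 and fields[1] == "USERID":
        # fields[2] is the opsys token ("UNIX"); a user id may itself contain ':'
        return "USERID", ":".join(fields[3:])
    if len(fields) == 3 and fields[1] == "ERROR":
        return "ERROR", fields[2]
    return "ERROR", "MALFORMED"


def ident_query(host, port, server_port, client_port, timeout=30.0):
    """Ask the identd at host:port who owns the TCP connection
    server_port (our side) <-> client_port (their side).

    Returns (status, detail, seconds_elapsed); status is one of
    'USERID', 'ERROR', 'REFUSED', 'TIMEOUT'.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            data = b""
            # RFC 1413 answers with a single CRLF-terminated line.
            while not data.endswith(b"\r\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        # REJECT: a RST / ICMP unreachable comes back immediately.
        return "REFUSED", "", time.monotonic() - start
    except socket.timeout:
        # DENY / DROP: nothing ever comes back; we waited the full timeout.
        return "TIMEOUT", "", time.monotonic() - start
    except OSError as exc:
        return "ERROR", str(exc), time.monotonic() - start
    status, detail = parse_ident_reply(data.decode("ascii", "replace"))
    return status, detail, time.monotonic() - start


class FakeIdentd(threading.Thread):
    """Minimal fakeidentd stand-in: answers every query with a fixed user.

    It looks nothing up; its only job is to keep the peer from waiting.
    Listens on 127.0.0.1 on an ephemeral port (see self.port).
    """

    def __init__(self, user="nobody"):
        super().__init__(daemon=True)
        self.user = user
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                req = conn.recv(256).decode("ascii", "replace").strip()
                reply = f"{req} : USERID : UNIX : {self.user}\r\n"
                conn.sendall(reply.encode("ascii"))


def closed_port():
    """A local port with no listener: what REJECT looks like (instant RST)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def black_hole_listener():
    """A listening socket nobody accepts or answers: the handshake completes
    in the kernel backlog but no byte ever comes back, which is what a
    silently DENYed identd port looks like to the application."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def demo(timeout=1.0):
    """Query all three stand-ins; returns {case: (status, detail, elapsed)}."""
    identd = FakeIdentd(user="nobody")
    identd.start()
    hole = black_hole_listener()
    results = {
        "fakeidentd": ident_query("127.0.0.1", identd.port, 25, 40000, timeout),
        "reject": ident_query("127.0.0.1", closed_port(), 25, 40000, timeout),
        "deny": ident_query("127.0.0.1", hole.getsockname()[1], 25, 40000, timeout),
    }
    hole.close()
    return results


if __name__ == "__main__":
    for case, (status, detail, elapsed) in demo().items():
        print(f"{case:10s} {status:8s} {detail:8s} {elapsed:5.2f}s")
```

The "reject" row comes back in milliseconds and the "deny" row takes the whole timeout, which is the difference between `-j REJECT` and `-j DENY` on port 113 as seen from the mail server's side; the "fakeidentd" row shows the third option from the post, answering the query with a throwaway name so nobody waits at all.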