Re: Ipchains and smtp rule

From: Mogens Valentin
Date: Fri, 23 Nov 2001 00:50:02 +0100
To: focus-linux
Subject: Re: Ipchains and smtp rule

Brian Hatch wrote:
> > > If I do a telnet mailserver 25, i get a roughly 30 sec delay.
> > > I've seen remarks about exactly that kind of delay on various lists
> > > before, and it's usually a dns problem, so I'm going to check the
> > > caching nameserver setup for errors.
> It's probably due to the mail server attempting an IDENT (port 113)
> request to the client. If the client's IDENT port is silently
> ignoring this connection (ipchains DENY vs REJECT) then it takes
> a while before the mail server gives up. This timeout is usually
> configurable.

Sure. I'm REJECT'ing port 111/113. Maybe I should install fakeidentd.
Anyway, I guess the problem is either some icmp thingy I'm missing, or
the fact that I do both ingress/egress filtering (rp_filter=3) in /proc
If firewall is and mailserver is, how on earth does
traffic get through between them with rp_filter=3? Seems I've messed up.
I'll check those and the dns conf tomorrow (well, today :-).

Thanks to all so far for good ideas.
And well, the whole mess was due to a missing switch on the dmz. I'm not
doing the shopping, my customer is, and they prefer a specific HW-shop ;-)
At least I learn a few more bits'n'tweaks.

           Mr Dev - Mogens Valentin -
OpenSource Security - Networking - Programming

C makes it easy to shoot yourself in the foot. With C++ it's harder, but if you succeed, you'll shoot off the whole leg. - Bjarne Stroustrup (freely translated from Danish)
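The IDENT lookup Brian describes above, as an added example that is not part of the original thread and not fakeidentd's own code: a small RFC 1413 client playing the mail server's role, plus a loopback responder that stands in for fakeidentd (constructed for the demo; the user name, the port pair 1025/25 and the ephemeral listening port are assumptions, real identd listens on TCP 113). A port that answers with a reset or ICMP unreachable, as ipchains REJECT does, shows up as "refused" at once; a port whose packets are silently dropped, as DENY does, only surfaces as "timeout" once the client's wait expires, which is exactly the delay the mail server's IDENT timeout setting governs.

```python
"""RFC 1413 (IDENT) client plus a fakeidentd-style responder, to show
what a mail server's IDENT lookup looks like on the wire and why a DENY
(silent drop) on port 113 stalls it while a REJECT does not."""
import socket
import threading

# Real identd listens on TCP 113; the demo binds an ephemeral loopback
# port instead so it runs unprivileged and offline (assumption for the demo).
IDENT_PORT = 113


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line, e.g.
    '6191, 23 : USERID : UNIX : stjohns' or '6191, 23 : ERROR : NO-USER'."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    ports, kind = parts[0], parts[1]
    if kind == "USERID" and len(parts) == 4:
        return {"ports": ports, "type": "USERID", "os": parts[2], "user": parts[3]}
    if kind == "ERROR" and len(parts) == 3:
        return {"ports": ports, "type": "ERROR", "reason": parts[2]}
    raise ValueError("malformed ident reply: %r" % line)


def _read_line(sock):
    """Read up to the first newline (IDENT lines are CRLF terminated)."""
    data = b""
    while b"\n" not in data:
        chunk = sock.recv(512)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace")


def ident_query(host, ident_port, port_on_host, port_on_querier, timeout=2.0):
    """What a mail server does after accepting an SMTP connection: ask the
    client's identd who owns <port_on_host> (the client's side of the SMTP
    connection) talking to <port_on_querier> (our port 25).
    Returns ('reply', parsed); ('refused', None) when the port answers with
    RST/ICMP unreachable (ipchains REJECT); ('timeout', None) when packets
    are silently dropped (ipchains DENY) and the timeout expires."""
    request = "%d, %d\r\n" % (port_on_host, port_on_querier)
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            line = _read_line(s)
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    except OSError as exc:
        return ("error", str(exc))
    return ("reply", parse_ident_reply(line))


def start_fake_identd(user="nobody"):
    """Minimal fakeidentd-style responder (constructed stand-in): echoes the
    port pair and always claims the same user. Returns (listening socket,
    port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: shut down
                return
            with conn:
                ports = _read_line(conn).strip()
                if ports:
                    reply = "%s : USERID : UNIX : %s\r\n" % (ports, user)
                    conn.sendall(reply.encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_loopback_port():
    """Pick a loopback port with no listener, standing in for a REJECTed 113."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_fake_identd("mogens")
    print(ident_query("127.0.0.1", port, 1025, 25))  # ('reply', {... 'user': 'mogens'})
    srv.close()
    print(ident_query("127.0.0.1", closed_loopback_port(), 1025, 25))  # ('refused', None)
```

Running it against a host that DENYs port 113 would return ("timeout", None) only after the full two seconds per lookup (the MTA's default is usually much longer), which is the stall seen on `telnet mailserver 25`; a REJECT, or a fakeidentd-style answer, returns within a round trip.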
