Re: Ipchains and smtp rule

From: Mogens Valentin (
Date: 11/23/01

Date: Fri, 23 Nov 2001 00:50:02 +0100
From: Mogens Valentin <>
To: focus-linux <>
Subject: Re: Ipchains and smtp rule

Brian Hatch wrote:
> > > If I do a telnet mailserver 25, i get a roughly 30 sec delay.
> > > I've seen remarks about exactly that kind of delay on various lists
> > > before, and it's usually a dns problem, so I'm going to check the
> > > caching nameserver setup for errors.
> It's probably due to the mail server attempting an IDENT (port 113)
> request to the client. If the client's IDENT port is silently
> ignoring this connection (ipchains DENY vs REJECT) then it takes
> a while before the mail server gives up. This timeout is usually
> configurable.

Sure. I'm REJECT'ing port 111/113. Maybe I should install fakeidentd.
Anyway, I guess the problem is either some icmp thingy I'm missing, or
the fact that I do both ingress/egress filtering (rp_filter=3) in /proc.
If firewall is and mailserver is, how on earth does
traffic get through between them with rp_filter=3? Seems I've messed up.
I'll check those and dns conf tomorrow (well, today :-).

Thanks to all so far for good ideas.
And well, the whole mess was due to a missing switch on the dmz. I'm not
doing the shopping, my customer is, and they prefer a specific HW-shop ;-)
At least I learn a few more bits'n'tweaks.

           Mr Dev - Mogens Valentin -
OpenSource Security - Networking - Programming

C makes it easy to shoot yourself in the foot. With C++ it's harder, but if you succeed, you'll shoot off the whole leg. - Bjarne Stroustrup (freely translated from Danish)