Re: Ipchains and smtp rule
From: Mogens Valentin (email@example.com)
Message-ID: <3BFD8F2A.3CCE4D62@danbbs.dk>
Date: Fri, 23 Nov 2001 00:50:02 +0100
From: Mogens Valentin <firstname.lastname@example.org>
To: focus-linux <email@example.com>
Subject: Re: Ipchains and smtp rule
Brian Hatch wrote:
> > > If I do a telnet mailserver 25, I get a roughly 30 sec delay.
> > > I've seen remarks about exactly that kind of delay on various lists
> > > before, and it's usually a dns problem, so I'm going to check the
> > > caching nameserver setup for errors.
> It's probably due to the mail server attempting an IDENT (port 113)
> request to the client. If the client's IDENT port is silently
> ignoring this connection (ipchains DENY vs REJECT) then it takes
> a while before the mail server gives up. This timeout is usually
Sure. I'm REJECT'ing port 111/113. Maybe I should install fakeidentd.
Anyway, I guess the problem is either some icmp thingy I'm missing, or
the fact that I do both ingress/egress filtering (rp_filter=3) in /proc
If the firewall is 10.0.0.2 and the mailserver is 10.0.0.3, how on earth does
traffic get through between them with rp_filter=3? Seems I've messed up.
I'll check those and dns conf tomorrow (well, today :-).
Thanks to all so far for good ideas.
And well, the whole mess was due to a missing switch on the dmz. I'm not
doing the shopping, my customer is, and they prefer a specific HW-shop ;-
At least I learn a few more bits'n'tweaks.
--
Regards, Mr Dev - Mogens Valentin
http://www.mrdev.com - firstname.lastname@example.org
OpenSource Security - Networking - Programming

C makes it easy to shoot yourself in the foot. With C++ it's harder, but if you succeed, you'll shoot off the whole leg. - Bjarne Stroustrup (freely translated from Danish)
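The delay discussed in this thread comes from how the client's side answers the mail server's ident (TCP/113) connection: a REJECT (ICMP unreachable or TCP RST) fails the connect immediately, while a silent DENY leaves the MTA waiting until its ident timeout expires. The following is an added diagnostic, not code from the original posts, that performs the same connect an MTA would and classifies the answer. Host, port and timeout values are assumptions; the loopback demo at the end is constructed for illustration and can only produce the "open" and "refused" outcomes, since "timeout" needs a filter in the path that drops packets silently.

```python
import errno
import socket
import threading

IDENT_PORT = 113  # the port an MTA probes before it writes its SMTP banner


def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Connect to host:port the way an MTA's ident lookup does.

    Returns one of:
      "open"        - the TCP handshake completed; something answers on the port
      "refused"     - the peer answered with a TCP RST or an ICMP port
                      unreachable (ipchains REJECT, or no filter and nothing
                      listening); the MTA gives up at once
      "unreachable" - ICMP host/network unreachable came back; also immediate
      "timeout"     - no answer within `timeout` seconds (ipchains DENY, i.e.
                      packets dropped silently); this is the case that shows up
                      as a long pause before the SMTP banner
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def local_ident_demo():
    """Constructed demo on loopback: probe a port while a listener holds it
    ("open"), then again after the listener is closed ("refused").
    Returns a dict of both outcomes so a caller can check them."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def accept_one():
        conn, _ = listener.accept()
        conn.close()

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()
    while_listening = probe_ident("127.0.0.1", port, timeout=2.0)
    t.join(2.0)
    listener.close()
    after_close = probe_ident("127.0.0.1", port, timeout=2.0)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    # Assumed target: the SMTP client the mail server would ident-probe.
    # Run this from the mail server's vantage point; a "timeout" result means
    # the client side is dropping port 113 silently rather than rejecting it.
    print(local_ident_demo())
    print(probe_ident("10.0.0.2", timeout=5.0))
```

Running the probe from the mail server against the SMTP client reproduces what the MTA sees: "refused" or "unreachable" means the ident lookup fails fast and the banner delay must come from somewhere else (such as the DNS lookups mentioned in the thread), whereas "timeout" points at a silently dropped port 113.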