Mailinglist Archive: opensuse-security (575 mails)
Re: [suse-security] SMTP response without SYN ...
- From: Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: 12 Nov 2002 11:09:09 +0200
- Message-id: <1037092149.1750.34.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
On Tue, 2002-11-12 at 00:54, Steffen Dettmer wrote:
> * Ray Leach wrote on Mon, Nov 11, 2002 at 11:04 +0200:
> > Can anyone explain how it is possible that a machine can 'respond' to
> > SMTP traffic that it didn't create.
> >
> > DF PROTO=TCP SPT=25 DPT=4284 WINDOW=0 RES=0x00 ACK RST URGP=0
> >
> > This is from my logs. This particular machine does not even have an SMTP
> > service/daemon running on it.
>
> The kernel sends an RST packet to inform the "client" that there
> is no such service. The client should get a "connection
> refused".
>
> > It is a web server and my iptables rules
> > do not allow incoming SMTP (DPT: 25) to this machine.
>
> Are you sure that no SMTP packet at all can reach your server?
> Then I would wonder why there are RST packets on wire...
>
Yup, here's the rule for that server:
$IPTABLES -A INPUT -i $IFACE_INET -p tcp --dport 25 -d $IP_INET_WEB1 -j REJECT --reject-with tcp-reset
> oki,
>
> Steffen
>
> --
> This letter was generated by machine,
> and therefore bears neither signature nor seal.
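
Added example, not part of the original message: a small classifier for netfilter LOG lines. It shows that the ACK RST line with SPT=25 quoted above has the shape of a reset sent in answer to a bare SYN, which is the kind of packet a REJECT --reject-with tcp-reset rule emits. The sample lines and addresses are constructed, and REJECT_PORTS is an assumption mirroring the quoted rule.

```python
from collections import Counter

# Assumption: ports covered by a "REJECT --reject-with tcp-reset" rule like the one quoted above.
REJECT_PORTS = {25}
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_netfilter(line):
    """Return (fields, flags) from a netfilter LOG line: KEY=VALUE pairs and bare TCP flag words."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(line, reject_ports=REJECT_PORTS):
    """Label a log line by its likely role in a rejected connection attempt."""
    fields, flags = parse_netfilter(line)
    if fields.get("PROTO") != "TCP" or not fields.get("SPT", "").isdigit():
        return "other"
    if "RST" in flags and int(fields["SPT"]) in reject_ports:
        # RFC 793: a reset answering a segment without ACK (a bare SYN) carries RST+ACK;
        # a reset answering a segment that had ACK set carries RST alone.
        return "reset-answering-syn" if "ACK" in flags else "reset-answering-ack"
    if flags == {"SYN"} and fields.get("DPT", "").isdigit() and int(fields["DPT"]) in reject_ports:
        return "syn-to-rejected-port"
    return "other"

def reset_targets(lines, reject_ports=REJECT_PORTS):
    """Count resets per remote address (the DST of the outgoing RST)."""
    hits = Counter()
    for line in lines:
        if classify(line, reject_ports).startswith("reset-"):
            hits[parse_netfilter(line)[0].get("DST", "?")] += 1
    return hits

# Constructed sample lines (documentation addresses); the tail of the second matches the quoted log line.
SAMPLE = [
    "IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=4284 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TTL=255 ID=0 DF PROTO=TCP SPT=25 DPT=4284 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=50 ID=99 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line[:60])
    print(dict(reset_targets(SAMPLE)))
```
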