identd/AUTH for SMTP Mail connections
Hi,
I have a lot of mail servers trying to connect to my identd port (113) when sending mail to me.
<Quote> The problem comes about because the firewall silently drops the SYN packet. The e-mail server is expecting an immediate SYN-ACK (identd supported) or RST (identd not supported), but when the firewall drops the packet it keeps trying until the connection times out. http://www.robertgraham.com/pubs/firewall-seen.html#slow-email <Quote>
How do you reconfigure the firewall to RST all those connections, the incoming SMTP requests on the identd port (113), using "ipchains"?
Thanks in advance
Steven
Hi Steven,
Hi I have a lot of mail servers trying to connect to my identd port (113) when sending mail to me.
<Quote> The problem comes about because the firewall silently drops the SYN packet. The e-mail server is expecting an immediate SYN-ACK (identd supported) or RST (identd not supported), but when the firewall drops the packet it keeps trying until the connection times out. http://www.robertgraham.com/pubs/firewall-seen.html#slow-email <Quote>
How do you reconfigure the firewall to RST all those connections, the incoming SMTP requests on the identd port (113), using "ipchains"?
You can't. The RST bit is a result from the TCP stack answering the request. The firewall rules kick in before. You can add a REJECT rule before the others that matches these packets. In this case, destination unreachable type ICMP packets are sent back. These will have the same effect as the RST TCP packets.
Thanks in advance
Steven
Thanks,
Roman.
--
Roman Drahtmüller
Steven Thompson wrote:
Hi I have a lot of mail servers trying to connect to my identd port (113) when sending mail to me.
<Quote> The problem comes about because the firewall silently drops the SYN packet. The e-mail server is expecting an immediate SYN-ACK (identd supported) or RST (identd not supported), but when the firewall drops the packet it keeps trying until the connection times out. http://www.robertgraham.com/pubs/firewall-seen.html#slow-email <Quote>
How do you reconfigure the firewall to RST all those connections, the incoming SMTP requests on the identd port (113), using "ipchains"?
Thanks in advance
Steven
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Hi,
Maybe you could try to reject the connection requests rather than denying them:
ipchains -A input -i $EXTERNAL_INTERFACE -p TCP \
  -s $ANYWHERE -d $MY_IPADDRS 113 -j REJECT
".. you need to reject the connection request to avoid waiting for the TCP connection timeout. This is the only case when an incoming packet is rejected rather than denied ...." Robert Ziegler, "Linux Firewalls", New Riders 2000.
Cheers - Les Catterall
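What the thread is really about is how the remote mail server experiences the three possible answers to its ident SYN: a SYN-ACK (identd listening), an immediate RST or ICMP unreachable (closed port, or a REJECT rule as Roman and Les describe), or silence until the connect times out (a DENY/DROP rule). The following script is an added diagnostic, not code from the thread; it classifies a TCP connect attempt into those outcomes so you can check from outside how your own port 113 answers. The loopback demo functions construct a closed and a listening port locally; 192.0.2.1 is a TEST-NET address assumed to be unroutable, so its result depends on your routing.

```python
import errno
import socket
import time

# Classify how a host answers one TCP connection attempt.
#   "open"        -> SYN-ACK came back (something, e.g. identd, is listening)
#   "refused"     -> RST or ICMP port-unreachable: the sender gives up at once.
#                    On Linux both surface as ECONNREFUSED, which is why an
#                    ipchains REJECT has the same effect on the mail server
#                    as a real RST from the TCP stack.
#   "unreachable" -> ICMP host/network unreachable or no route at all
#   "timeout"     -> nothing at all within `timeout` seconds: the SYN was
#                    silently dropped (DENY/DROP), the slow-e-mail case.
def probe_tcp(host, port, timeout=3.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


# Constructed demo helper: a loopback port with no listener behind it.
# Binding to port 0 lets the kernel pick a free port; closing the socket
# leaves that port closed, so a connect to it is answered with RST.
def local_closed_port():
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


# Constructed demo helper: probe a loopback port that is actually listening.
def probe_with_local_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return probe_tcp("127.0.0.1", srv.getsockname()[1])
    finally:
        srv.close()


if __name__ == "__main__":
    # Local cases: these show "refused" and "open" almost instantly.
    for label, (host, port) in {
        "closed loopback port": ("127.0.0.1", local_closed_port()),
    }.items():
        t0 = time.monotonic()
        print(f"{label}: {probe_tcp(host, port)} after {time.monotonic() - t0:.2f}s")
    print(f"listening loopback port: {probe_with_local_listener()}")
    # Unroutable address (assumed): expect "timeout" or "unreachable" and
    # note how long the sender waited; that wait is what a mail server
    # pays per message when a firewall silently drops ident SYNs.
    t0 = time.monotonic()
    print(f"192.0.2.1:113: {probe_tcp('192.0.2.1', 113, timeout=2.0)} "
          f"after {time.monotonic() - t0:.2f}s")
```

Run it against your own public address from an outside host to see which of the three answers port 113 gives; a "timeout" verdict means inbound mail from ident-checking servers will be delayed by that same wait, while "refused" is the behaviour the REJECT rule in this thread produces.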
participants (3)
- Les Catterall
- Roman Drahtmueller
- Steven Thompson