Network packet question.

John DeDourek dedourek at unb.ca
Mon Feb 13 18:32:24 UTC 2006


Steven W. Orr wrote:

> I just recently started running dovecot. Now I'm seeing funny things 
> bouncing off my firewall. Here's an example.
>
> Feb 13 10:20:16 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 
> SRC=207.172.210.41 DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255 
> ID=0 DF PROTO=TCP SPT=113 DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
> Feb 13 10:20:19 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 
> SRC=207.172.210.41 DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255 
> ID=0 DF PROTO=TCP SPT=113 DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
>
> I am only using dovecot for my internal network. I do not allow access 
> to dovecot from the outside.
>
> My firewall allows outgoing auth packets, i.e., packets with 
> destination ports set to 113(auth). Also, my firewall does not allow 
> incoming packets with destination ports of 113(auth).
>
> It doesn't make any sense to me. I am the 207.172.210.41 and I seem to 
> be the src and the src port is 113 which makes no sense at all. How is 
> it possible for my server to be trying to connect to a remote machine 
> with src port 113?
>
> Does this make sense?
>
Note that these are "TCP reset segments".  From the "IN= OUT=eth0",
I believe that these are outgoing packets that are being blocked.
If your machine is sending TCP reset segments as output, it would
seem to indicate that input packets are being accepted by the
TCP layer for a connection that doesn't exist.

You believe that your input firewall should be blocking
TCP packets from 65.42.55.47 to port 113, but the output
firewall is logging reset packets. That would indicate
that the input firewall is not blocking these packets as
expected.

I would suggest that you investigate that contradiction.
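
The inference in the reply above, as an added example that is not part of the original post: a locally generated reset (IN= empty, OUT= set) answers a packet that travelled the other way, so swapping its addresses and ports gives the inbound flow to look for in the input rules. The function names are hypothetical, and the sample input is the two quoted log entries unwrapped onto one line each.

```python
import re
from collections import Counter

# Constructed input: the two log entries quoted in the post, each unwrapped onto one line.
ENTRY = ("Feb 13 10:20:%02d saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 "
         "SRC=207.172.210.41 DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255 "
         "ID=0 DF PROTO=TCP SPT=113 DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0")
SAMPLE_LOG = "\n".join(ENTRY % sec for sec in (16, 19))

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "CWR", "ECE"}

def parse_line(line):
    """Return (fields, flags) for one netfilter LOG line."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))   # KEY=VALUE pairs, IN= may be empty
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}  # bare flag tokens
    return fields, flags

def direction(fields):
    """IN= empty and OUT= set means the packet was generated on this host."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_out and not has_in:
        return "local-out"
    if has_in and not has_out:
        return "local-in"
    return "forwarded" if has_in else "unknown"

def implied_inbound(line):
    """For a locally generated TCP reset, return the inbound flow it answers.

    A reset is a reply, so the packet that provoked it ran the other way:
    from the reset's DST:DPT to its SRC:SPT. Returns None for other lines.
    """
    fields, flags = parse_line(line)
    if fields.get("PROTO") != "TCP" or "RST" not in flags:
        return None
    if direction(fields) != "local-out":
        return None
    return (fields["DST"], int(fields["DPT"]), fields["SRC"], int(fields["SPT"]))

def summarize(log_text):
    """Count outbound resets per implied inbound flow (src, sport, dst, dport)."""
    flows = (implied_inbound(l) for l in log_text.splitlines() if l.strip())
    return Counter(f for f in flows if f)

if __name__ == "__main__":
    for (src, sport, dst, dport), n in summarize(SAMPLE_LOG).items():
        print(f"{n} reset(s) answer inbound {src}:{sport} -> {dst}:{dport}/tcp")
```

Each flow it reports is an inbound packet that reached the TCP layer, which is the contradiction with the "no incoming port 113" rule that the reply points out.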



