Network packet question.

Steven W. Orr steveo at syslang.net
Mon Feb 13 20:05:06 UTC 2006


=>Steven W. Orr wrote:
=>
=>> I just recently started running dovecot. Now I'm seeing funny things
=>> bouncing off my firewall. Here's an example.
=>>
=>> Feb 13 10:20:16 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 SRC=207.172.210.41
=>> DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113
=>> DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
=>> Feb 13 10:20:19 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 SRC=207.172.210.41
=>> DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113
=>> DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
=>>
=>> I am only using dovecot for my internal network. I do not allow access to
=>> dovecot from the outside.
=>>
=>> My firewall allows outgoing auth packets, i.e., packets with destination
=>> ports set to 113 (auth). Also, my firewall does not allow incoming packets
=>> with destination ports of 113 (auth).
=>>
=>> It doesn't make any sense to me. I am the 207.172.210.41 and I seem to be
=>> the src and the src port is 113 which makes no sense at all. How is it
=>> possible for my server to be trying to connect to a remote machine with src
=>> port 113?
=>>
=>> Does this make sense?
=>>
=>Note that these are "TCP reset segments".  From the "IN= OUT=eth0",
=>I believe that these are outgoing packets that are being blocked.
=>If your machine is sending TCP reset segments as output, it would
=>seem to indicate that input packets are being accepted by the
=>TCP layer for a connection that doesn't exist.
=>
=>You believe that your input firewall should be blocking
=>TCP packets from 65.42.55.47 to port 113, but the output
=>firewall is logging reset packets. That would indicate
=>that the input firewall is not blocking these packets as
=>expected.
=>
=>I would suggest that you investigate that contradiction.

Hi John. I'm a little light in terms of my knowledge of how iptables works.
I'm using something called FIAIF to construct the firewall. Here's the
relevant stuff as it pertains to port 113:

OUTPUT[1]="ACCEPT tcp \
 	auth,smtp,domain,nicname,finger,http,pgpkeyserver,cvspserver \
 	0.0.0.0/0=>0.0.0.0/0"

REPLY_AUTH="EXT tcp-reset tcp auth,domain 0.0.0.0/0=>0.0.0.0/0"

So the way I read this in English is:

Don't let any packets come in to port 113 (i.e., nothing in an INPUT
rule), let me get access to other people's auth servers (i.e., packets
originating from me to other people's auth servers) and if an auth packet
comes in to my system then send them back a tcp-reset.

Here's the output of my iptables -L -n | grep 113

REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 113,53 reject-with tcp-reset
LOG_REJECT  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25,53,43,79,80,11371,2401

Does this help? I'm confused.

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor? Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
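An added example, not part of this thread: a small Python parser for the kernel [FIAIF_SCAN] log lines quoted above that tells a locally generated reset reply (an outgoing RST/ACK with source port 113 and a zero window) apart from an inbound connection attempt. The first two sample lines are the ones from the post; the third is a constructed inbound SYN to port 113, added here only for contrast.

```python
from collections import Counter

# Constructed sample: the two kernel log lines quoted in the thread, plus a
# made-up inbound SYN to port 113 (not from the post) to show the contrast.
SAMPLE_LOG = """\
Feb 13 10:20:16 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 SRC=207.172.210.41 DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113 DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 13 10:20:19 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 SRC=207.172.210.41 DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113 DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 13 10:20:16 saturn kernel: [FIAIF_SCAN]:IN=eth0 OUT= SRC=65.42.55.47 DST=207.172.210.41 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=60707 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_nflog(line):
    """Split a netfilter LOG line into KEY=value fields; bare tokens such as
    DF, SYN, ACK and RST are collected into the 'flags' set."""
    body = line.split("]", 1)[-1].lstrip(": ")   # drop timestamp/host/prefix
    rec, flags = {}, set()
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val      # "IN=" yields IN == "" (no input interface)
        else:
            flags.add(tok)
    rec["flags"] = flags
    return rec

def classify(rec):
    """Label a record by what the host is doing, not by which chain logged it."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    outbound = bool(rec.get("OUT")) and not rec.get("IN")
    inbound = bool(rec.get("IN")) and not rec.get("OUT")
    # An outgoing RST+ACK with WINDOW=0 and no payload (LEN=40: 20-byte IP +
    # 20-byte TCP header) is the answer a host gives to a segment it refuses,
    # from the TCP stack on a closed port or from an iptables
    # REJECT --reject-with tcp-reset rule. Its SPT is the local port that was hit.
    if outbound and {"RST", "ACK"} <= flags and rec.get("WINDOW") == "0":
        return "local-reset-reply"
    if inbound and "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"
    return "other"

def reset_replies_by_port(log):
    """Count local reset replies by the local port they answer for: the ports
    remote hosts reached that this host refused with an RST."""
    hits = Counter()
    for line in log.splitlines():
        rec = parse_nflog(line)
        if classify(rec) == "local-reset-reply":
            hits[rec["SPT"]] += 1
    return hits     # for SAMPLE_LOG: Counter({'113': 2})
```

Running it over the two quoted lines classifies both as local reset replies answering for port 113, which is the reading John gives: the OUTPUT chain is logging the RSTs, not an outbound connection from port 113.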

More information about the fedora-list mailing list