Why would my mail server try to do this/ipchains question

Post by Eric Bamba » Thu, 28 Dec 2000 00:01:00



I use fetchmail for retrieving mail and sending it to an internal server. I am
behind an ipchains firewall I have built, and I notice in my logs that an IP with
source port 110 (presumably mail) likes to try to connect to port 1024. This
doesn't appear to affect my mail or happen simultaneously when fetchmail is
running; it just seems to happen every once in a while.

Dec 25 21:32:17 router kernel: Packet log: input DENY ppp0 PROTO=6
206.141.239.142:110 64.108.223.26:1024 L=44 S=0x00 I=11217 F=0x4000 T=253 (#4)

Any clues? I'm just curious what all the experts think.
P.S. What do the L, S, I and F mean in that line? I know T means TTL, and what
are the protocol numbers? Is 6 TCP or UDP? And what is that #4? Does that mean it
matched rule #4 on the input chain? Even if you can't explain why it
would happen, an answer to this cryptic log would be greatly appreciated.
Thanks

Post by Tim Hayne » Thu, 28 Dec 2000 01:30:08



> I use fetchmail for retrieving mail and sending it to an internal server.
> I am behind an ipchains firewall I have built, and I notice in my logs that
> an IP with source port 110 (presumably mail) likes to try to connect to port
> 1024. This doesn't appear to affect my mail or happen simultaneously when
> fetchmail is running; it just seems to happen every once in a while.

> Dec 25 21:32:17 router kernel: Packet log: input DENY ppp0 PROTO=6
> 206.141.239.142:110 64.108.223.26:1024 L=44 S=0x00 I=11217 F=0x4000 T=253
> (#4)

That is not a connection, it's a continuation (lack of SYN flag, which
you'd know about if it said it).

I suspect your firewall rules are not allowing TCP continuations from low
server ports, and/or are broken regarding port 1024 (the first unprivileged
port - include it in your things-to-accept-as-source-ports range).

> P.S. What do the L, S, I and F mean in that line? I know T means TTL, and
> what are the protocol numbers? Is 6 TCP or UDP?

more /etc/protocols.

> And what is that #4?

The number of the rule that matched to give this log.

> cryptic

What's cryptic? ;)

~Tim
--
    4:27pm  up 1 day, 18:43,  8 users,  load average: 0.14, 0.05, 0.02

http://piglet.is.dreaming.org |(seen during a recent, >y2000, installation)
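An added example (not code from either poster) that decodes the ipchains log format discussed in this thread: the protocol number, the L/S/I/F/T fields, the rule number, and whether the kernel appended a SYN marker, which is what separates a connection attempt from the continuation Tim describes. The second sample line is constructed to show a SYN-flagged entry; the PROTOCOLS table is a hand-picked subset of /etc/protocols.

```python
import re

# Constructed sample log lines in the ipchains "Packet log:" format.
# The first is the line quoted in the thread; the second is made up.
SAMPLE_LOGS = [
    "Dec 25 21:32:17 router kernel: Packet log: input DENY ppp0 PROTO=6 "
    "206.141.239.142:110 64.108.223.26:1024 L=44 S=0x00 I=11217 F=0x4000 T=253 (#4)",
    "Dec 25 21:40:02 router kernel: Packet log: input DENY ppp0 PROTO=6 "
    "192.0.2.10:34567 64.108.223.26:1024 L=60 S=0x00 I=4242 F=0x4000 T=48 SYN (#4)",
]

IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# Subset of /etc/protocols (assumption: only these three are needed here).
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_ipchains(line):
    """Return the decoded fields of one ipchains log line, or None if it does not match."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    frag = int(m["frag"], 16)  # F: the IP flags + fragment-offset word
    return {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": PROTOCOLS.get(int(m["proto"]), m["proto"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["len"]),               # L: total IP packet length in bytes
        "tos": int(m["tos"], 16),              # S: IP type-of-service byte
        "ip_id": int(m["id"]),                 # I: IP identification field
        "dont_fragment": bool(frag & 0x4000),  # 0x4000 is the DF bit
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": frag & 0x1FFF,
        "ttl": int(m["ttl"]),                  # T: time to live
        "syn": m["syn"] is not None,           # kernel appends " SYN" for openers
        "rule": int(m["rule"]),                # (#n): rule in the chain that matched
    }


def classify(entry):
    """A TCP packet without the SYN marker is a continuation, not a new connection."""
    if entry["proto"] != "tcp":
        return "non-tcp"
    return "connection attempt" if entry["syn"] else "continuation"
```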