Conflict between POP server and iptables firewall on Redhat 7.2

Post by Pierre Hali » Thu, 14 Feb 2002 03:26:40

Dear all,

I recently installed a new mail server (Redhat 7.2) on a kernel 2.4.9-21
with sendmail-8.11.6-3 and imap-2000c-15. I activated the POP server using the
following /etc/xinetd.d/ipop3 file:

service pop3
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/ipop3d
        log_on_success          += USERID
        log_on_failure          += USERID
        disable                 = no
}

This POP connection works from everywhere, but I have a problem when I
connect from the private network through the firewall: the connection needs
more than 20 seconds before becoming active. The firewall is a Redhat 7.2 using
iptables 2.4.9-21 on a kernel 2.4.9-21. The iptables rules are strong in the
sense depicted in the related FAQs. For one connection, the log on the
firewall shows the following (212.190.94.131 is the mail server,
212.190.94.139 is the firewall):

Feb  5 07:01:06 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=266 DF PROTO=TCP SPT=2283 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

Feb  5 07:01:07 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54986 DF PROTO=TCP SPT=2284 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

Feb  5 07:01:12 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=267 DF PROTO=TCP SPT=2283 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

Feb  5 07:01:13 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6128 DF PROTO=TCP SPT=2285 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

I have no idea how to solve this. Of course, I would prefer to modify the POP
server and avoid any decrease in the firewall security. But this problem
is really important for me. Some applications have many problems because the
default timeout is 30 seconds and it's not enough when the firewall is
loaded. Moreover, it's not easy to explain that my Linux firewall on a T3
line blocks when stupid Outlook with a dial-up connection works!

Many thanks for your help !

--
Pierre Halin
ICT Manager
NCI Business Center
Av Louise 149/24
1050 Brussels

tel: +32 2 535 75 11
fax: + 32 2 535 76 75
website: www.nci.be


Post by Ashok Aiya » Thu, 14 Feb 2002 05:35:42

On Tue, 12 Feb 2002 19:26:40 +0100,

First off, this was an inappropriate question for comp.mail.sendmail

> service pop3
> {
>         socket_type             = stream
>         wait                    = no
>         user                    = root
>         server                  = /usr/sbin/ipop3d
>         log_on_success          += USERID
>         log_on_failure          += USERID

The '+= USERID' implies you want to do an IDENT lookup whether
or not the connection succeeds.  It is highly unlikely that the pop3
client machines (PCs/Macs) will be running an identd -- so this is
not a very sane option to turn on in xinetd for the pop3 service.

> Feb  5 07:01:06 Fire2 kernel: IN=eth0 OUT=
> MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131
> DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=266 DF PROTO=TCP
> SPT=2283 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

Your firewall doesn't allow you to do external ident queries.  So
either modify the firewall to permit them, or better yet turn IDENT
querying off in xinetd.conf.

Ashok
--
Ashok Aiyar
RLU #51601
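The diagnosis above (the USERID flag in the ipop3 stanza makes xinetd open a TCP connection to port 113 on every client, and the firewall silently drops it, so the POP client waits through the SYN retransmits) can be checked mechanically. The following script is an added example, not code from either poster: it audits an xinetd service file for log_on_* entries containing USERID, produces the corrected stanza, and scans iptables kernel log lines for repeated SYNs to tcp/113 from the same source port, which is the fingerprint of a dropped IDENT probe. The xinetd stanza and the four log entries are copied from the first post (log lines re-joined onto one line each); the fifth, unrelated SMTP log line and all function names are constructed for the example.

```python
"""Audit an xinetd service stanza for IDENT (RFC 1413) lookups and detect
dropped IDENT probes in iptables LOG output.  Added example; not from the thread."""
import re
from collections import defaultdict

IDENT_PORT = "113"  # tcp/113 "auth"/ident: what xinetd queries when USERID is set

# Constructed sample: the ipop3 stanza from the first post, verbatim.
SAMPLE_XINETD = """\
service pop3
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/ipop3d
        log_on_success          += USERID
        log_on_failure          += USERID
        disable                 = no
}
"""

# Constructed sample: the firewall's four log entries from the first post, each
# re-joined onto one line, plus one unrelated SMTP SYN (10.0.0.7) to show filtering.
SAMPLE_LOG = """\
Feb  5 07:01:06 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=266 DF PROTO=TCP SPT=2283 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 07:01:07 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54986 DF PROTO=TCP SPT=2284 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 07:01:12 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=267 DF PROTO=TCP SPT=2283 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 07:01:13 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=212.190.94.131 DST=212.190.94.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6128 DF PROTO=TCP SPT=2285 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 07:01:13 Fire2 kernel: IN=eth0 OUT= MAC=00:50:da:36:46:36:00:01:02:fa:b4:97:08:00 SRC=10.0.0.7 DST=212.190.94.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
XINETD_LOG_RE = re.compile(r"^(\s*)(log_on_success|log_on_failure)(\s*)(\+?=)\s*(.*)$")


def parse_iptables_line(line):
    """Split one kernel LOG line into KEY=value fields plus a set of bare flag
    tokens (DF, SYN, ACK, ...). Returns None for lines that are not LOG output."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val          # e.g. SRC=..., DPT=113, OUT= (empty)
        else:
            rec["flags"].add(tok)   # e.g. DF, SYN
    return rec


def find_dropped_ident_probes(log_text):
    """Count initial SYNs to tcp/113 per source. The same (SRC, SPT) logged more
    than once is a retransmitted SYN: the first was dropped without a RST, which
    is exactly the wait the POP client sees. Returns {src: {syns, flows, retransmits}}."""
    per_flow = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or rec.get("DPT") != IDENT_PORT:
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue                # only the client's initial SYN counts
        per_flow[(rec.get("SRC"), rec.get("SPT"))] += 1
    report = {}
    for (src, _spt), n in per_flow.items():
        r = report.setdefault(src, {"syns": 0, "flows": 0, "retransmits": 0})
        r["syns"] += n
        r["flows"] += 1
        r["retransmits"] += n - 1
    return report


def xinetd_ident_lookups(stanza):
    """Return the names of log_on_* attributes whose value list contains USERID."""
    hits = []
    for line in stanza.splitlines():
        m = XINETD_LOG_RE.match(line)
        if m and "USERID" in m.group(5).split():
            hits.append(m.group(2))
    return hits


def remove_ident_lookups(stanza):
    """Return the stanza with USERID removed from every log_on_* value list.
    A line left with no values is dropped, which falls back to xinetd's defaults."""
    out = []
    for line in stanza.splitlines():
        m = XINETD_LOG_RE.match(line)
        if m:
            values = [v for v in m.group(5).split() if v != "USERID"]
            if not values:
                continue
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{m.group(4)} {' '.join(values)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("IDENT lookups enabled by:", xinetd_ident_lookups(SAMPLE_XINETD))
    print("dropped IDENT probes per source:", find_dropped_ident_probes(SAMPLE_LOG))
    print(remove_ident_lookups(SAMPLE_XINETD))
```

On the sample, the mail server shows three distinct IDENT flows and one retransmitted SYN within seven seconds, which matches the "more than 20 seconds" delay once the full retransmit schedule is added up. Removing USERID from both log_on_* lines is the fix Ashok recommends and the one that keeps the firewall policy unchanged; if IDENT queries must remain blocked, note that a firewall rule that rejects tcp/113 with a TCP reset lets the lookup fail immediately instead of timing out, whereas a plain drop produces exactly the retransmit pattern above.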
