[nflug] IPTABLES TCP unclean

David J. Andruczyk djandruczyk at yahoo.com
Thu Feb 16 13:20:14 EST 2006


Does this guy have a firewall? Is it mangling packets (i.e. NAT)? Is
it current/up to date?

From the man page description of that module you can probably remove it as it
is classified as "experimental".



--- Justin Bennett <Justin.Bennett at Dynabrade.com> wrote:

> I've been working with this guy for a couple of days. His mail server
> can't connect to mine, and he can't telnet to any port I gave him, from
> his PC, (I'm assuming behind the same firewall as his mail server) ports
> 53,25 with the unclean enabled. I tried several ports just to make sure
> it wasn't a rule just with port 25.
> 
> I have 3 machines throughout the world running with the same unclean
> option. He can't connect to any port on any of them either. Until I turn
> the unclean option off. Then no problem. I assume his gateway is doing
> something the unclean module doesn't like.
> 
> I'm just not sure everything the unclean option looks for, I know it
> does some header checking for invalid flags and such. I don't know if
> it's a problem if I allow unclean from his IP, or just disable it
> altogether. I'm concerned about security, not necessarily about traffic,
> or load on the TCP stacks processing 'unclean' packets.
> 
> Justin
> 
> Justin Bennett
> Network Administrator
> Dynabrade, Inc.
> 8989 Sheridan Dr.
> Clarence, NY 14031
>  
> 
> 
> 
> On 2/16/2006 12:56 PM, Darin Perusich wrote:
> 
> > how can they not connect to your smtp server, is it their smtp server
> > that can't connect? have they tried 'telnet 12.45.31.35 smtp' when you
> > have the unclean enabled?
> >
> > Justin Bennett wrote:
> >
> >> I'm running an iptables firewall, I've got a rule that blocks TCP
> >> Unclean packets.
> >>
> >> iptables -A INPUT -m unclean -j DROP
> >> iptables -A FORWARD -m unclean -j DROP
> >>
> >> There is a customer who can't connect to our mail server, I've ruled
> >> everything else out. When I comment out these two rules, he can
> >> connect. There's something funky I believe with the way he is forming
> >> packets. Does anyone know what this blocks? would it be a security
> >> issue if I allow tcp unclean from his ip address?
> >>
> >> Justin
> >>
> >
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug
> 


Dave J. Andruczyk
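As an added example, not part of the thread: a small POSIX shell script that first logs what the unclean match is rejecting from one source address (so the kernel log records the TCP flags of exactly those packets), then emits explicit conntrack and TCP-flag rules for the INPUT and FORWARD chains the original rule set used, as a documented stand-in for the experimental match. CUSTOMER_IP is a placeholder, and the conntrack match and LOG target are assumed to be available; it prints the rules by default and only executes them when run with "apply".

```shell
#!/bin/sh
# Added example (not from the nflug thread). Dry-run by default: prints the
# iptables commands; "apply" executes them. Assumes the conntrack and tcp
# matches and the LOG target are available. CUSTOMER_IP is a placeholder
# from the RFC 5737 documentation range, not an address from the thread.

CUSTOMER_IP="${CUSTOMER_IP:-192.0.2.10}"

# Step 1: insert a LOG rule ahead of the existing "-m unclean -j DROP" so
# the kernel log shows which of this host's packets the module objects to,
# including their TCP flags and options.
unclean_diag_rules() {
    chain="$1"
    printf '%s\n' "iptables -I $chain 1 -s $CUSTOMER_IP -m unclean -j LOG --log-prefix \"unclean-$chain: \" --log-tcp-options"
}

# Step 2: explicit checks covering the invalid-flag cases the thread
# attributes to unclean, one rule per line for the given chain.
unclean_replacement_rules() {
    chain="$1"
    cat <<EOF
iptables -A $chain -m conntrack --ctstate INVALID -j LOG --log-prefix "invalid-$chain: "
iptables -A $chain -m conntrack --ctstate INVALID -j DROP
iptables -A $chain -p tcp --tcp-flags ALL NONE -j DROP
iptables -A $chain -p tcp --tcp-flags ALL ALL -j DROP
iptables -A $chain -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A $chain -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A $chain -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A $chain -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
EOF
}

# Print (default) or execute ("apply") the replacement rules for both
# chains the original "-m unclean" rules were attached to.
run_rules() {
    mode="$1"
    for chain in INPUT FORWARD; do
        unclean_replacement_rules "$chain" | while IFS= read -r rule; do
            if [ "$mode" = apply ]; then eval "$rule"; else echo "$rule"; fi
        done
    done
}

run_rules "${1:-print}"
```

Run it with "apply" as root only after reviewing the printed output; the logged "unclean-INPUT:" lines then tell you whether the customer's gateway is sending something the explicit rules would still reject.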
