[nflug] IPTABLES TCP unclean

Justin Bennett Justin.Bennett at Dynabrade.com
Thu Feb 16 13:22:13 EST 2006


I assume he's doing some kind of nat.
He's a customer from a land far away that was once behind an "iron 
curtain" so communication isn't the best. I assume my experimental 
module doesn't like something his firewall is doing. I think I'm just 
gonna pull it.

Justin

Justin Bennett
Network Administrator
Dynabrade, Inc.
8989 Sheridan Dr.
Clarence, NY 14031
 
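Added example, not from anyone in this thread: one way to retire the experimental `-m unclean` rules quoted below while keeping the part the thread cares about (header checks for impossible TCP flag combinations, plus segments conntrack cannot place), logging each hit so the remote gateway's behaviour becomes visible instead of being silently dropped, and exempting one source address ahead of the drops. The chain name TCP_SANITY, the placeholder address 192.0.2.10 and the flag list are my choices; the list approximates the kind of checks `unclean` does, not the module's exact logic.

```shell
#!/bin/sh
# Explicit TCP sanity checks in a dedicated chain, as a stand-in for
# "-m unclean". Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
TRUSTED_SRC="${TRUSTED_SRC:-192.0.2.10}"   # placeholder for the customer's IP
LOG_RATE="5/min"

# Flag combinations that never occur in a legitimate TCP exchange,
# written as "mask flags-that-must-be-set" pairs for --tcp-flags.
bad_flag_combos() {
    printf '%s\n' \
        "ALL NONE" \
        "SYN,FIN SYN,FIN" \
        "SYN,RST SYN,RST" \
        "FIN,RST FIN,RST" \
        "FIN,ACK FIN" \
        "ALL FIN,PSH,URG" \
        "ALL SYN,FIN,PSH,URG" \
        "ALL SYN,FIN,RST,ACK,URG"
}

# Build the TCP_SANITY chain and hook it into INPUT and FORWARD.
install_tcp_sanity() {
    "$IPT" -N TCP_SANITY
    # Exception first: this source skips the checks. Narrow it further
    # (for example add --dport 25) if only the mail exchange needs it.
    "$IPT" -A TCP_SANITY -s "$TRUSTED_SRC" -j RETURN
    bad_flag_combos | while read -r mask flags; do
        # Rate-limited LOG, then an unconditional DROP for the same match.
        "$IPT" -A TCP_SANITY -p tcp --tcp-flags "$mask" "$flags" \
            -m limit --limit "$LOG_RATE" -j LOG --log-prefix "TCP_SANITY flags: "
        "$IPT" -A TCP_SANITY -p tcp --tcp-flags "$mask" "$flags" -j DROP
    done
    # Segments that conntrack cannot associate with any connection.
    "$IPT" -A TCP_SANITY -m state --state INVALID \
        -m limit --limit "$LOG_RATE" -j LOG --log-prefix "TCP_SANITY invalid: "
    "$IPT" -A TCP_SANITY -m state --state INVALID -j DROP
    for chain in INPUT FORWARD; do
        "$IPT" -I "$chain" 1 -p tcp -j TCP_SANITY
    done
}

# Usage: TRUSTED_SRC=<customer ip> sh tcp_sanity.sh apply
if [ "${1:-}" = "apply" ]; then
    install_tcp_sanity
fi
```

Watch the kernel log for the TCP_SANITY prefixes before deciding whether the exception is needed at all: the logged flags tell you what the far gateway is sending.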



On 2/16/2006 1:20 PM, David J. Andruczyk wrote:

>Does this guy have a firewall?  is it mangling packets?  (i.e. NAT) is
>it current/up to date?
>
>From the man page desc of that module you can probably remove it as it
>is classified as "experimental".
>
>
>
>--- Justin Bennett <Justin.Bennett at Dynabrade.com> wrote:
>
>>I've been working with this guy for a couple of days. His mail server
>>can't connect to mine, and he can't telnet to any port I gave him, from
>>his PC (I'm assuming behind the same firewall as his mail server), ports
>>53, 25 with the unclean enabled. I tried several ports just to make sure
>>it wasn't a rule just with port 25.
>>
>>I have 3 machines throughout the world running with the same unclean
>>option. He can't connect to any port on any of them either. Until I
>>turn the unclean option off. Then no problem. I assume his gateway is
>>doing something the unclean module doesn't like.
>>
>>I'm just not sure everything the unclean option looks for, I know it
>>does some header checking for invalid flags and such. I don't know if
>>it's a problem if I allow unclean from his IP, or just disable it
>>altogether. I'm concerned about security, not necessarily about traffic,
>>or load on the TCP stacks processing 'unclean' packets.
>>
>>Justin
>>
>>Justin Bennett
>>Network Administrator
>>Dynabrade, Inc.
>>8989 Sheridan Dr.
>>Clarence, NY 14031
>>
>>On 2/16/2006 12:56 PM, Darin Perusich wrote:
>>
>>>how can they not connect to your smtp server, is it their smtp
>>>server that can't connect? have they tried 'telnet 12.45.31.35 smtp' when
>>>you have the unclean enabled?
>>>
>>>Justin Bennett wrote:
>>>
>>>>I'm running an iptables firewall, I've got a rule that blocks TCP
>>>>Unclean packets.
>>>>
>>>>iptables -A INPUT -m unclean -j DROP
>>>>iptables -A FORWARD -m unclean -j DROP
>>>>
>>>>There is a customer who can't connect to our mail server, I've ruled
>>>>everything else out. When I comment out these two rules, he can
>>>>connect. There's something funky I believe with the way he is forming
>>>>packets. Does anyone know what this blocks? would it be a security
>>>>issue if I allow tcp unclean from his ip address?
>>>>
>>>>Justin
>>>>
>>
>
>
>Dave J. Andruczyk
>
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
