[nflug] IPTABLES TCP unclean

[Justin Bennett]

I've been working with this guy for a couple of days. His mail server 
can't connect to mine, and he can't telnet to any port I gave him, from 
his PC, (I'm assuming behind the same firewall as his mail server) ports 
53,25 with the unclean enabled. I tried several port just to make sure 
it wasn't a rule just with port 25.

I have 3 machines throughout the world running with the same unclean 
option. He can't connect to any port on any of them either. Until I turn 
the unclean option off. Then no problem. I assume his gateway is doing 
something the unclean module doesn't like.

I'm just not sure everything the unclean option looks for, I know it 
does some header checking for invalid flags and such. I don't know if 
it's a problem if I allow unclean from his IP, or just disable it all 
together. I'm concerned about security, not neccesarily about traffic, 
or load on the TCP stacks processing 'unclean' packets.

Justin

Justin Bennett
Network Administrator
Dynabrade, Inc.
8989 Sheridan Dr.
Clarence, NY 14031
 



On 2/16/2006 12:56 PM, Darin Perusich wrote:

> how can they not connect to your smtp server, is it their smpt server 
> that can't connect? have they tried 'telnet 12.45.31.35 smtp' when you 
> have the unclean enabled?
>
> Justin Bennett wrote:
>
>> I'm running a iptables firewall, I've got a rule that blocks TCP 
>> Unclean packets.
>>
>> iptables -A INPUT -m unclean -j DROP
>> iptables -A FORWARD -m unclean -j DROP
>>
>> There is a customer who can't connect to our mail server, I've ruled 
>> everything else out. When I comment out these two rules, he can 
>> connect. There's something funky I beleive with the way he is forming 
>> packets. Does anyone know what this blocks? would it be a security 
>> issue if I allow tcp unclean from his ip address?
>>
>> Justin
>>
>
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug