[nflug] IPTABLES TCP unclean

Darin Perusich Darin.Perusich at cognigencorp.com
Thu Feb 16 13:21:12 EST 2006 

do you know what kind of firewall he has?

Justin Bennett wrote:
> I've been working with this guy for a couple of days. His mail server 
> can't connect to mine, and he can't telnet to any port I gave him, from 
> his PC, (I'm assuming behind the same firewall as his mail server) ports 
> 53,25 with the unclean enabled. I tried several port just to make sure 
> it wasn't a rule just with port 25.
> 
> I have 3 machines throughout the world running with the same unclean 
> option. He can't connect to any port on any of them either. Until I turn 
> the unclean option off. Then no problem. I assume his gateway is doing 
> something the unclean module doesn't like.
> 
> I'm just not sure everything the unclean option looks for, I know it 
> does some header checking for invalid flags and such. I don't know if 
> it's a problem if I allow unclean from his IP, or just disable it all 
> together. I'm concerned about security, not neccesarily about traffic, 
> or load on the TCP stacks processing 'unclean' packets.
> 
> Justin
> 
> Justin Bennett
> Network Administrator
> Dynabrade, Inc.
> 8989 Sheridan Dr.
> Clarence, NY 14031
> 
> 
> 
> 
> On 2/16/2006 12:56 PM, Darin Perusich wrote:
> 
>> how can they not connect to your smtp server, is it their smpt server 
>> that can't connect? have they tried 'telnet 12.45.31.35 smtp' when you 
>> have the unclean enabled?
>>
>> Justin Bennett wrote:
>>
>>> I'm running a iptables firewall, I've got a rule that blocks TCP 
>>> Unclean packets.
>>>
>>> iptables -A INPUT -m unclean -j DROP
>>> iptables -A FORWARD -m unclean -j DROP
>>>
>>> There is a customer who can't connect to our mail server, I've ruled 
>>> everything else out. When I comment out these two rules, he can 
>>> connect. There's something funky I beleive with the way he is forming 
>>> packets. Does anyone know what this blocks? would it be a security 
>>> issue if I allow tcp unclean from his ip address?
>>>
>>> Justin
>>>
>>
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corp.
darinper at cognigencorp.com
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug

More information about the nflug mailing list