[nflug] IPTABLES TCP unclean

Justin Bennett Justin.Bennett at Dynabrade.com
Thu Feb 16 13:26:56 EST 2006


No. as I replied to Dave communication isn't the greatest. It takes me a 
while to get a reply. I can ask him, but I'm not sure if it's a big 
deal. Since it is an experimental option, I think I'm just going to 
disable it.

It's a 2.4 kernel, from what I see online I don't think it was included 
in 2.6. I don't have anything running 2.6 so I haven't tried. Maybe 
the experiment failed and they didn't include it.

Justin


Justin Bennett
Network Administrator
Dynabrade, Inc.
8989 Sheridan Dr.
Clarence, NY 14031
 



On 2/16/2006 1:21 PM, Darin Perusich wrote:

> do you know what kind of firewall he has?
>
> Justin Bennett wrote:
>
>> I've been working with this guy for a couple of days. His mail server 
>> can't connect to mine, and he can't telnet to any port I gave him, 
>> from his PC, (I'm assuming behind the same firewall as his mail 
>> server) ports 53,25 with the unclean enabled. I tried several port 
>> just to make sure it wasn't a rule just with port 25.
>>
>> I have 3 machines throughout the world running with the same unclean 
>> option. He can't connect to any port on any of them either. Until I 
>> turn the unclean option off. Then no problem. I assume his gateway is 
>> doing something the unclean module doesn't like.
>>
>> I'm just not sure everything the unclean option looks for, I know it 
>> does some header checking for invalid flags and such. I don't know if 
>> it's a problem if I allow unclean from his IP, or just disable it all 
>> together. I'm concerned about security, not necessarily about 
>> traffic, or load on the TCP stacks processing 'unclean' packets.
>>
>> Justin
>>
>> Justin Bennett
>> Network Administrator
>> Dynabrade, Inc.
>> 8989 Sheridan Dr.
>> Clarence, NY 14031
>>
>>
>>
>>
>> On 2/16/2006 12:56 PM, Darin Perusich wrote:
>>
>>> how can they not connect to your smtp server, is it their smtp 
>>> server that can't connect? have they tried 'telnet 12.45.31.35 smtp' 
>>> when you have the unclean enabled?
>>>
>>> Justin Bennett wrote:
>>>
>>>> I'm running an iptables firewall, I've got a rule that blocks TCP 
>>>> Unclean packets.
>>>>
>>>> iptables -A INPUT -m unclean -j DROP
>>>> iptables -A FORWARD -m unclean -j DROP
>>>>
>>>> There is a customer who can't connect to our mail server, I've 
>>>> ruled everything else out. When I comment out these two rules, he 
>>>> can connect. There's something funky I believe with the way he is 
>>>> forming packets. Does anyone know what this blocks? would it be a 
>>>> security issue if I allow tcp unclean from his ip address?
>>>>
>>>> Justin
>>>>
>>>
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
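As an added example (not code from this thread, and not the actual check list of the ipt_unclean module, which the thread itself says is not well documented), here is a small Python script that parses the flag byte of a raw TCP header, reports the classic illegal flag combinations that a header-sanity match of this kind rejects, and shows how a per-source exemption like the one Justin is weighing changes the verdict. The sample headers and the source addresses (203.0.113.x and 198.51.100.x) are constructed test data.

```python
import ipaddress
import struct
from typing import Iterable, List

# TCP flag bits as they appear in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport: int, dport: int, flags: int, data_offset: int = 5) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test data, no IP header).

    Sequence/ack numbers, checksum and urgent pointer are zero; none of the
    checks below look at them.
    """
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset << 4, flags, 65535, 0, 0)


def tcp_header_problems(hdr: bytes) -> List[str]:
    """Return the sanity problems found in a raw TCP header.

    These are the well-known illegal flag combinations (NULL, SYN+FIN,
    SYN+RST, FIN/PSH/URG without ACK) plus a too-small data offset. This is
    an assumption about the kind of checks an "unclean"-style match makes,
    not a reproduction of ipt_unclean. An empty list means the header looks
    normal.
    """
    problems: List[str] = []
    if len(hdr) < 20:
        return ["header shorter than 20 bytes"]
    data_offset = hdr[12] >> 4          # header length in 32-bit words
    flags = hdr[13]
    if data_offset < 5:
        problems.append("data offset below 5 words")
    if flags & (FIN | SYN | RST | PSH | ACK | URG) == 0:
        problems.append("no flags set (NULL)")
    if flags & SYN and flags & FIN:
        problems.append("SYN and FIN both set")
    if flags & SYN and flags & RST:
        problems.append("SYN and RST both set")
    if flags & FIN and not flags & ACK:
        problems.append("FIN without ACK")
    if flags & PSH and not flags & ACK:
        problems.append("PSH without ACK")
    if flags & URG and not flags & ACK:
        problems.append("URG without ACK")
    return problems


def verdict(src_ip: str, hdr: bytes, exempt_sources: Iterable[str] = ()) -> str:
    """Model 'DROP unclean headers, except from listed sources' as a decision.

    exempt_sources holds addresses or CIDR networks as strings. A clean
    header always passes; a dirty one passes only when the source is exempt,
    which is exactly the header checking you give up for that source.
    """
    problems = tcp_header_problems(hdr)
    if not problems:
        return "PASS"
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(net, strict=False) for net in exempt_sources):
        return "PASS"
    return "DROP"


if __name__ == "__main__":
    # Constructed samples from an assumed (documentation-range) source address:
    # a normal SYN to port 25, a SYN+FIN to port 25, and a NULL packet.
    samples = [
        ("203.0.113.5", build_tcp_header(40000, 25, SYN)),
        ("203.0.113.5", build_tcp_header(40001, 25, SYN | FIN)),
        ("203.0.113.5", build_tcp_header(40002, 25, 0)),
    ]
    for src, hdr in samples:
        print(src, f"flags=0x{hdr[13]:02x}",
              tcp_header_problems(hdr) or "clean",
              "no exemption:", verdict(src, hdr),
              "exempt /24:", verdict(src, hdr, exempt_sources=["203.0.113.0/24"]))
```

In iptables terms the exemption in `verdict` corresponds to an ACCEPT rule with `-s <customer address>` placed before the `-m unclean -j DROP` rule; the script makes the trade-off concrete: for that one source, every header the sanity check would have rejected is let through, while all other sources keep the check.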


