Sam Varshavchik wrote:
> Alessandro Vesely writes:
>> Since the IP address is dynamic, AFAIK the rule has to use "-m recent"
>
> No, you don't need to bother keeping lists. For example, when portsentry 
> blocks a portscanner:
>
> /sbin/iptables -I INPUT -s 61.128.162.90 -j DROP
>
> In your case, you'd use:
>
> /sbin/iptables -I OUTPUT -d aaa.bbb.ccc.ddd -j REJECT
>
> Then, after the timeout expires
>
> /sbin/iptables -D OUTPUT -d aaa.bbb.ccc.ddd -j REJECT

I see, simple and direct. However, the correct command is rather

/sbin/iptables -I OUTPUT -p tcp -d aaa.bbb.ccc.ddd -j REJECT --reject-with tcp-reset

Without that trailing option, it resulted in an icmp unreliable 
default behavior. I straced courieresmtp right after issuing the 
latter command (which was after sending a helo from the client):

select(1, [0], NULL, NULL, {543, 224000}) = 1 (in [0], left {433, 408000})
read(0, "mail from:<[email protected]>\r\n"..., 5120) = 28 <--- this was never acknowledged --
write(5, "[email protected]\t\n"..., 16)   = 16
read(6, "250 Ok.\n"..., 4096)           = 8
fstat(1, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa57c03a000
write(1, "250 Ok.\r\n"..., 9)           = 9
select(1, [0], NULL, NULL, {600, 0})    = 1 (in [0], left {600, 0})
read(0, 0x50cae0, 5120)                 = -1 ECONNRESET (Connection reset by peer)
exit_group(0)                           = ?

No comments on mail.log.

I'll see if it's easy to grab parts from portsentry's code for 
handling these cases.

Thanks.
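
The insert, wait, delete sequence discussed in this thread as one script. This is an added example, not code from the post or from portsentry; `valid_ipv4`, `rule_spec`, `block_for` and the overridable `IPTABLES` variable are names assumed for illustration. The rule text is built once so that the later `-D` matches the `-I` exactly, including `-p tcp --reject-with tcp-reset`.

```sh
#!/bin/sh
# Added example: block outbound TCP to one address for a fixed time.
# Set IPTABLES=echo for a dry run; all function names here are made up.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Rule text, built once so the later -D matches the -I exactly.
# --reject-with tcp-reset is only accepted together with -p tcp.
rule_spec() {
    printf '%s' "OUTPUT -p tcp -d $1 -j REJECT --reject-with tcp-reset"
}

# block_for ADDRESS SECONDS: insert the rule, wait, delete the same rule.
block_for() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 2; }
    case $2 in
        ''|*[!0-9]*) echo "bad timeout: $2" >&2; return 2 ;;
    esac
    spec=$(rule_spec "$1")
    $IPTABLES -I $spec || return 1
    # If interrupted during the wait, still take the rule out.
    trap '$IPTABLES -D $spec; exit 130' INT TERM
    sleep "$2"
    trap - INT TERM
    $IPTABLES -D $spec
}

# Run only when called as: script ADDRESS SECONDS
if [ "$#" -eq 2 ]; then
    block_for "$1" "$2"
fi
```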
_______________________________________________
courier-users mailing list