I'm filtering OUTPUT traffic on my Debian machine via nftables + cgroups (net_cls) + cgrulesengd, and every app that wants to connect to the network has to be assigned to some cgroup class and get a rule in the firewall. The gpg binary wants TCP/443 to speak with keyservers (optionally TCP/80). I thought that was all gpg wanted to connect to on the network, but it looks like it also wants TCP/993 (IMAPS).

This happens when I use Thunderbird as a mail client + the Enigmail extension, which makes some use of gpg. Basically, when I start Thunderbird, only Thunderbird wants to connect to the TCP/993 port, but when I clear the conntrack table via `conntrack -F`, then gpg also wants to connect to that port. This is not always the case though -- it only happens when the clearing of the conntrack table is issued some time after Thunderbird has been started (an hour or so). So it looks like the keepalive packets can play some role here.

When I run `lsof -i :993`, I can see some entries pointing to Thunderbird. nftables also reports some NEW-notSYN packets destined to my machine (which is understood, because the conntrack mechanism doesn't know about the established connections now, and everything that comes from the mail servers is in this NEW-notSYN state). I can see some blocked OUTPUT packets as well, and when I compare src/dst ports/IPs I can tell that the packets were sent by Thunderbird (they match the `lsof` output). Also, `lsof` doesn't show anything that points to gpg.

When I prevent gpg from connecting to this port, I can't access my mail account in Thunderbird -- it just tries to refresh the inbox, but it stalls. When I restart Thunderbird at this point, everything goes back to normal, and I don't see any drops in OUTPUT traffic. Could anyone explain what's going on here?
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
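For readers setting up the same kind of per-application egress filter, here is an added example ruleset of the shape the post describes. It is not the poster's ruleset or anything shipped by GnuPG; the table and chain names, the log prefixes and the two net_cls classids (0x00100001 for the cgroup that cgrulesengd puts gpg/dirmngr into, 0x00100002 for the Thunderbird cgroup) are assumptions. It separates the three things the post mixes up: connections conntrack already knows about, mid-stream packets that conntrack sees as "new" without a SYN after `conntrack -F`, and genuinely new connections keyed on the cgroup of the sending process.

```nft
#!/usr/sbin/nft -f
# Added example (not the poster's ruleset). Assumed net_cls classids:
#   0x00100001  cgroup for gpg / dirmngr  (keyserver traffic, TCP/80,443)
#   0x00100002  cgroup for thunderbird    (IMAPS, TCP/993)
# The classid is what cgrulesengd assigns via the cgroup's net_cls.classid;
# `meta cgroup` matches that value (cgroup v1 net_cls only).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # After `conntrack -F` replies on in-flight TCP sessions arrive with
        # no conntrack entry; with nf_conntrack_tcp_loose=1 they are picked up
        # as state "new" but carry no SYN. Log them under their own prefix so
        # they are not confused with real connection attempts.
        ct state new tcp flags & (fin|syn|rst|ack) != syn log prefix "IN-NEW-notSYN " drop
        log prefix "IN-DROP " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept

        # Normal case: traffic of connections conntrack already tracks.
        ct state established,related accept
        ct state invalid log prefix "OUT-INVALID " drop

        # Outgoing mid-stream packets after a conntrack flush: log only, then
        # fall through to the per-cgroup rules so the right application can
        # re-establish the conntrack entry instead of stalling.
        ct state new tcp flags & (fin|syn|rst|ack) != syn log prefix "OUT-NEW-notSYN "

        # Per-application rules keyed on the net_cls classid of the sender.
        # Deliberately not restricted to SYN packets, so a flushed session
        # owned by the expected cgroup is picked up again.
        meta cgroup 0x00100001 tcp dport { 80, 443 } accept
        meta cgroup 0x00100002 tcp dport 993 accept

        # Everything else, with a prefix that makes the cgroup mismatch visible.
        log prefix "OUT-DROP " drop
    }
}
```

Load it with `nft -f` and watch the kernel log while issuing `conntrack -F`: a line with the `OUT-NEW-notSYN` prefix followed by an `OUT-DROP` line for the same 4-tuple means the packet came from a process whose classid matched none of the per-cgroup rules, which is the check to apply to the post's gpg-on-993 drops before adding a broader rule for gpg. The `meta cgroup` match only sees the classid of the socket's owning cgroup, so a socket inherited across a fork or a process moved between cgroups after the socket was created can carry a classid that no longer matches the process `lsof` attributes it to.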