Steve Manes <[EMAIL PROTECTED]> writes on 10 December 2000 at 10:31:24 -0500
> At 01:31 AM 12/10/00 -0700, Sean Reifschneider wrote:
> >On Sun, Dec 10, 2000 at 02:51:24AM -0500, Steve Manes wrote:
> > >Dec 10 01:02:49 meg kernel: Packet log: output REJECT eth0 PROTO=6 166.84.147.124:3687 206.26.89.202:25 L=1064 S=0x00 I=46413 F=0x0000 T=64 (#37)
> > >Dec 10 01:02:55 meg kernel: Packet log: output REJECT eth0 PROTO=6 166.84.147.124:4396 204.242.84.1:25 L=60 S=0x00 I=46421 F=0x0000 T=64 SYN (#37)
> > >
> > >Any idea what's causing this?
> >
> >ipchains is blocking incoming connections to port 25/tcp. You know, the
> >e-mail port.
>
> I know what port 25 is and, no, it's not blocking incoming connections. It
> seems to be blocking outgoing connections. But if you look at the script
> you'll see that port 25 is open both ways:
>
> # SMTP server (25)
> # ----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 25 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 25 \
> --destination-port $UNPRIVPORTS -j ACCEPT
The ! -y means it's not open to *initiating* any outbound
connections, doesn't it? I'm not an ipchains expert, but I run it
with some simple rules, and I double-checked the docs just now.
Also, this particular pair of rules doesn't allow a connection from
port 25 here to port 25 elsewhere, or vice versa. Does qmail do that,
or are the outbound connects always from non-priv ports? And do
*other* people do that, or are the inbound connects always from
non-priv ports?
--
David Dyer-Bennet / Welcome to the future! / [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/ Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/
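Added illustration, not part of the thread above: a small Python model of the two quoted ipchains rules, run over the two quoted kernel log lines, to show why both packets fall through to the reject. It assumes `$UNPRIVPORTS` is the usual 1024-65535 range, that `$IPADDR` is the logged source 166.84.147.124, that an unmatched packet hits a catch-all REJECT (rule #37 in the log is presumably that), and it simplifies `-y` to "the log line carries SYN". The `CLIENT_PAIR` rules are a hypothetical addition for outbound SMTP that the quoted script does not contain.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The two kernel log lines quoted in the thread, with the mail wrapping rejoined.
LOG_LINES = [
    "Dec 10 01:02:49 meg kernel: Packet log: output REJECT eth0 PROTO=6 "
    "166.84.147.124:3687 206.26.89.202:25 L=1064 S=0x00 I=46413 F=0x0000 T=64 (#37)",
    "Dec 10 01:02:55 meg kernel: Packet log: output REJECT eth0 PROTO=6 "
    "166.84.147.124:4396 204.242.84.1:25 L=60 S=0x00 I=46421 F=0x0000 T=64 SYN (#37)",
]

# ipchains "Packet log:" format: chain target iface PROTO=n src:sport dst:dport ... [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

IPADDR = "166.84.147.124"          # assumed value of $IPADDR (the logged source)
UNPRIVPORTS = (1024, 65535)        # assumed value of $UNPRIVPORTS
SMTP = (25, 25)


@dataclass
class Packet:
    chain: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True when ipchains logged the SYN marker (connection-initiating)


@dataclass
class Rule:
    chain: str
    sports: Tuple[int, int]
    dports: Tuple[int, int]
    syn: Optional[bool]   # True = -y, False = ! -y, None = flag not tested
    target: str
    src: Optional[str] = None   # -s address, None = any
    dst: Optional[str] = None   # -d address, None = any


def parse_log(line: str) -> Packet:
    """Turn one ipchains kernel log line into a Packet."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line: %r" % line)
    return Packet(m["chain"], int(m["proto"]), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["syn"] is not None)


# The quoted script's SMTP rules: only the *server* side of port 25.
SERVER_ONLY = [
    Rule("input", UNPRIVPORTS, SMTP, None, "ACCEPT", dst=IPADDR),   # -d $IPADDR 25
    Rule("output", SMTP, UNPRIVPORTS, False, "ACCEPT", src=IPADDR), # ! -y -s $IPADDR 25
]

# Hypothetical client-side pair (not in the quoted script): let us open
# connections to remote port 25 and receive the non-SYN replies.
CLIENT_PAIR = [
    Rule("output", UNPRIVPORTS, SMTP, None, "ACCEPT", src=IPADDR),
    Rule("input", SMTP, UNPRIVPORTS, False, "ACCEPT", dst=IPADDR),
]


def _in(port: int, lohi: Tuple[int, int]) -> bool:
    return lohi[0] <= port <= lohi[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """First-match semantics of one ipchains rule against one TCP packet."""
    if rule.chain != pkt.chain or pkt.proto != 6:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if not _in(pkt.sport, rule.sports) or not _in(pkt.dport, rule.dports):
        return False
    if rule.syn is not None and rule.syn != pkt.syn:
        return False
    return True


def verdict(rules, pkt: Packet, policy: str = "REJECT"):
    """Return (target, 1-based rule index) of the first match, or (policy, None)."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.target, i
    return policy, None


if __name__ == "__main__":
    for line in LOG_LINES:
        pkt = parse_log(line)
        print(pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, "SYN" if pkt.syn else "",
              "server-only:", verdict(SERVER_ONLY, pkt),
              "with client pair:", verdict(SERVER_ONLY + CLIENT_PAIR, pkt))
```

Both logged packets leave from an unprivileged port towards a remote port 25, so neither `SERVER_ONLY` rule can match them (the output rule requires source port 25, and the SYN one is also excluded by `! -y`); they are outbound client connections, exactly what the reply above describes. Note that even with the client pair added, a packet from local port 25 to remote port 25 still matches nothing, which is the second point raised.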