On Thursday 06 December 2001 10:59 am, Wes Bateman wrote:

> You mention your qmail server, is that the box that was "attempting
> to connect" to port 6000 on an outside host?

Yes, it is my box that is initiating the connections.

> If the box that is sending traffic from port 25 to port 6000 is a
> mail server, then you should verify whether these packets are SYNs
> or, more likely, SYN/ACK or PSH/ACK type packets.

They are all SYN/ACK packets.  Oops.

> In other words, is this really the initiation of a connection, or is
> it just your mailserver replying to a connection initiated by an
> outside host (which randomly selected port 6000, so this would not
> happen often statistically, but it WILL happen) to port 25 on your
> box?

I thought that this firewall rule would take care of things:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

But according to the manual, "ESTABLISHED meaning that the packet is
associated with a connection which has seen packets in both
directions", so I guess that wouldn't account for attempting to finish
a handshake from something delivering mail.  I've added the "--syn"
option to the TCP rules for catching outgoing X connections; that
should take care of things (I hope).

Thanks muchly for the advice.

-- 
Matthew Cline        | Suppose you were an idiot.  And suppose that
[EMAIL PROTECTED] | you were a member of Congress.  But I repeat
                     | myself.  -- Mark Twain
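The distinction drawn above, between a bare SYN that an iptables `--syn` rule matches and the SYN/ACK a mail server sends back to whoever connected to its port 25, as an added example that is not part of this thread: it parses constructed iptables LOG lines (the LOG target's `SPT=`/`DPT=` fields and bare flag tokens are assumed) and classifies each outbound packet to port 6000.

```python
import re

# Constructed iptables LOG lines (not from the thread). Field layout is the
# kernel LOG target's: key=value pairs plus bare TCP flag tokens.
SAMPLE_LOG = """\
kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=25 DPT=6000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1034 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=25 DPT=6000 WINDOW=5840 RES=0x00 ACK PSH URGP=0
"""

FLAG_TOKENS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Return (source port, destination port, set of TCP flags) for one LOG line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    flags = {tok for tok in line.split() if tok in FLAG_TOKENS}
    return int(fields["SPT"]), int(fields["DPT"]), flags


def matches_syn_option(flags):
    """'-p tcp --syn' matches only SYN set with ACK and RST clear."""
    return "SYN" in flags and not (flags & {"ACK", "RST"})


def classify(line):
    """Say whether an outbound packet really opens a connection."""
    spt, dpt, flags = parse_line(line)
    if matches_syn_option(flags):
        return "initiation"        # this host opened the connection
    if {"SYN", "ACK"} <= flags:
        return "handshake-reply"   # reply to a SYN an outside host sent to spt
    return "established-data"      # ESTABLISHED traffic, both directions seen


def triage(log):
    """Pair each line's source port with its classification."""
    return [(parse_line(l)[0], classify(l)) for l in log.splitlines() if l.strip()]


if __name__ == "__main__":
    for spt, verdict in triage(SAMPLE_LOG):
        print(f"SPT={spt:<5} -> {verdict}")
```

Only the second line (source port 1034, bare SYN) is a genuine outbound X connection attempt that a `--syn` rule on port 6000 would catch; the port-25 lines are the mail server answering an inbound connection.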
