[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    IPFilter weirdness
From:       "David F. Newman" <dnewman () cmgi ! com>
Date:       2002-10-28 22:13:01
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello,
I have been seeing these entries in my IPFilter log on my SMTP relay.

28/10/2002 00:04:02.003897 hme0 @0:17 b 12.9.224.52,25 -> 63.208.138.168,32898 
PR tcp len 20 48 -A IN

So what is happening here is that my SMTP relay, 63.208.138.168, is
opening a connection to 12.9.224.52 on port 25 and the response
is being blocked.  I get about 3000 of these a day and they are only
from 1 or 2 hosts which leads me to believe that it isn't the state
table filling up.

I do have this rule for allowing outbound connections.

pass out quick on hme0 proto tcp from 63.208.138.168/32 to any keep state

The weird part is if I flush the filter rules and reload them connecting
to this host still fails but if I flush the rules, telnet to this host on port
25, and then reload the filter rules it seems to fix it and I can continue
to connect to this host.

There are only about 300-350 entries in the state table and the server 
runs Solaris 8 sparc.  Any thoughts?

- -Dave

 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iD8DBQE9vbZxu3B/p4jCw/IRAkjGAJ9f+dzqwl/Ab4DnY4YdDPC+2oxaLQCgiEXV
oLEMZzoYO+vSBtx64jfndZI=
=3wAJ
-----END PGP SIGNATURE-----

[prev in list] [next in list] [prev in thread] [next in thread]