Firewall logs

Matts on 2002-06-12T09:33:36

Does anyone else get things like this in their linux firewall logs:

Jun 11 23:19:06 gShield (default drop)  TCP mc8-m8.law13.hotmail.com:25 -> 54544(54544)
Jun 11 23:59:27 gShield (default drop)  TCP mpsb-nat30.plala.or.jp:25 -> 54606(54606)


Looks like when I send email, the SMTP server is somehow trying to connect back to me on the same port I'm connecting out on (the high port).

I haven't been able to find out anything about this on Google.


Dumb Firewall

krellis on 2002-06-12T16:57:02

That's generally caused by a dumb firewall. Those logs don't show what TCP flags are set, but I'd bet they're not SYN (unless they're SYN+ACK, that is). I've seen this before in e-mails from users saying our DNS servers are attacking them, when it's really just the response packets to DNS requests they're sending out. This could be the same kind of thing - your firewall isn't keeping track of your TCP sessions properly, so it doesn't realize these packets are part of a session you're starting intentionally. Of course, it must realize it at some point, or the sessions wouldn't work, so I could be way off.

Re:Dumb Firewall

Matts on 2002-06-12T18:11:38

I'm using gShield with most of the default settings, though I have tweaked it a bit.

Someone on IRC said it was a timing-out connection trying to hold the connection open to me, when I'd already dropped the connection... Here's an actual full log entry in case it helps anyone:
Jun 12 19:10:10 ted kernel: gShield (default drop) IN=eth0 OUT=
MAC=00:00:c0:92:ac:f9:00:20:6f:07:b5:6d:08:00 SRC=64.157.4.88
DST=217.158.50.178 LEN=53 TOS=0x00 PREC=0x00 TTL=51 ID=3178 DF
PROTO=TCP SPT=25 DPT=60271 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0

Re:Dumb Firewall

krellis on 2002-06-12T19:49:54

Based on the ACK PSH FIN flags on that, I'm guessing that's the final packet of an SMTP transaction. I'm not familiar with gShield at all, and I'm no expert (though I've done plenty of TCP stream/firewall debugging of my own), but that's my diagnosis :)
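Added example, not code from anyone in this thread: a small parser for the netfilter-style line Matts pasted, applying krellis's reasoning to sort dropped packets into "late reply to a session we opened" (server port to our ephemeral port, ACK set, no bare SYN) versus a genuinely unsolicited inbound SYN. The second sample line and the 1024 ephemeral-port boundary are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed samples: the thread's log entry joined onto one line, plus a
# made-up unsolicited SYN to a low port for contrast (192.0.2.10 is a
# documentation address, not a real host).
SAMPLE_LOGS = [
    "Jun 12 19:10:10 ted kernel: gShield (default drop) IN=eth0 OUT= "
    "MAC=00:00:c0:92:ac:f9:00:20:6f:07:b5:6d:08:00 SRC=64.157.4.88 "
    "DST=217.158.50.178 LEN=53 TOS=0x00 PREC=0x00 TTL=51 ID=3178 DF "
    "PROTO=TCP SPT=25 DPT=60271 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0",
    "Jun 12 19:12:00 ted kernel: gShield (default drop) IN=eth0 OUT= "
    "MAC=00:00:c0:92:ac:f9:00:20:6f:07:b5:6d:08:00 SRC=192.0.2.10 "
    "DST=217.158.50.178 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2 DF "
    "PROTO=TCP SPT=3421 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_MIN = 1024  # assumption: client-side ports are >= 1024


@dataclass
class DroppedPacket:
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int
    flags: frozenset


def parse_netfilter_line(line: str) -> DroppedPacket:
    """Pull KEY=VALUE fields and the bare TCP flag tokens out of a netfilter log line."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    tokens = set(line.split())  # flags like ACK/PSH/FIN appear as bare words
    return DroppedPacket(
        src=fields["SRC"], dst=fields["DST"], proto=fields.get("PROTO", ""),
        spt=int(fields["SPT"]), dpt=int(fields["DPT"]),
        flags=frozenset(tokens & TCP_FLAGS),
    )


def classify(pkt: DroppedPacket) -> str:
    """Separate a stray tail segment of our own session from a new inbound connection."""
    if pkt.proto != "TCP":
        return "non-tcp"
    if "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "unsolicited-syn"  # a remote host is trying to open a connection to us
    if pkt.spt < EPHEMERAL_MIN and pkt.dpt >= EPHEMERAL_MIN and "ACK" in pkt.flags:
        return "late-reply"  # server port -> our ephemeral port: part of a session we started
    return "other"
```

Lines classified as "late-reply" are the ones worth ignoring or suppressing in the log; only "unsolicited-syn" entries say anything about inbound scanning.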