On Tue, 11 Sep 2007 09:52:12 -0700 David Brodbeck <[EMAIL PROTECTED]> wrote:
> 
> On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
> 
> > As long as I have used iptables I have not been able to use policies of
> > REJECT. I even remember the target 'REJECT' being a selectable kernel
> > option. Reject requires some ICMP action whereas DROP doesn't.
> 
> But be aware that DROP can cause unexpected side-effects in some
> cases, because it's not what remote hosts expect.
> 
> I recall one instance where a mail server I'd configured couldn't
> send mail to one particular system. Both systems could freely
> exchange mail with other places.
> 
> The problem turned out to be that I was dropping packets sent to the
> ident port. When my system tried to initiate an SMTP exchange, the
> other system would try to do an ident callback against it. Since I
> was dropping packets instead of rejecting them, the whole transaction
> would come to a halt while the other system waited for the ident
> connection to time out. By the time that happened, the SMTP daemon
> on the other system had timed out, as well, so no mail ever got
> delivered.
> 
> Once I started rejecting packets to ident instead, things worked,
> since the ident callback would fail immediately. (Actually, since I
> didn't have the REJECT target, I just opened the ident port and then
> made sure identd wasn't running.)

This is indeed a notorious issue. From the Shorewall FAQ:

> (FAQ 4) I just used an online port scanner to check my firewall and it shows
> some ports as “closed” rather than “blocked”. Why?
> 
> Answer: The default Shorewall setup invokes the Drop action prior to
> enforcing a DROP policy, and the default policy to all zones from the internet
> is DROP. The Drop action is defined in /usr/share/shorewall/action.Drop, which
> in turn invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth)
> specifying the REJECT action (i.e., Auth/REJECT). This is necessary to
> prevent outgoing connection problems to services that use the “Auth”
> mechanism for identifying requesting users. That is the only service which
> the default setup rejects.

Celejar
-- 
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
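The two setups discussed in this thread, written out as iptables rules. This is an added example, not code from the original mails and not Shorewall's own action.Drop or macro.Auth; it generates an iptables-restore ruleset in two variants: "drop" is the situation David describes (unsolicited traffic, ident included, falls to the DROP policy), and "reject" keeps DROP as the policy but answers ident/auth (113/tcp) with a TCP RST, which is the effect of Shorewall's Auth/REJECT rule. The WAN interface name and the assumption that the host runs an MTA on 25/tcp are illustrative.

```shell
#!/bin/sh
# Added example (not from the original mail, not Shorewall's code).
# Assumptions: WAN interface name, and that this host offers SMTP.
WAN="${WAN:-eth0}"

# Print an iptables-restore ruleset for the given variant ("drop" or
# "reject"). Nothing is loaded until the output is piped to iptables-restore.
gen_rules() {
    variant="${1:-reject}"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections this host initiated.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The service this host actually offers (assumed: an MTA on 25/tcp).
    echo "-A INPUT -i $WAN -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$variant" = reject ]; then
        # A remote MTA's ident callback gets a RST and fails at once, so its
        # SMTP session with us proceeds. Under the plain DROP policy the peer
        # waits for its ident timeout, which can outlast its SMTP timeout.
        echo "-A INPUT -i $WAN -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    fi
    # Everything else hits the DROP policy: scanners report "blocked", not "closed".
    echo 'COMMIT'
}

# Pre-load sanity check: succeed only if the ruleset on stdin rejects
# ident explicitly instead of letting it fall through to the DROP policy.
check_ident_rejected() {
    grep -q -- '--dport 113 -j REJECT'
}

# Usage, after reviewing the output:  gen_rules reject | iptables-restore
```

`--reject-with tcp-reset` is what a closed port would send anyway, so an ident client sees an ordinary "connection refused" and gives up immediately; this is also why David's workaround (open the port, run no identd) had the same effect. The default REJECT reply, icmp-port-unreachable, is also handled promptly by most ident clients, but a RST is the closer match to "no service here" for TCP.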