Steven W. Orr wrote:
I just recently started running dovecot. Now I'm seeing funny things
bouncing off my firewall. Here's an example.
Feb 13 10:20:16 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0
SRC=207.172.210.41 DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255
ID=0 DF PROTO=TCP SPT=113 DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 13 10:20:19 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0
SRC=207.172.210.41 DST=65.42.55.47 LEN=40 TOS=0x00 PREC=0x00 TTL=255
ID=0 DF PROTO=TCP SPT=113 DPT=60707 WINDOW=0 RES=0x00 ACK RST URGP=0
I am only using dovecot for my internal network. I do not allow access
to dovecot from the outside.
My firewall allows outgoing auth packets. i.e., packets with
destination ports set to 113(auth). Also, My firewall does not allow
incoming packets with destination ports of 113(auth)
It doesn't make any sense to me. I am the 207.172.210.41 and I seem to
be the src and the src port is 113 which makes no sense at all. How is
it possible for my server to be trying to connect to a remote machine
with src port 113?
Does this make sense?
Note that these are "TCP reset segments". From the "IN= OUT=eth0",
I believe that these are outgoing packets that are being blocked.
If your machine is sending TCP reset segments as output, it would
seem to indicate that input packets are being accepted by the
TCP layer for a connection that doesn't exist.
You believe that your input firewall should be blocking
TCP packets from 65.42.55.47 to port 113, but the output
firewall is logging reset packets. That would indicate
that the input firewall is not blocking these packets as
expected.
I would suggest that you investigate that contradiction.
