‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On August 1, 2018 11:35 AM, daniel_1983--- via Shorewall-users 
<shorewall-users@lists.sourceforge.net> wrote:

> shorewall dump after doing a shorewall reset then trying to send mail to host 
> 192.162.70.68: https://clbin.com/yO9h3. You can see that the connection isn't 
> even listed.
[...]
> When I do a tcpdump while sending the mail, I can see that my firewall can't 
> seem to establish a TCP connection. It keeps sending the same TCP sequence 
> number, which the peer acks, but my server doesn't ack back; see a tcpdump 
> session here b/w my mail server and yahoo mail: 
> https://gist.githubusercontent.com/ychaouche/4d25e7bccaad51ee81fa16dd026d059d/raw/e77de674057c743dcbe79b0c8137031871846dec/gistfile1.txt


Looking at the old paste, I would like to highlight this small excerpt from the 
shorewall dump:


     1  Chain reject (179 references)
     2   pkts bytes target     prot opt in     out     source               destination
     3      0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
     4      0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
     5      0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
     6      3   152 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
     7      0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
     8      0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
     9      0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited


Could it be line 6 that is responsible for not letting my mail server TCP SYNC 
with yahoo mail, as shown in the tcpdump posted above? Excerpt below:

root@messagerie[10.10.10.19] ~ # tcpdump host 188.125.73.87
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:35:22.311782 IP messagerie.algerian-radio.dz.43780 > mta-v41.mail.vip.ir2.yahoo.com.smtp: Flags [S], seq 3621672446, win 29200, options [mss 1460,sackOK,TS val 125459125 ecr 0,nop,wscale 7], length 0
10:35:22.405985 IP mta-v41.mail.vip.ir2.yahoo.com.smtp > messagerie.algerian-radio.dz.43780: Flags [S.], seq 4086009453, ack 3621672447, win 14480, options [mss 1380,sackOK,TS val 110157958 ecr 125459125,nop,wscale 7], length 0
10:35:23.311089 IP messagerie.algerian-radio.dz.43780 > mta-v41.mail.vip.ir2.yahoo.com.smtp: Flags [S], seq 3621672446, win 29200, options [mss 1460,sackOK,TS val 125459375 ecr 0,nop,wscale 7], length 0
10:35:23.405263 IP mta-v41.mail.vip.ir2.yahoo.com.smtp > messagerie.algerian-radio.dz.43780: Flags [S.], seq 4086009453, ack 3621672447, win 14480, options [mss 1380,sackOK,TS val 110158958 ecr 125459125,nop,wscale 7], length 0
10:35:23.469049 IP mta-v41.mail.vip.ir2.yahoo.com.smtp > messagerie.algerian-radio.dz.43780: Flags [S.], seq 4086009453, ack 3621672447, win 14480, options [mss 1380,sackOK,TS val 110159022 ecr 125459125,nop,wscale 7], length 0
10:35:25.315065 IP messagerie.algerian-radio.dz.43780 > mta-v41.mail.vip.ir2.yahoo.com.smtp: Flags [S], seq 3621672446, win 29200, options [mss 1460,sackOK,TS val 125459876 ecr 0,nop,wscale 7], length 0
10:35:25.409503 IP mta-v41.mail.vip.ir2.yahoo.com.smtp > messagerie.algerian-radio.dz.43780: Flags [S.], seq 4086009453, ack 3621672447, win 14480, options [mss 1380,sackOK,TS val 110160962 ecr 125459125,nop,wscale 7], length 0



The seq number is always the same on my side, and I never ACK my peer's seq number.
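One way to check a capture for this pattern mechanically, as an added example that is not part of the original thread or of Shorewall: a small Python parser for tcpdump's default TCP output that tracks each flow's three-way handshake and flags flows where SYN-ACKs arrive but the client keeps resending the same SYN and never ACKs. The sample lines and hostnames are constructed in tcpdump's format (options trimmed), not taken from a real host.

```python
import re
from collections import defaultdict

# Matches the start of a tcpdump TCP line: time, src > dst, flags, optional seq.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
                     r"(?:, seq (?P<seq>\d+))?")

# Constructed sample in tcpdump's format (options trimmed, placeholder hostnames):
# the stalled SMTP handshake pattern from the thread, plus one flow that completes.
SAMPLE = """\
10:35:22.311782 IP mail.local.43780 > mta.remote.smtp: Flags [S], seq 3621672446, win 29200, length 0
10:35:22.405985 IP mta.remote.smtp > mail.local.43780: Flags [S.], seq 4086009453, ack 3621672447, win 14480, length 0
10:35:23.311089 IP mail.local.43780 > mta.remote.smtp: Flags [S], seq 3621672446, win 29200, length 0
10:35:23.405263 IP mta.remote.smtp > mail.local.43780: Flags [S.], seq 4086009453, ack 3621672447, win 14480, length 0
10:36:01.100000 IP mail.local.43790 > other.remote.smtp: Flags [S], seq 1111, win 29200, length 0
10:36:01.150000 IP other.remote.smtp > mail.local.43790: Flags [S.], seq 2222, ack 1112, win 14480, length 0
10:36:01.150500 IP mail.local.43790 > other.remote.smtp: Flags [.], ack 1, win 229, length 0
"""

def diagnose_handshakes(capture):
    """Group packets per (client, server) flow and report how far each handshake got."""
    flows = defaultdict(lambda: {"syn": 0, "syn_seqs": set(), "synack": 0, "ack": 0, "rst": 0})
    for m in filter(None, map(LINE_RE.match, capture.splitlines())):  # skips non-TCP lines
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if flags == "S":                                # client SYN (retransmits reuse seq)
            flows[(src, dst)]["syn"] += 1
            flows[(src, dst)]["syn_seqs"].add(m["seq"])
        elif flags == "S." and (dst, src) in flows:     # server SYN-ACK
            flows[(dst, src)]["synack"] += 1
        elif "R" in flags:                              # RST from either side
            flows[(src, dst) if (src, dst) in flows else (dst, src)]["rst"] += 1
        elif flags == "." and (src, dst) in flows:      # client's third-step ACK
            flows[(src, dst)]["ack"] += 1
    verdicts = {}
    for key, f in flows.items():
        if f["rst"]:
            verdicts[key] = "reset"
        elif f["ack"]:
            verdicts[key] = "established"
        elif f["synack"] and f["syn"] > 1 and len(f["syn_seqs"]) == 1:
            # SYN-ACKs reach the wire but the local stack resends the same SYN and never
            # ACKs: the SYN-ACK is discarded before TCP sees it (a host-firewall DROP/REJECT
            # fits; REJECT with tcp-reset would also emit RSTs, classified here as "reset").
            verdicts[key] = "stalled-after-synack"
        else:
            verdicts[key] = "incomplete"
    return verdicts

print(diagnose_handshakes(SAMPLE))
```

Feed it the raw output of `tcpdump host <peer>` (no `-n` needed, names are matched as printed) to compare stalled and completed flows side by side.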



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
