On 04/17/2011 03:53 PM, JD wrote:
Well, it is a bit strange that Google would set up their servers so that my machine tries to download latest messages by sending it's request to pop.gmail.com (74.125.127.109) to port 995, and receive reply from a different IP address. How can I configure my firewall so that such replies are not deemed as "not established"?
I download my email too from pop.gmail.com via pop3s using fetchmail and in the past, the following showed in the logs:
Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied: IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00 RST URGP=0
and netfilter (iptables) always classifies the above packet as an INVALID packet, so you catch it with:
-N inval-IN
-A inval-IN -m tcp -p tcp --sport 995 -j DROP
-A INPUT -m state --state INVALID -j inval-IN
or test and simply do:
-A INPUT -m state --state INVALID -j DROP
I only know a little about tcpdump but according to "tcpdump -i eth0 -n port 995" the packet logged is the last one in the session:
also in my limited testing today, the logged packet came from the same pop server machine, not a third-party one,
and because the packet is logged no matter whether you use Thunderbird or I use fetchmail, maybe it is a (harmless) bug in Google's pop server
Gabriel
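As an added illustration (not code from the thread or from either poster), here is a small Python triage script that parses netfilter LOG lines of the form shown above and separates the pattern Gabriel describes (a bare RST from the server's port 995 to a local ephemeral port, arriving after conntrack has already closed the session) from genuinely unsolicited inbound traffic, so a log review can tell which INVALID drops are noise before a rule like `--state INVALID -j DROP` hides them. The sample log lines are constructed, the `parse_netfilter_line`, `classify` and `triage` names are mine, and the list of service ports and the 32768 ephemeral-port threshold are assumptions.

```python
import re

# Constructed sample lines modelled on the netfilter LOG format in the thread.
# Line 1 is the late RST from pop.gmail.com; line 2 is an inbound SYN to sshd.
SAMPLE_LOG = """\
Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied: IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00 RST URGP=0
Apr 17 16:20:01 localhost kernel: [534443.112233] INPUT packets denied: IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# TCP flag tokens the LOG target prints as bare words (no key=value form).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Assumed: ports of TLS services this host connects *to* as a client.
CLIENT_SERVICE_PORTS = {995, 993, 465, 443}
# Assumed: Linux default ephemeral range starts at 32768.
EPHEMERAL_START = 32768


def parse_netfilter_line(line):
    """Parse one netfilter LOG line into a dict of KEY=value fields.

    Returns None if the line is not a kernel LOG-target line. Bare TCP flag
    words (RST, SYN, ...) are collected into the 'flags' set.
    """
    m = re.search(r"kernel: \[\s*([\d.]+)\] (.*?): (.*)$", line)
    if not m:
        return None
    rec = {"uptime": float(m.group(1)), "prefix": m.group(2), "flags": set()}
    for tok in m.group(3).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val          # empty values (OUT=, MAC=) are kept as ""
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Triage a dropped inbound TCP packet record.

    'late-rst-from-server': a bare RST from a service port we talk to as a
        client, aimed at a local ephemeral port. Conntrack has already torn
        down the session, so the packet is INVALID; harmless to drop silently.
    'unsolicited-syn': a new inbound connection attempt to a local port.
    'other': anything else (worth a closer look before silencing).
    """
    if rec is None or rec.get("PROTO") != "TCP":
        return "other"
    sport, dport, flags = int(rec["SPT"]), int(rec["DPT"]), rec["flags"]
    if flags == {"RST"} and sport in CLIENT_SERVICE_PORTS and dport >= EPHEMERAL_START:
        return "late-rst-from-server"
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"
    return "other"


def triage(log_text):
    """Return [(source IP, verdict), ...] for every parseable line in log_text."""
    records = (parse_netfilter_line(l) for l in log_text.splitlines())
    return [(r["SRC"], classify(r)) for r in records if r is not None]


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG):
        print(f"{src:16} {verdict}")
```

Run it against a copy of `/var/log/kern.log` (or the output of `journalctl -k`) instead of `SAMPLE_LOG` to see how much of the INVALID noise is this trailing RST; if it is all of it, the silent `-j DROP` Gabriel suggests loses nothing, whereas a steady stream of `unsolicited-syn` verdicts is something you still want logged.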