iptables questions

JD jd1008 at gmail.com
Sun Apr 17 20:53:43 UTC 2011


On 04/17/2011 01:25 PM, James McKenzie wrote:
> On 4/17/11 1:10 PM, JD wrote:
>> On 04/17/2011 12:34 PM, James McKenzie wrote:
>>> On 4/17/11 12:02 PM, JD wrote:
>>>> I have instrumented my iptables to log all DROP'ed packets.
>>>> I have a huge plethora of packets dropped from these
>>>> 3 IP addresses:
>>>> 74.125.127.109
>>>> 72.14.213.109
>>>> 74.125.53.109
>>> Google Mail on the Secure IMAP port?  Interesting.  Maybe they are
>>> misrouted packets or do you use Google Mail (gmail)?
>>>
>>> James McKenzie
>>>
>> My Thunderbird is configured to connect with pop.gmail.com
>> to retrieve my email.
>>
>> The Registrant of the primary domain is google,
>> and the Registrar is MarkMonitor.Com.
> [Whois and marketing stuff removed]
>
> Thus your system is NOT being hacked as stated by others.  If you are
> using Thunderbird, you had to configure it to connect on port 995, which
> I will correct, is the secure POP port.  Nothing is amiss here, just is
> that you sent your request to server 'A' in the farm and got a reply
> from server 'B' or server 'C' or server 'D'....  The first available
> will be replying.  You could 'sniff' the traffic, but since it is
> SSL/TLS encrypted, you would not be able to read anything (or let me
> restate this, should not be able to.)
>
> At this point, given all that has been given, you are at a ZERO percent
> hazard.  If you were receiving replies from a different set of addresses
> and these were not gmail's then I would have raised an eyebrow because
> that is an attack signature.
>
> James McKenzie
>
Well, it is a bit strange that Google would set up their servers
so that my machine tries to download latest messages by sending
its request to pop.gmail.com (74.125.127.109) to port 995,
and receive a reply from a different IP address.
How can I configure my firewall so that such replies are
not deemed as "not established"?
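An added diagnostic, not from this thread, that parses constructed iptables LOG lines of the kind described above and separates late packets of POP3S sessions the client itself opened (source port 995 with RST or FIN set, which conntrack no longer has state for) from unsolicited inbound connection attempts; it assumes the default netfilter LOG field format and the usual ordering of an ESTABLISHED,RELATED accept rule ahead of the LOG/DROP rule.

```python
import re
from collections import Counter

# Constructed sample lines in the default netfilter LOG format (not from the thread).
TEMPLATE = ("Apr 17 12:01:{sec:02d} host kernel: IPT-DROP: IN=eth0 OUT= "
            "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.168.1.10 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} "
            "WINDOW=0 RES=0x00 {flags} URGP=0")
SAMPLE_LOG = "\n".join(
    TEMPLATE.format(sec=s, src=src, spt=spt, dpt=dpt, flags=f)
    for s, src, spt, dpt, f in [
        (3, "74.125.127.109", 995, 41522, "ACK RST"),   # server tearing down a closed session
        (5, "72.14.213.109", 995, 41530, "ACK FIN"),    # same, different farm member
        (9, "203.0.113.7", 44123, 22, "SYN"),           # nobody asked for this one
        (12, "74.125.53.109", 995, 41522, "ACK RST"),
    ])

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus the bare TCP flag words."""
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = {word for word in line.split() if word in TCP_FLAGS}
    return rec

def classify(rec):
    """Classify one dropped packet the way a stateful firewall sees it."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connect-attempt"      # a new connection we never initiated
    if rec.get("SPT") == "995" and flags & {"RST", "FIN"}:
        # Server side of a POP3S session this host opened; the conntrack entry
        # is already gone, so the packet is not ESTABLISHED and gets logged.
        return "late-pop3s-teardown"
    return "other-stateless"

def summarize(log_text):
    """Count dropped packets per (source address, classification)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "SRC=" not in line:
            continue
        rec = parse_log_line(line)
        counts[(rec["SRC"], classify(rec))] += 1
    return counts
```

Only the SYN-bearing entries deserve attention; the teardown packets cannot be made "established" by any rule, because the session they belong to is already closed on both ends.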

