iptables questions

JD jd1008 at gmail.com
Tue Apr 19 00:13:51 UTC 2011


On 04/18/2011 05:05 PM, Gabriel Ramirez wrote:
> On 04/17/2011 03:53 PM, JD wrote:
>
>> Well, it is a bit strange that Google would set up their servers
>> so that my machine tries to download latest messages by sending
>> its request to pop.gmail.com (74.125.127.109) to port 995,
>> and receive reply from a different IP address.
>> How can I configure my firewall so that such replies are
>> not deemed as "not established"?
>
> I download my email too from pop.gmail.com via pop3s using fetchmail
> and in the past, the following showed in the logs:
>
> Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied:
> IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00
> PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00
> RST URGP=0
>
> and netfilter (iptables) always classifies the above packet as an
> INVALID packet, so you catch it with:
>
> -N inval-IN
> -A inval-IN -m tcp -p tcp --sport 995 -j DROP
> -A INPUT -m state --state INVALID -j inval-IN
>
> or test and simply do:
>
> -A INPUT -m state --state INVALID -j DROP
>
> I only know a little about tcpdump but according to "tcpdump -i eth0 -n
> port 995" the packet logged is the last one in the session:
>
> also in my limited testing today, the logged packet came from the same
> pop server machine not a third party one
>
> and because the packet is logged no matter whether you use Thunderbird or I use
> fetchmail, maybe it is a (harmless) bug in Google's POP server
>
> Gabriel
Could very well be a harmless bug.
I was also wondering if the bug is caused by the client request
being broadcast to all 3 gmail servers, and one of them quickly
responds, and one or both of the other 2, which are apparently
not notified that the response has been sent, will send their
reply to a session which has already closed.
Any google mail admins on this list?? :)
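The log line Gabriel quoted is a bare RST from pop.gmail.com:995 to a client port whose connection conntrack has already forgotten, which is exactly what `-m state --state INVALID` matches. The following is an added example, not code from either poster: a small parser for netfilter `LOG` lines of that shape and a classifier that separates these late resets from packets a defender would actually want to look at (a fresh SYN, or non-TCP traffic). The three log lines are constructed; the first mirrors the one in the thread, the other two are invented for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines. The first is modelled on the line quoted in
# the thread (a bare RST from pop.gmail.com:995 to a closed client port); the
# other two are invented to show that the classifier tells the cases apart.
SAMPLE_LOG = """\
Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied: IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00 RST URGP=0
Apr 17 16:20:01 localhost kernel: [534443.112233] INPUT packets denied: IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 17 16:21:09 localhost kernel: [534511.000000] INPUT packets denied: IN=eth0 OUT= MAC= SRC=192.0.2.9 DST=192.168.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=53 DPT=40011 LEN=56
"""

# Bare tokens the LOG target emits for TCP flags (other bare tokens, e.g. DF, are IP-level).
TCP_FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "CWR", "ECE"}

# syslog timestamp, host, "kernel: [uptime]", the --log-prefix text, then the key=value body
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"\[\s*[\d.]+\] (?P<prefix>.*?): (?P<body>IN=.*)$"
)


@dataclass
class NetfilterEvent:
    timestamp: str
    prefix: str                                   # e.g. "INPUT packets denied"
    fields: dict = field(default_factory=dict)    # key=value tokens (SRC, DPT, ...)
    flags: set = field(default_factory=set)       # bare tokens such as RST, SYN, DF


def parse_line(line):
    """Parse one netfilter LOG line; return None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = NetfilterEvent(m.group("ts"), m.group("prefix"))
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            ev.fields.setdefault(key, value)  # keep the IP-level LEN, not the UDP one
        else:
            ev.flags.add(tok)
    return ev


def classify(ev):
    """Label why a stateful firewall dropped this packet."""
    if ev.fields.get("PROTO") != "TCP":
        return "non-tcp"
    tcp_flags = ev.flags & TCP_FLAG_TOKENS
    if "RST" in tcp_flags:
        # A reset for a connection conntrack no longer tracks is what
        # "-m state --state INVALID" matches; dropping it silently is safe.
        return "late-rst"
    if tcp_flags == {"SYN"}:
        return "new-syn"  # an unsolicited connection attempt, worth keeping in the logs
    return "other"


def is_pop3s_late_rst(ev):
    """True for the specific case in the thread: a late RST from a POP3S server port."""
    return classify(ev) == "late-rst" and ev.fields.get("SPT") == "995"


def summarize(log_text):
    """Count dropped packets per label over a block of log text."""
    counts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            label = classify(ev)
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_line(line)
        tag = "pop3s-late-rst" if is_pop3s_late_rst(ev) else ""
        print(classify(ev), ev.fields.get("SRC"), ev.fields.get("SPT"), tag)
    print(summarize(SAMPLE_LOG))
```

Run it against a block of `/var/log/messages` text instead of `SAMPLE_LOG` to see how much of the "packets denied" noise is these harmless late resets versus new SYNs; if the first dominates, Gabriel's `-A INPUT -m state --state INVALID -j DROP` placed before the logging rule quiets the log without hiding anything a reply would ever have been needed for.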