Re: [exim] IPTables Whitelisting

Author: Peter Bowyer
Date:  
To: exim users
Subject: Re: [exim] IPTables Whitelisting
On 01/05/07, Mike Cardwell <exim-users@???> wrote:
> * on the Tue, May 01, 2007 at 05:53:45AM +0100, Peter Bowyer wrote:
>
> >> "man iptables" and look for QUEUE. Then go to cpan.org and look at
> >> IPTables::IPv4::IPQueue. This will allow you to knock up a user space
> >> perl script to decide what to do with packets by talking to your db in
> >> real time.
> > Ah, now I looked into this a while back when Marc first talked about
> > this technique. I investigated this method of controlling IPTables and
> > came to the conclusion that it wouldn't do the job - once a packet has
> > arrived in the userspace queue it's already been accepted - all you
> > can do with it is drop it or carry on processing it, you can't reject
> > it. You can't simulate 'nothing listening on this port'. So it's not
> > suitable for the application Marc wants it for.
> >
> > At least, that's how I read the documentation. I have been known to be
> > wrong (yes, really...).
>
> You look to be correct. But, while dropping the packet isn't ideal, the
> overall outcome of doing that in this case is still the same as doing a
> reject surely?
It would create a different error condition for the SMTP client the
other end - probably a 'connection timed out' rather than a
'connection refused'. This will certainly slow things down, and might
trigger different retry logic depending on the vagaries of the
implementation.

Peter

--
Peter Bowyer
Email: peter@???
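The difference Peter describes, as an added example that is not part of the original thread: a small Python client-side probe that classifies a failed connect as 'refused' (an RST came back, as a REJECT rule or a port with nothing listening produces) versus 'timed_out' (no reply at all, as a DROP rule produces). The timeout value is an assumption, and the closed loopback port is a constructed test target chosen so the example runs offline.

```python
import errno
import socket
import time


def classify_connect_failure(exc):
    """Map the exception from a failed TCP connect() to what an SMTP client
    would report: 'refused' (an RST arrived, as from REJECT or an unused
    port) or 'timed_out' (nothing arrived, as from DROP)."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timed_out"
    if isinstance(exc, ConnectionRefusedError) or \
            getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "refused"
    return "other"


def try_connect(host, port, timeout=2.0):
    """Attempt one TCP connection; return (outcome, seconds_elapsed).
    A refused connection returns almost immediately; a dropped one only
    after the whole timeout has expired."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            outcome = "connected"
    except OSError as exc:
        outcome = classify_connect_failure(exc)
    return outcome, time.monotonic() - start


def closed_local_port():
    """Reserve and release a loopback port so nothing listens on it
    (constructed test target: connecting to it yields an immediate RST)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = closed_local_port()
    outcome, elapsed = try_connect("127.0.0.1", port, timeout=2.0)
    print(f"closed port {port}: {outcome} after {elapsed:.3f}s")
    # The same call against a port behind a DROP rule would instead report
    # 'timed_out', and only once the full 2.0s timeout had run out.
```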