Message 104820 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	toelke
Recipients	giampaolo.rodola, pitrou, toelke
Date	2010-05-03.07:28:40
SpamBayes Score	8.50254e-06
Marked as misclassified	No
Message-id	<1272871724.24.0.987133704432.issue5565@psf.upfronthosting.co.za>
In-reply-to

Content
The TCP-issues from my post are all resolved. I now know how TCP works; the behaviour of python seems to be correct. About the imap-behaviour: me@harga ~$ python Python 2.5.5 (r255:77872, Apr 21 2010, 08:40:04) [GCC 4.4.3] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import imaplib >>> c = imaplib.IMAP4_SSL("post.in.tum.de") >>> c.login("toelke", "XXX") ('OK', ['LOGIN Ok.']) >>> c.logout() ('BYE', ['Courier-IMAP server shutting down']) >>> <C-d> me@harga ~$ At the time of the logout() the server closes his connection and sends a FIN-packet. If python is closed, it sends not a FIN-Packet but a RST-paket. The "problem" I have with this is, that the Linux-Packetfilter-Firewall does not expect this RST-Packet either and in out configuration logs this as a connection in the wrong state which is generally a security-problem. Our workaround for the last year has been iptables -A OUTPUT -p tcp --tcp-flags ACK,RST ACK,RST -d 131.159.22.43 -j DROP Thanks for the help!

The TCP-issues from my post are all resolved. I now know how TCP works; the behaviour of python seems to be correct.

About the imap-behaviour:
me@harga ~$ python
Python 2.5.5 (r255:77872, Apr 21 2010, 08:40:04) 
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import imaplib
>>> c = imaplib.IMAP4_SSL("post.in.tum.de")
>>> c.login("toelke", "XXX")
('OK', ['LOGIN Ok.'])
>>> c.logout()
('BYE', ['Courier-IMAP server shutting down'])
>>> <C-d>
me@harga ~$

At the time of the logout() the server closes his connection and sends a FIN-packet. If python is closed, it sends not a FIN-Packet but a RST-paket.

The "problem" I have with this is, that the Linux-Packetfilter-Firewall does not expect this RST-Packet either and in out configuration logs this as a connection in the wrong state which is generally a security-problem.

Our workaround for the last year has been

iptables -A OUTPUT  -p tcp --tcp-flags ACK,RST ACK,RST -d 131.159.22.43 -j DROP

Thanks for the help!

History
Date	User	Action	Args
2010-05-03 07:28:44	toelke	set	recipients: + toelke, pitrou, giampaolo.rodola
2010-05-03 07:28:44	toelke	set	messageid: <1272871724.24.0.987133704432.issue5565@psf.upfronthosting.co.za>
2010-05-03 07:28:42	toelke	link	issue5565 messages
2010-05-03 07:28:40	toelke	create