On 04/17/2011 03:53 PM, JD wrote: > Well, it is a bit strange that Google would set up their servers > so that my machine tries to download latest messages by sending > it's request to pop.gmail.com (74.125.127.109) to port 995, > and receive reply from a different IP address. > How can I configure my firewall so that such replies are > not deemed as "not established"? I'm download my email too from pop.gmail.com via pop3s using fetchmail and in the past, the following showed in the logs: Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied: IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00 RST URGP=0 and the above packet always netfilter (iptables) classify it as a INVALID packet so you catch it with: -N inval-IN -A inval-IN -m tcp -p tcp --sport 995 -j DROP -A INPUT -m state --state INVALID -j inval-IN or test and simply do: -A INPUT -m state --state INVALID -j DROP I only know a little about tcpdump but according to "tcpdump -i eth0 -n port 995" the packet logged is the last one in the session: also in my limited testing today, the logged packet came from the same pop server machine not a third party one and because the packet is logged not matter you use thunderbird or I use fetcmail maybe is a (harmless) bug in google pop server Gabriel -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines