[lug] Weird mail/firewall problem

Kevin Fenzi kevin at scrye.com
Tue Feb 12 20:08:52 MST 2002

Chip> In my messages file I'm seeing entries like this:

Chip> Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0
Chip> PROTO=6 L=492 S=0x00
Chip> I=7422 F=0x2042 T=245 (#12)

Chip> Huh?  It seems that the email timeouts are related to these
Chip> denied packets.  The weird thing is that the port is 65535, not
Chip> 25.

Chip> I see these denial messages scrolling by almost as fast as the
Chip> messages in the maillog.

Chip> I'm a bit puzzled and don't want to open up myself
Chip> unnecessarily, but it almost seems that I'm blocking mail
Chip> throughput.

The trick here is that port 65535 doesn't exist... it's just ipchains'
way of telling you that it denied a Fragmented packet... 

I seem to remember ipchains having some problems with fragmented
packets from some places. Don't recall why... 

You can "fix" it with: 

echo 1 > /proc/sys/net/ipv4/ip_always_defrag 

which will make it always defrag the packets and should make it work. 
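As an added illustration of what Kevin describes (this is not code from the thread or from ipchains): a small parser for ipchains "Packet log" lines that decodes the F= field (IP flags plus fragment offset) and separates denied non-first fragments, which ipchains logs with port 65535 on both ends because no TCP header is present in them, from ordinary port denies. The sample lines are constructed: the addresses are documentation placeholders, and the "src:sport dst:dport" layout is assumed from the ipchains log format since the line quoted in the post omits those fields.

```python
import re
# Constructed sample ipchains "Packet log" lines. Only L/S/I/F/T of the first
# line come from the post; addresses are documentation placeholders and the
# "src:sport dst:dport" layout is assumed from the ipchains log format.
SAMPLE_LOG = """\
Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=492 S=0x00 I=7422 F=0x2042 T=245 (#12)
Feb 12 19:05:29 poodle kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:4321 198.51.100.5:25 L=1500 S=0x00 I=7422 F=0x2000 T=245 (#12)
Feb 12 19:05:30 poodle kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3456 198.51.100.5:23 L=60 S=0x00 I=9 F=0x4000 T=50 (#12)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+)"
)
IP_DF, IP_MF, IP_OFFMASK = 0x4000, 0x2000, 0x1FFF  # IP flags and 13-bit offset

def parse_line(line):
    """Decode one ipchains log line, or return None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)
    rec = {k: d[k] for k in ("chain", "action", "iface", "src", "dst")}
    rec.update(proto=int(d["proto"]), sport=int(d["sport"]), dport=int(d["dport"]),
               ip_id=int(d["id"]), df=bool(frag & IP_DF), mf=bool(frag & IP_MF),
               frag_offset=(frag & IP_OFFMASK) * 8)  # offset is in 8-byte units
    # A non-first fragment carries no TCP/UDP header, so ipchains cannot see
    # the real ports and logs 65535 on both ends: that is the "port 65535"
    # in the post, not traffic to port 65535.
    rec["nonfirst_fragment"] = rec["frag_offset"] > 0
    rec["ports_unknown"] = rec["sport"] == rec["dport"] == 65535
    return rec

def summarize(log_text):
    """Split DENY entries into non-first fragments and ordinary port denies."""
    frags, others, ids = 0, 0, set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        if rec["nonfirst_fragment"]:
            frags += 1
            ids.add(rec["ip_id"])
        else:
            others += 1
    return {"fragment_denies": frags, "other_denies": others,
            "fragmented_ip_ids": sorted(ids)}
```

For the F=0x2042 value from the post, the "more fragments" bit is set and the offset is 66 units of 8 bytes (528 bytes), i.e. a middle fragment of a larger datagram, which is exactly the case that ip_always_defrag makes the kernel reassemble before the chains see it.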

