[lug] Weird mail/firewall problem
chip at rmpg.org
Tue Feb 12 20:18:46 MST 2002
Interesting. Very interesting indeed. I did have the value of
ip_always_defrag set to 0. Why does it have that value I wonder?
Wouldn't you always want your packets to be defragmented?
I suspect that the only reason that you would want to not defragment would
be if every machine was on a lan and the packet size was the same between
Any thoughts on that?
BTW, it looks like your suggestion worked perfectly. I don't see the
denial messages any more.
On Tue, 12 Feb 2002, Kevin Fenzi wrote:
> >>>>> "Chip" == Chip Atkinson <chip at rmpg.org> writes:
> Chip> ... snip...
> Chip> In my messages file I'm seeing entries like this:
> Chip> Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0
> Chip> PROTO=6 18.104.22.168:65535 22.214.171.124:65535 L=492 S=0x00
> Chip> I=7422 F=0x2042 T=245 (#12)
> Chip> ... snip...
> Chip> Huh? It seems that the email timeouts are related to these
> Chip> denied packets. The weird thing is that the port is 65535, not
> Chip> 25.
> Chip> I see these denial messages scrolling by almost as fast as the
> Chip> messages in the maillog.
> Chip> I'm a bit puzzled and don't want to open up myself
> Chip> unnecessarily, but it almost seems that I'm blocking mail
> Chip> throughput.
> The trick here is that port 65535 doesn't exist... it's just ipchains
> way of telling you that it denied a Fragmented packet...
> I seem to remember ipchains having some problems with fragmented
> packets from some places. Don't recall why...
> You can "fix" it with:
> echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> which will make it always defrag the packets and should make it work.
> Chip> Thanks in advance.
> Chip> Chip
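As an added illustration of the diagnosis in this thread (a script written for this edit, not code from either poster): the ipchains "Packet log" entry quoted above carries the raw IP fragment field as F=0x2042, and the 65535 in the port positions is the marker ipchains prints when no transport header was visible. The script below recognizes such fragment denials, decodes the F= field into its MF flag and byte offset, and tallies denials per source address so you can see whether they cluster on one peer (as they did with the mail server here). Function names and the log lines are constructed for the example; only the log format comes from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread. Classifies ipchains
# "Packet log" lines of the form quoted in the post:
#   ... Packet log: input DENY ppp0 PROTO=6 A:port B:port L=.. S=.. I=.. F=0x.... T=.. (#rule)

# Return 0 when the line is a DENY whose ports both show 65535, i.e. ipchains
# saw a non-first fragment and had no TCP/UDP header to read ports from.
is_fragment_denial() {
    case "$1" in
        *"Packet log: "*DENY*":65535 "*":65535 "*) return 0 ;;
    esac
    return 1
}

# Decode the F= field: bit 0x2000 is "more fragments" (MF); the low 13 bits
# are the fragment offset in 8-byte units. Prints "mf=<0|1> offset=<bytes>".
frag_info() {
    f=$(printf '%s\n' "$1" | sed -n 's/.* F=\(0x[0-9a-fA-F]*\).*/\1/p')
    [ -n "$f" ] || { echo "nofield"; return 1; }
    val=$(( f ))
    mf=$(( (val & 0x2000) != 0 ))
    off=$(( (val & 0x1fff) * 8 ))
    echo "mf=$mf offset=$off"
}

# Read a messages file on stdin and print "<count> <source IP>" for fragment
# denials, most frequent first. A single busy source (like a mail peer whose
# packets arrive fragmented over PPP) stands out immediately.
summarize_fragment_denials() {
    while IFS= read -r line; do
        is_fragment_denial "$line" || continue
        printf '%s\n' "$line" | sed -n 's/.*PROTO=[0-9]* \([0-9.]*\):65535 .*/\1/p'
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG='Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=492 S=0x00 I=7422 F=0x2042 T=245 (#12)
Feb 12 19:05:29 poodle kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=492 S=0x00 I=7423 F=0x2042 T=245 (#12)
Feb 12 19:05:30 poodle kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4321 198.51.100.5:25 L=60 S=0x00 I=100 F=0x4000 T=50 (#12)
Feb 12 19:05:31 poodle kernel: Packet log: input ACCEPT ppp0 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=492 S=0x00 I=7424 F=0x2042 T=245 (#3)'

# Stand-alone demo: decode the first line and summarize the whole sample.
printf '%s\n' "$SAMPLE_LOG" | head -n 1 | while IFS= read -r l; do frag_info "$l"; done
printf '%s\n' "$SAMPLE_LOG" | summarize_fragment_denials
```

The third sample line (real ports, F=0x4000, i.e. only the DF bit set) is a plain port-25 denial and is deliberately not counted, so the summary separates "fragments dropped before reassembly" from ordinary policy hits. The F=0x2042 lines decode to MF set with an offset of 528 bytes, which is exactly the case ipchains cannot match on ports. Note that the ip_always_defrag knob the thread uses belongs to the 2.2-era ipchains kernels; on 2.4 and later kernels with iptables, connection tracking reassembles fragments itself and that /proc entry no longer exists.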