[lug] Weird mail/firewall problem
chip at rmpg.org
Tue Feb 12 20:22:22 MST 2002
Oh, another thing too, that would explain why some of the mail was going
through and other huge batches, sent with large packets wouldn't.
Large packets ==> Denied.
Small packets ==> accepted.
On Tue, 12 Feb 2002, Kevin Fenzi wrote:
> >>>>> "Chip" == Chip Atkinson <chip at rmpg.org> writes:
> Chip> ... snip...
> Chip> In my messages file I'm seeing entries like this:
> Chip> Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0
> Chip> PROTO=6 220.127.116.11:65535 18.104.22.168:65535 L=492 S=0x00
> Chip> I=7422 F=0x2042 T=245 (#12)
> Chip> ... snipp...
> Chip> Huh? It seems that the email timeouts are related to these
> Chip> denied packets. The weird thing is that the port is 65535, not
> Chip> 25.
> Chip> I see these denial messages scrolling by almost as fast as the
> Chip> messages in the maillog.
> Chip> I'm a bit puzzled and don't want to open up myself
> Chip> unnecessarily, but it almost seems that I'm blocking mail
> Chip> throughput.
> The trick here is that port 65535 doesn't exist... it's just ipchains'
> way of telling you that it denied a fragmented packet...
> I seem to remember ipchains having some problems with fragmented
> packets from some places. Don't recall why...
> You can "fix" it with:
> echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> which will make it always defrag the packets and should make it work.
> Chip> Thanks in advance.
> Chip> Chip
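Added example (not part of the thread): a small parser for ipchains "Packet log:" lines that decodes the F= field (IP flags plus 13-bit fragment offset) and shows why the denied lines in the messages file report port 65535. The field layout in the regex is inferred from the single line quoted above, and all sample lines other than that one are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout assumed from the one line quoted in the thread; other ipchains
# builds may append tokens such as "SYN" before the "(#N)" rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

# Port value ipchains reports when there is no transport header to read.
FRAG_PORT = 65535


@dataclass
class PacketLog:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ipid: int
    frag_field: int  # raw 16-bit flags+offset field as logged
    ttl: int

    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag_field & 0x4000)  # DF flag, bit 14

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag_field & 0x2000)  # MF flag, bit 13

    @property
    def frag_offset_bytes(self) -> int:
        return (self.frag_field & 0x1FFF) * 8  # offset is in 8-byte units

    @property
    def is_fragment(self) -> bool:
        return self.more_fragments or self.frag_offset_bytes > 0


def parse_line(line: str) -> Optional[PacketLog]:
    """Parse one syslog line; return None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return PacketLog(
        chain=g["chain"], action=g["action"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        ipid=int(g["ipid"]), frag_field=int(g["frag"], 16), ttl=int(g["ttl"]),
    )


def explain(pkt: PacketLog) -> str:
    """Say why a log line looks the way it does, in terms a triager can act on."""
    if pkt.frag_offset_bytes > 0 and pkt.sport == FRAG_PORT and pkt.dport == FRAG_PORT:
        return (f"non-first fragment (offset {pkt.frag_offset_bytes} bytes, "
                f"MF={int(pkt.more_fragments)}): no transport header, so the "
                f"real ports are unknown and logged as {FRAG_PORT}")
    if pkt.is_fragment:
        return "first fragment: transport header present, MF set"
    return "unfragmented packet"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count denied fragments separately from other denials, to spot this problem."""
    counts = {"denied_fragments": 0, "denied_other": 0, "accepted": 0, "unparsed": 0}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            counts["unparsed"] += 1
        elif pkt.action != "DENY":
            counts["accepted"] += 1
        elif pkt.is_fragment:
            counts["denied_fragments"] += 1
        else:
            counts["denied_other"] += 1
    return counts


# The line quoted in the thread (joined onto one line), plus constructed samples.
THREAD_LINE = ("Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0 PROTO=6 "
               "220.127.116.11:65535 18.104.22.168:65535 L=492 S=0x00 I=7422 F=0x2042 T=245 (#12)")
SAMPLE_LINES = [
    THREAD_LINE,
    # constructed: first fragment of the same datagram, ports visible, MF set
    "Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0 PROTO=6 "
    "220.127.116.11:2049 18.104.22.168:25 L=548 S=0x00 I=7422 F=0x2000 T=245 (#12)",
    # constructed: ordinary unfragmented SYN to port 25 with DF set
    "Feb 12 19:05:29 poodle kernel: Packet log: input DENY ppp0 PROTO=6 "
    "220.127.116.11:2050 18.104.22.168:25 L=60 S=0x00 I=7500 F=0x4000 T=245 SYN (#12)",
    # constructed: an accepted packet
    "Feb 12 19:05:30 poodle kernel: Packet log: input ACCEPT ppp0 PROTO=6 "
    "220.127.116.11:2051 18.104.22.168:25 L=60 S=0x00 I=7501 F=0x4000 T=245 SYN (#3)",
    # constructed: unrelated syslog noise
    "Feb 12 19:05:31 poodle sendmail[1234]: timeout waiting for input",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        pkt = parse_line(line)
        print(explain(pkt) if pkt else "not a packet log line")
    print(summarize(SAMPLE_LINES))
```

Running it on the thread's line reports a non-first fragment at byte offset 528 with MF set, which is exactly the case where ipchains has no TCP header to read; counting `denied_fragments` against `denied_other` over a day's messages file makes the pattern described in the thread visible at a glance.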