[lug] Weird mail/firewall problem
D. Stimits
stimits at idcomm.com
Tue Feb 12 21:42:37 MST 2002
Chip Atkinson wrote:
>
> Interesting. Very interesting indeed. I did have the value of
> ip_always_defrag set to 0. Why does it have that value I wonder?
> Wouldn't you aways want your packets to be defragmented?
Only if you are the final destination, or can guarantee that the
defragmented size will not exceed your internal network MTU. In which
case it would simply refragment it.
>
> I suspect that the only reason that you would want to not defragment would
> be if every machine was on a lan and the packet size was the same between
> machines.
If it is on an internal lan then likely it can handle putting it back
together and not fragmenting it internally. Your MTU default of 1500
works quite well on a lan, but if you were retransmitting or routing or
doing something along the Internet over a 56k modem, that'd probably be
a problem.
FYI, if you try to send at greater than the route MTU and have checked
the do not fragment flag, you'll lose all your packets. Perhaps the
email program is flagging packets as "do not fragment", then using a
value larger than the route can handle. Just for kicks, maybe get your
failed email test on an interface, then use ifconfig to set to something
small on the interface itself, say 296 (power of 2 plus 40 assuming tcp
header), and see if it then gets through. Or maybe some other error
occurs.
D. Stimits, stimits at idcomm.com
PS: I'm no network guru, I expect someone should or could make arguments
to what I said.
>
> Any thoughts on that?
>
> BTW, it looks like your suggestion worked perfectly. I don't see the
> denial messages any more.
>
> Chip
>
> On Tue, 12 Feb 2002, Kevin Fenzi wrote:
>
> > >>>>> "Chip" == Chip Atkinson <chip at rmpg.org> writes:
> >
> > Chip> ... snip...
> >
> > Chip> In my messages file I'm seeing entries like this:
> >
> > Chip> Feb 12 19:05:28 poodle kernel: Packet log: input DENY ppp0
> > Chip> PROTO=6 24.254.60.38:65535 63.173.117.115:65535 L=492 S=0x00
> > Chip> I=7422 F=0x2042 T=245 (#12)
> >
> > Chip> ... snipp...
> >
> > Chip> Huh? It seems that the email timeouts are related to these
> > Chip> denied packets. The weird thing is that the port is 65535, not
> > Chip> 25.
> >
> > Chip> I see these denial messages scrolling by almost as fast as the
> > Chip> messages in the maillog.
> >
> > Chip> I'm a bit puzzled and don't want to open up myself
> > Chip> unnecessarily, but it slmost seems that I'm blocking mail
> > Chip> throughput.
> >
> > The trick here is that port 65535 doesn't exist... it's just ipchains
> > way of telling you that it denied a Fragmented packet...
> >
> > I seem to remember ipchains having some problems with fragmented
> > packets from some places. Don't recall why...
> >
> > You can "fix" it with:
> >
> > echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> >
> > which will make it always defrag the packets and should make it work.
> >
> > Chip> Thanks in advance.
> > Chip> Chip
> >
> > kevin
> >
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG
mailing list