This is a discussion on Re: smtp with ip filter .. become slow within the IPFilter forums, part of the System Security and Security Related category.
.. wrote:
> refused, what service that I must set to make port 113 run ?

If you get an *immediate* connection refused, then that's not your problem, because that's what you'll also get when IPF is not running (you can try this to verify).

Usually the identd service runs on port 113, which is started out of the inetd superdaemon. But as I said, if you're getting an immediate connection refused, then this isn't your problem because the SMTP server would get the same thing and then go on.

See, the USUAL problem with slow SMTP is that the process is:

1. Firewalled machine makes SMTP request
2. SMTP server hits IDENTD port, but packet gets dropped
3. SMTP server has to wait for TCP timeout
4. SMTP server carries on

With no firewall it's:

1. Machine makes SMTP request
2. SMTP server hits IDENTD port, connection is refused (actually "reset") because nothing is listening on that port
3. SMTP server carries on

So, to get around the problem we make the firewall pretend like it's not there by sending a Reset (RST) on port 113. This tells the SMTP server nothing is listening on that port, and it carries on with the rest of the process.

However, if you are already doing that, then that is not your problem. So let's look at your rules again... hold on...

OH!!! You're firewalling the SMTP server!!! Add a rule like

    pass out quick on eri0 proto tcp from any to any port = 113 flags S keep state keep frags

You want to go OUT on the identd port...

Try that and see how it goes.

--
Phil Dibowitz                    phil@ipom.com
Freeware and Technical Pages     Insanity Palace of Metallica
http://www.phildev.net/          http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
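The check the post suggests ("you can try this to verify") can be scripted. The following is an added example, not part of the original post: it times one TCP connect to port 113 and reports whether the attempt was reset immediately or silently dropped. The names `probe` and `explain` and the 5-second timeout are assumptions made for this sketch.

```python
import errno
import socket
import sys
import time

IDENT_PORT = 113  # identd port named in the post

def probe(host, port=IDENT_PORT, timeout=5.0):
    """Try one TCP connect; return (verdict, elapsed_seconds)."""
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "open"        # something is listening (e.g. identd)
    except ConnectionRefusedError:
        verdict = "reset"       # RST came back: the peer carries on at once
    except (socket.timeout, TimeoutError):
        verdict = "dropped"     # no answer: the peer waits for its TCP timeout
    except OSError as e:
        # e.g. EHOSTUNREACH when a filter answers with ICMP instead of RST
        verdict = "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()
    return verdict, time.monotonic() - start

def explain(verdict):
    """Map a verdict onto the cases the post describes."""
    if verdict == "open":
        return "ident port answers; the lookup completes normally"
    if verdict == "reset":
        return "immediate refusal; ident is not the cause of the delay"
    if verdict == "dropped":
        return "packet dropped; the SMTP exchange stalls until timeout"
    return "connect failed another way (" + verdict + ")"

if __name__ == "__main__":
    # Usage: python identprobe.py <host>  (run from the machine that makes
    # the ident connection, against the host it tries to reach)
    if len(sys.argv) != 2:
        sys.exit("usage: identprobe.py <host>")
    v, secs = probe(sys.argv[1])
    print("%s after %.2fs: %s" % (v, secs, explain(v)))
```

A "dropped" verdict that takes the full timeout matches the slow case in the post; "reset" within milliseconds matches the no-firewall case.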