Hello,

I am running two mail servers that are NAT'ed behind one shorewall firewall (1.3.5b). Everything works well from the outside, but between the two servers there is a little problem. I know that Proxarp would be better, I might switch.

Here is the problem. I added the following rules to make the two servers communicate using the real external IPs.

    DNAT lan:10.1.1.0/24 lan:10.1.1.1 tcp 0:65535 - 12.23.34.3:10.1.1.5
    DNAT lan:10.1.1.0/24 lan:10.1.1.1 udp 0:65535 - 12.23.34.3:10.1.1.5
    DNAT lan:10.1.1.0/24 lan:10.1.1.2 tcp 0:65535 - 12.23.34.4:10.1.1.5
    DNAT lan:10.1.1.0/24 lan:10.1.1.2 udp 0:65535 - 12.23.34.4:10.1.1.5

where 12.23.34.3 and 12.23.34.4 are the real IPs that are NAT'ed to servers 10.1.1.1 and 10.1.1.2, and 10.1.1.5 is the internal IP for my firewall. This does work with short connections. But if one mail server sends the other a large email, the transfer slows to a crawl. It eventually completes, but why this behavior?

--
Regards
Joseph
http://www.datakota.com
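Added example (not from this thread and not Shorewall project code): a small Python parser for rule lines in the Shorewall 1.3 rules-file column layout (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST), run over the four lines posted above. It reads an ORIGINAL DEST written as `orig:snat` as "match on orig, rewrite the source to snat" (an assumption based on how the poster wrote his rules), flags rules whose client and server are in the same zone (the hairpin case), and points out what such a rule implies for the return path and for the `0:65535` port range. The helper names `parse_rule`, `is_hairpin` and `check_rule` are this example's own.

```python
"""Parse Shorewall 1.3-style rule lines and flag hairpin (same-zone) DNAT rules."""
import ipaddress

# The four rules from the post above, one per line (copied from the thread).
RULES_TEXT = """\
DNAT lan:10.1.1.0/24 lan:10.1.1.1 tcp 0:65535 - 12.23.34.3:10.1.1.5
DNAT lan:10.1.1.0/24 lan:10.1.1.1 udp 0:65535 - 12.23.34.3:10.1.1.5
DNAT lan:10.1.1.0/24 lan:10.1.1.2 tcp 0:65535 - 12.23.34.4:10.1.1.5
DNAT lan:10.1.1.0/24 lan:10.1.1.2 udp 0:65535 - 12.23.34.4:10.1.1.5
"""


def split_zone(field):
    """'lan:10.1.1.0/24' -> ('lan', '10.1.1.0/24'); a bare zone name has no address."""
    zone, _, addr = field.partition(":")
    return zone, (addr or None)


def parse_rule(line):
    """Return a dict for one rule line, or None for blank and comment lines.

    Columns: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST.
    Missing trailing columns are treated as '-'. For the ORIGINAL_DEST column,
    'orig:snat' is read as: match packets sent to orig, and rewrite the source
    address to snat as well (assumption: that is how the posted rules work).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    cols = line.split()
    if len(cols) < 3:
        raise ValueError("rule needs at least ACTION SOURCE DEST: %r" % line)
    cols += ["-"] * (7 - len(cols))
    action, source, dest, proto, dport, sport, orig = cols[:7]
    src_zone, src_addr = split_zone(source)
    dst_zone, dst_addr = split_zone(dest)
    orig_dest, snat = None, None
    if orig != "-":
        orig_dest, _, snat = orig.partition(":")
        snat = snat or None
    return {
        "action": action,
        "src_zone": src_zone, "src_addr": src_addr,
        "dst_zone": dst_zone, "dst_addr": dst_addr,
        "proto": None if proto == "-" else proto,
        "dport": None if dport == "-" else dport,
        "sport": None if sport == "-" else sport,
        "orig_dest": orig_dest,
        "snat": snat,
    }


def parse_rules(text):
    """Parse every non-empty, non-comment line of a rules file body."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def is_hairpin(rule):
    """True when a DNAT rule's client and server sit in the same zone."""
    return rule["action"] == "DNAT" and rule["src_zone"] == rule["dst_zone"]


def check_rule(rule):
    """Return a list of remarks about one parsed rule (empty if nothing to say)."""
    remarks = []
    if is_hairpin(rule):
        remarks.append("hairpin: %s -> %s, both in zone %s"
                       % (rule["src_addr"], rule["dst_addr"], rule["src_zone"]))
        if rule["snat"] is None:
            # DNAT only: the server sees the client's real address and answers
            # it directly from its private address; the client, which sent to
            # the public address, drops that reply.
            remarks.append("no SNAT address: server replies bypass the firewall "
                           "and the client will not match them to its connection")
        elif rule["src_addr"] and ipaddress.ip_address(rule["snat"]) in \
                ipaddress.ip_network(rule["src_addr"], strict=False):
            # DNAT+SNAT: both directions of every session cross the firewall's
            # LAN interface, once inbound and once outbound.
            remarks.append("replies are addressed to %s, so the whole session "
                           "passes through the firewall in both directions"
                           % rule["snat"])
    if rule["dport"] == "0:65535":
        remarks.append("port range 0:65535 forwards every port; list only "
                       "the services the servers actually exchange")
    return remarks


if __name__ == "__main__":
    for r in parse_rules(RULES_TEXT):
        print("%s %s:%s -> %s:%s (orig %s, snat %s)" % (
            r["action"], r["src_zone"], r["src_addr"], r["dst_zone"],
            r["dst_addr"], r["orig_dest"], r["snat"]))
        for m in check_rule(r):
            print("   -", m)
```

Run it as a script to see the four posted rules decoded; `check_rule` reports each one as a hairpin whose replies return via 10.1.1.5 and whose port range is wide open.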
On Saturday 24 August 2002 10:27 am, Joseph T Watson wrote:

> Hello,
>
> I am running two mail servers that are NAT'ed behind one shorewall
> firewall (1.3.5b). Everything works well from the outside, but between the
> two servers there is a little problem. I know that Proxarp would be
> better, I might switch.

I would....

> Here is the problem. I added the following rules to make the two
> servers communicate using the real external IPs.

< rules deleted >

> This does work with short connections. But if one mail server
> sends the other a large email, the transfer slows to a crawl. It eventually
> completes, but why this behavior?

I don't know. Please send me the output of "shorewall status" (just copy me and not the entire list).

Thanks,
-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> From: Joseph T Watson [mailto:jtwatson@datakota.com]
> Sent: Saturday, August 24, 2002 12:27 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Nat'ed Servers
>
> <Rules Deleted>
>
> But if one mail server sends the other a large email,
> the transfer slows to a crawl. It eventually completes,
> but why this behavior?

I'm sure there is a good reason why your e-mail servers are using your firewall to relay e-mail to each other, but wouldn't it be easier (and more efficient) to configure both MTAs to relay e-mail to each other using the 10.1.1.0/24 network? i.e. override your MX record when it has to resend e-mail.

Just a thought,
Steve Cowles
On Saturday 24 August 2002 01:24 pm, Cowles, Steve wrote:

> > -----Original Message-----
> > From: Joseph T Watson [mailto:jtwatson@datakota.com]
> > Sent: Saturday, August 24, 2002 12:27 PM
> > To: shorewall-users@shorewall.net
> > Subject: [Shorewall-users] Nat'ed Servers
> >
> > <Rules Deleted>
> >
> > But if one mail server sends the other a large email,
> > the transfer slows to a crawl. It eventually completes,
> > but why this behavior?
>
> I'm sure there is a good reason why your e-mail servers are using your
> firewall to relay e-mail to each other, but wouldn't it be easier (and more
> efficient) to configure both MTAs to relay e-mail to each other using the
> 10.1.1.0/24 network? i.e. override your MX record when it has to resend
> e-mail.

Or add three records in /etc/hosts on each of the four servers.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net