Marc Harding
2003-Jan-24  11:18 UTC
[Shorewall-users] Problem with sending mail from mail server behind firewall.
I am having a problem with connections from a server behind a Shorewall firewall. Both machines are running Red Hat 8.0 with a custom 2.4.20 kernel. The problem lies with a mail server I am configuring which has been able to send mail to all hosts except this one. The connection starts with SYN_SENT, and then just hangs there (telnet to the remote server on port 25 just hangs trying to connect, SYN_SENT as well). I have used NAT to control the mail server behind the firewall, and have done this many times prior without this problem. This is also my first use of Red Hat 8.0 and I am wondering if that may be a cause of the problem.

From another mail server, I can send mail to that server with no problem. Not sure exactly where the problem lies; if it is not the firewall, I am hoping someone might have a clue to the problem.

The Shorewall firewall shows no error messages during the connection, and all other traffic seems to do what it is supposed to do. This line is from "shorewall show connections":

    tcp 6 18 SYN_SENT src=<INTERNAL ADDRESS> dst=<REMOTE MAIL SERVER> sport=35375 dport=25 [UNREPLIED] src=<REMOTE MAIL SERVER> dst=<LOCAL EXTERNAL IP> sport=25 dport=35375 use=1

I have tried to contact the remote administrator with no luck. I am trying to give as much information as possible, and can send more if necessary.

Any help would be appreciated,
Marc Harding.

P.S. Thanks Tom for such a valuable tool!
Tom Eastep
2003-Jan-24  11:24 UTC
[Shorewall-users] Problem with sending mail from mail server behind firewall.
--On Friday, January 24, 2003 2:18 PM -0500 Marc Harding <mharding@ecwebworks.com> wrote:

> I am having a problem with connections from a server behind a shorewall
> firewall. Both machines are running redhat 8.0 with a custom 2.4.20
> kernel. The problem lies with a mail server I am configuring which has
> been able to send mail to all hosts, except this one. The connection
> starts with the SYN_SENT, and then just hangs there. (telnet to remote
> server on port 25 just hangs trying to connect, SYN_SENT as well). I
> have used NAT to control the mail server behind the firewall, and have
> done this many times prior without this problem. This is also my first
> use of RedHat 8.0 and am wondering if that may be a cause to the
> problem.
>
> From another mail server, I can send mail to that server with no
> problem. Not sure exactly where the problem lies, if it is not the
> firewall, I am hoping someone might have a clue to the problem.
>
> The Shorewall firewall shows no error messages during the connection,
> and all other traffic seems to do what it is supposed to do. This line
> is from "shorewall show connections":
>
> tcp 6 18 SYN_SENT src=<INTERNAL ADDRESS> dst=<REMOTE MAIL SERVER>
> sport=35375 dport=25 [UNREPLIED] src=<REMOTE MAIL SERVER> dst=<LOCAL
> EXTERNAL IP> sport=25 dport=35375 use=1
>

Looks like it might be an ECN problem -- try disabling ECN on the internal machine:

    echo 0 > /proc/sys/net/ipv4/tcp_ecn

If that fixes the problem, you will need to disable ECN in /etc/sysctl.conf. IIRC.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: teastep   \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Marc Harding
2003-Jan-24  11:35 UTC
[Shorewall-users] Problem with sending mail from mail server behind firewall.
Worked like a charm. Thanks again Tom.

Marc

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, January 24, 2003 2:24 PM
To: mharding@ecwebworks.com; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Problem with sending mail from mail server behind firewall.

> Looks like it might be an ECN problem -- try disabling ECN on the
> internal machine:
>
>     echo 0 > /proc/sys/net/ipv4/tcp_ecn
>
> If that fixes the problem, you will need to disable ECN in
> /etc/sysctl.conf. IIRC.
>
> -Tom
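The diagnosis above turns on one detail of the conntrack line: the flow is in SYN_SENT and marked [UNREPLIED], meaning the firewall forwarded the SYN and never saw a SYN-ACK, while every other destination works. A 2.4 kernel with tcp_ecn=1 sets the ECE and CWR bits on outgoing SYNs, and some firewalls and routers of that era silently dropped such SYNs, which is exactly this symptom. The script below is an added example and not code from the thread or from Shorewall: it pulls the stuck flows out of conntrack output (the same lines "shorewall show connections" prints), checks the host's ECN setting, and produces the persistent form of Tom's fix. The conntrack lines are constructed using RFC 5737 documentation addresses, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# 1) pick the outbound TCP flows that never got a SYN-ACK out of
#    conntrack output ("shorewall show connections" prints the same lines),
# 2) compare with the host's ECN setting, and
# 3) emit the sysctl.conf line that makes the fix persistent.

# Constructed sample of conntrack output (documentation addresses, RFC 5737):
# first line is the stuck SMTP flow from the thread, second a healthy flow.
SAMPLE_CONNTRACK='tcp      6 18 SYN_SENT src=192.0.2.10 dst=198.51.100.25 sport=35375 dport=25 [UNREPLIED] src=198.51.100.25 dst=203.0.113.1 sport=25 dport=35375 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.80 sport=40001 dport=80 src=198.51.100.80 dst=203.0.113.1 sport=80 dport=40001 [ASSURED] use=1'

# Print "dst:dport" for every TCP entry still in SYN_SENT with no reply.
# Only the original direction (the first dst=/dport= pair) is reported.
unreplied_syns() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $4 == "SYN_SENT" && /\[UNREPLIED\]/ {
            dst = ""; dport = ""
            for (i = 5; i <= NF; i++) {
                if (dst == "" && $i ~ /^dst=/)     { sub(/^dst=/, "", $i); dst = $i }
                if (dport == "" && $i ~ /^dport=/) { sub(/^dport=/, "", $i); dport = $i }
            }
            print dst ":" dport
        }'
}

# Read the ECN sysctl: 0 = never negotiate, 1 = request ECN on outgoing SYNs
# (sets ECE+CWR in the SYN, which is what the peer in the thread choked on),
# 2 = only accept when the peer asks. The path argument lets tests use a file.
ecn_value() {
    cat "${1:-/proc/sys/net/ipv4/tcp_ecn}"
}

# Triage: "ok" if nothing is stuck, "disable-ecn" if something is stuck and
# this host requests ECN, "not-ecn" if it is stuck with ECN already off
# (then look elsewhere: routing, NAT rules, filtering at the remote end).
advise() {
    stuck=$(unreplied_syns "$1")
    if [ -z "$stuck" ]; then
        echo ok
    elif [ "$(ecn_value "$2")" != "0" ]; then
        echo disable-ecn
    else
        echo not-ecn
    fi
}

# Persistent form of "echo 0 > /proc/sys/net/ipv4/tcp_ecn" for /etc/sysctl.conf.
sysctl_conf_line() {
    echo 'net.ipv4.tcp_ecn = 0'
}

# Immediate form; takes the target path so it can be exercised on a scratch file.
disable_ecn_now() {
    echo 0 > "${1:-/proc/sys/net/ipv4/tcp_ecn}"
}

# To confirm the diagnosis on the wire, capture SYNs that carry ECE+CWR
# (TCP flag byte 13: CWR=0x80, ECE=0x40, SYN=0x02) and watch for no SYN-ACK:
#   tcpdump -ni eth0 'tcp[13] & 0xc2 = 0xc2'

# Stand-alone run: list stuck flows in the sample and print the persistent fix.
unreplied_syns "$SAMPLE_CONNTRACK"
sysctl_conf_line
```

Run it as root on the internal host with real conntrack output (`advise "$(cat /proc/net/ip_conntrack)" /proc/sys/net/ipv4/tcp_ecn`) to get the triage verdict; the "not-ecn" branch matters because a stuck SYN with ECN already off points at a NAT or routing problem rather than the remote firewall.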