Hi, first of all let me note that I think shorewall is a very nice firewall, easy to use and with very good documentation. Many thanks Tom (and all other contributors).

However, I have a problem that I cannot figure out somehow. I run a small home network with a firewall connecting it to the internet. Since it's just a home network (and I don't have money for more), I run all my services on my firewall. Among others, I run an smtp relay on my firewall that basically does nothing else but forward the email to my ISP smtp server.

Now, when shorewall is started, the connection takes about 25 seconds to deliver an email from a pc in the home network to the firewall; with shorewall stopped the same email takes about 2 seconds to get sent. Of course I have the appropriate rules set; no error message shows up in the logs (no packets denied).

First some more technical description; this is what my network looks like:

Internet
|
(66.68.252.217 [dhcp], eth1)
Firewall
(10.10.10.1, eth0)
|
Home Network (10.10.10.0/24)

The firewall is running debian/unstable, the exim mailserver and of course shorewall.
Here are the docs according to the webpage:

Shorewall version: 1.4.8

ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:63:c0:fb:0c brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/16 brd 10.10.255.255 scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:95:10:03:fb brd ff:ff:ff:ff:ff:ff
    inet 66.68.252.217/21 brd 255.255.255.255 scope global eth1

ip route show:
66.68.248.0/21 dev eth1 proto kernel scope link src 66.68.252.217
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.10.1
default via 66.68.248.1 dev eth1

shorewall status is attached.

I used ethereal to track the smtp connection and I can see that the client first sends a syn packet to the server, the server replies with a syn-ack and then the server sends an ack packet. After about 22 more seconds, a tls connection is established and the data is quickly sent.

Since this only happens when shorewall is on, I suspect that it has something to do with its configuration, but I can't figure out what it is. I don't have TC enabled, so that is for sure not messing with things.

Any ideas on how to resolve this little annoyance?

Bye,
David
On Wednesday 21 January 2004 08:34 pm, damailings@mcbf.net wrote:
> Now, when shorewall is started, the connection takes about 25 seconds to deliver
> an email from a pc in the home network to the firewall, with shorewall
> stopped the same email takes about 2 seconds to get sent.

Sounds like the classic ident (auth) port 113 timeout. If you add a rule like this:

REJECT net fw tcp 113

then it will reject instantly any attempt by the smtp server to connect back to your ident port, and things should be faster... Worth a try anyway.

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/
On Thursday 22 January 2004 01:27 am, John Andersen wrote:
> On Wednesday 21 January 2004 08:34 pm, damailings@mcbf.net wrote:
> > Now, when shorewall is started, the connection takes about 25 seconds to deliver
> > an email from a pc in the home network to the firewall, with shorewall
> > stopped the same email takes about 2 seconds to get sent.
>
> Sounds like the classic ident (auth) port 113 timeout.
> If you add a rule like this:
> REJECT net fw tcp 113
> Then it will reject instantly any attempt by the smtp server
> to connect back to your ident port, and things should
> be faster... Worth a try anyway.

There is such an equivalent rule in common.def, but if David has created an /etc/shorewall/common file that omits the rule then 'auth' could be the culprit.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, Jan 22, 2004 at 07:37:54AM -0800, Tom Eastep wrote:
> On Thursday 22 January 2004 01:27 am, John Andersen wrote:
> > On Wednesday 21 January 2004 08:34 pm, damailings@mcbf.net wrote:
> > > Now, when shorewall is started, the connection takes about 25 seconds to deliver
> > > an email from a pc in the home network to the firewall, with shorewall
> > > stopped the same email takes about 2 seconds to get sent.
> >
> > Sounds like the classic ident (auth) port 113 timeout.
> > If you add a rule like this:
> > REJECT net fw tcp 113
> > Then it will reject instantly any attempt by the smtp server
> > to connect back to your ident port, and things should
> > be faster... Worth a try anyway.
>
> There is such an equivalent rule in common.def but if David has created an
> /etc/shorewall/common file that omits the rule then 'auth' could be the
> culprit.

Nope, I haven't changed common.def; the rule is still there. And funny enough, after this problem has been bothering me for weeks and I finally write this email to the list, the problem disappeared. I assume that the reason for this is that I upgraded the kernel on my server from 2.4.22 to 2.4.24 and now it works perfectly fine. Thanks for your suggestions, and we all now know that there's a tiny bug in 2.4.22. =)

Bye,
David
On Thursday 22 January 2004 04:31 pm, damailings@mcbf.net wrote:
> > 'auth' could be the culprit.
>
> Nope, I haven't changed common.def; the rule is still there. And funny enough,
> after this problem has been bothering me for weeks and I finally write
> this email to the list, the problem disappeared. I assume that the
> reason for this is that I upgraded the kernel on my server from 2.4.22
> to 2.4.24 and now it works perfectly fine. Thanks for your suggestions
> and we all now know that there's a tiny bug in 2.4.22. =)

I know that recent RedHat kernels (up until the last one or two) have had a bug whereby the "REJECT --reject-with tcp-reset" target has worked just like "DROP". That bug produced the symptoms that you describe. It sounds as though the bug may not have been limited to RedHat...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
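The thread turns on one distinction: an MTA's ident lookup to port 113 is only fast if the firewall answers with a TCP reset (REJECT), while a DROP, or a REJECT target that misbehaves like DROP as Tom describes, leaves the MTA waiting for its timeout. The following is an added diagnostic (not from the thread or from Shorewall) that a LAN host can run against the firewall to tell the two apart by timing the connect and classifying the result; the firewall address 10.10.10.1 is the one from David's description, and local_demo() uses a constructed loopback listener to show the "open" and "refused" cases offline.

```python
import errno
import socket
import time

# Added diagnostic: classify how a TCP port answers a connect attempt.
# "refused" (RST, instant) is what a working REJECT --reject-with tcp-reset
# produces; "filtered" (no answer until timeout) is what DROP produces and
# is the cause of the ~25 s stall described in the thread.

IDENT_PORT = 113  # the auth/ident port the SMTP server connects back to


def classify(exc):
    """Map the exception from connect() to the firewall behaviour it implies."""
    if exc is None:
        return "open"                 # SYN-ACK received, a service answered
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"             # neither SYN-ACK nor RST: packets dropped
    if getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "refused"              # RST received: closed port or REJECT
    return "unreachable"              # ICMP unreachable or local routing error


def probe(host, port=IDENT_PORT, timeout=5.0):
    """Connect to host:port once and report the state plus elapsed seconds."""
    start = time.monotonic()
    exc = None
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError as e:          # socket.timeout is an OSError subclass
        exc = e
    finally:
        sock.close()
    return {"host": host, "port": port, "state": classify(exc),
            "elapsed": round(time.monotonic() - start, 3)}


def ident_delay_ok(result, limit=1.0):
    """True when the answer came back promptly, so an ident lookup won't hang."""
    return result["state"] in ("open", "refused") and result["elapsed"] < limit


def local_demo():
    """Constructed offline demo: a loopback listener, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    opened = probe("127.0.0.1", port, timeout=2.0)
    srv.close()                   # now the kernel answers with RST, i.e. "refused"
    refused = probe("127.0.0.1", port, timeout=2.0)
    return opened, refused


if __name__ == "__main__":
    r = probe("10.10.10.1")       # firewall address from the thread; assumed reachable
    print(r, "ident lookups will be fast" if ident_delay_ok(r) else "ident lookups will stall")
```

A "filtered" result with elapsed close to the timeout is the signature of the DROP-like behaviour; after adding the REJECT rule (or upgrading the kernel, as David did) the same probe should report "refused" in a few milliseconds.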