Hello,

I'm new to the list. I've installed Mandrake MNF and it works fine, but I have a problem sending emails. Small text mails can go out, but bigger ones, with attachments, have problems. My network is formed by Windows workstations and only the firewall is a Linux box. The first symptom is that the ISP's server times out, and then my mail client reports an error because of a broken server connection. I have defined the default policy lan>wan as REJECT and I left all the rules defined by the system. In particular, there is a specific rule that says ACCEPT lan>wan for the tcp protocol on the smtp port (I think 25). Does anyone have any suggestions?

Thanks a lot and regards
Guido

Guido Demarin wrote:
> Does anyone have any suggestions?

Try setting CLAMPMSS=Yes in shorewall.conf

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Tom,
CLAMPMSS is already set to YES!

Thanks and regards
guido

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, May 16, 2005 4:46 PM
Subject: Re: [Shorewall-users] Problems in sending emails

Guido Demarin wrote:
> Tom,
> CLAMPMSS is already set to YES!

Well, this sounds very much like an MTU problem combined with either you or your ISP blocking ICMPs that you shouldn't be. Without a real problem report (see http://shorewall.net/support.htm), I can't help you further.

-Tom

Does your reject rule come before or after the allow rule, in the example you gave us?

Here is where all my unused computer time goes
http://www.worldcommunitygrid.org/team/viewTeamInfo.do?teamId=9FL4CP1TN1

----- Original Message -----
From: "Guido Demarin" <demarin.g@interaviosup.it>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, May 16, 2005 10:32 AM
Subject: [Shorewall-users] Problems in sending emails

Nick,
the REJECT is not a rule but the default lan>all policy. Then I defined a specific SMTP rule to ACCEPT outgoing tcp traffic on SMTP port. And in this situation I have the submitted problem.

Regards
Guido

----- Original Message -----
From: "Nick Sklav" <sklav@istop.com>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, May 16, 2005 6:05 PM
Subject: Re: [Shorewall-users] Problems in sending emails

2005/5/16, Guido Demarin <demarin.g@interaviosup.it>:
> Nick,
> the REJECT is not a rule but the default lan>all policy. Then I defined a
> specific SMTP rule to ACCEPT outgoing tcp traffic on SMTP port. And in this
> situation I have the submitted problem.
>
> Regards
> Guido

Reduce the MTU of the net interface, and make sure you're not blocking vital ICMP types (braindead tech people at ISPs frequently do that *%&$% because they believe it's a 'security' measure).

If your problem persists, PLEASE FOLLOW THE PROBLEM REPORTING GUIDELINES!!!

2005/5/16, Cristian Rodriguez <judas.iscariote@gmail.com>:
> Reduce the MTU of the net interface, and make sure you're not blocking vital
> ICMP types (braindead tech people at ISPs frequently do that *%&$% because
> they believe it's a 'security' measure).
>
> If your problem persists, PLEASE FOLLOW THE PROBLEM REPORTING GUIDELINES!!!

http://www.netheaven.com/pmtu.html

http://www.freelabs.com/~whitis/isp_mistakes.html

http://www.criminally-braindead-isp.com (joke :D)

Cristian Rodriguez wrote:
> http://www.netheaven.com/pmtu.html
>
> http://www.freelabs.com/~whitis/isp_mistakes.html
>
> http://www.criminally-braindead-isp.com (joke :D)

But until the OP posts his own configuration (output of "shorewall status"), we won't know if it is HE or his ISP who is making this mistake. He hasn't even told us what version of Shorewall he is running, for $DEITY's sake. I don't know how we are expected to solve anything with this dearth of information.

-Tom

Hello,
thank you for your help. As you can understand, I'm not a Linux expert but I'm learning it! Here I submit the reports I printed for Shorewall status, IP status and ROUTE status of the Linux box. The installation is the original Mandrake MNF 8.2 with no upgrades. The starting and restarting of the system is ok. The navigation in internet is ok. Small e-mail sending is ok but the problem is with bigger ones (I sent this message from another connection because also these small attachments stopped the sending!).

Thanks again and regards
Guido

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Cristian Rodriguez" <judas.iscariote@gmail.com>; "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, May 17, 2005 5:08 AM
Subject: Re: [Shorewall-users] Problems in sending emails

Guido Demarin wrote:
> Hello,
> thank you for your help. As you can understand, I'm not a Linux expert but
> I'm learning it!
> Here I submit the reports I printed for Shorewall status, IP status and
> ROUTE status of the Linux box. The installation is the original Mandrake MNF
> 8.2 with no upgrades. The starting and restarting of the system is ok. The
> navigation in internet is ok. Small e-mail sending is ok but the problem is
> with bigger ones (I sent this message from another connection because also
> these small attachments stopped the sending!).

I see nothing in your setup that could cause this problem. There is no evidence that your firewall is dropping ICMP packets (although it is possible that NAT with ICMP isn't working properly -- that has been a problem with Linux at times). You could always run a traffic analyzer like Ethereal to look at what is happening on the link when the problem occurs; if you see ICMP fragmentation needed packets coming to the firewall then check the local interface to see if they are being forwarded and if the original packet header (embedded in the ICMP packet) has the correct sending IP (it should be the local address of your email client system).

Check the stats on your interfaces (ip -s link ls) to be sure that you are not getting a high error rate on one of them.

If there is no ICMP problem or excessive error rate, I guess that you will have to take another poster's advice and reduce the size of the MTU on your external interface -- drop it to 1400 then 1300 ... until the problem goes away.

If you upgrade to a current version of Shorewall (you are running 1.3.11 which hasn't been supported for over two years), there are ways to limit the MSS (which is derived from the PMTU) in Shorewall.

-Tom

Tom,
with ifconfig (and with ip -s link ls) I read some RX errors and some collisions on the internal interface but the external seems not affected. Is this important for my problem?

Thanks
Guido

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, May 17, 2005 4:35 PM
Subject: Re: [Shorewall-users] Problems in sending emails

Guido Demarin wrote:
> Tom,
> with ifconfig (and with ip -s link ls) I read some RX errors and some
> collisions on the internal interface but the external seems not affected. Is
> this important for my problem?

What is the error rate?

-Tom

RX packets:16058; errors: 1763; collisions:23

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, May 17, 2005 5:58 PM
Subject: Re: [Shorewall-users] Problems in sending emails

Guido Demarin wrote:
> RX packets:16058; errors: 1763; collisions:23

That's a pretty high error rate (> 10%). I think that I would start there -- possible NIC/switch/cable/driver problem.

To contrast:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:d2:35:3a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    44337765   270892   0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    73826489   284935   0       0       0       1059

-Tom

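Added example (not part of the original thread): the interface error-rate check discussed in the messages above, as a shell function that parses `ip -s link ls` output and flags interfaces whose RX errors exceed a percentage threshold. The eth0 sample is the output quoted in the thread; the eth1 block is constructed from the RX packet and error counts reported in the thread, and its interface name, MAC address and remaining counters are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread. Reads `ip -s link ls` output on stdin and
# prints one line per interface with its RX error rate (errors / packets).

rx_error_report() {
    # $1 = threshold in percent above which an interface is flagged (default 1)
    awk -v limit="${1:-1}" '
        # Interface header, e.g. "2: eth0: <BROADCAST,...> mtu 1500 ..."
        /^[0-9]+: / {
            iface = $2
            sub(/:$/, "", iface)      # drop the trailing colon
            sub(/@.*$/, "", iface)    # drop "@parent" on VLAN/veth names
            next
        }
        # RX column header: find "packets" and "errors" by name, because the
        # column set differs between iproute2 versions. The header carries an
        # extra leading "RX:" field, so value column = header column - 1.
        $1 == "RX:" {
            pcol = ecol = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "packets") pcol = i - 1
                if ($i == "errors")  ecol = i - 1
            }
            want = 1
            next
        }
        # The line after the RX header holds the counters.
        want {
            want = 0
            if (!pcol || !ecol) next
            pk = $pcol + 0; er = $ecol + 0
            if (pk > 0)      rate = 100 * er / pk
            else if (er > 0) rate = 100      # nothing but errors received
            else             rate = 0
            printf "%s rx_packets=%s rx_errors=%s rate=%.2f%% %s\n",
                   iface, $pcol, $ecol, rate, (rate > limit + 0 ? "HIGH" : "ok")
        }
    '
}

# Sample input. eth0: output quoted in the thread. eth1: constructed; only the
# RX packets/errors values (16058 / 1763) come from the thread.
sample_ip_link() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:d2:35:3a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    44337765   270892   0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    73826489   284935   0       0       0       1059
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    9634800    16058    1763    0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    8120000    15200    0       0       0       23
EOF
}

sample_ip_link | rx_error_report 1
```

On a live firewall the same function is fed with `ip -s link ls | rx_error_report 1`.
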
2005/5/17, Guido Demarin <demarin.g@interaviosup.it>:
> RX packets:16058; errors: 1763; collisions:23

That's really bad. Check your network stuff. If possible, replace the NIC and check the cables.

Tom,
you were right. I changed the local NIC and all is working perfectly!

Now, I read about your decision to stop your activity on Shorewall. This is bad news for all the people who are able to appreciate a serious and professional guy. Maybe I'm one of the last people who joined the Shorewall mailing list but, also in this short time, I appreciated your help and your courtesy.

Thank you again and good luck for everything in your life
Guido

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, May 17, 2005 6:30 PM
Subject: Re: [Shorewall-users] Problems in sending emails