Gentoo Forums
strange networking problem, need an expert
faz
n00b
Joined: 02 Nov 2002
Posts: 73
Location: the Netherlands

PostPosted: Wed Mar 19, 2003 8:30 pm    Post subject: strange networking problem, need an expert Reply with quote

Hi,

I have this strange problem. When I send an email from kmail with an attachment of about 400KB or larger, then, after a while, the smtp kioslave starts thrashing my box by running at above 80% CPU. The message never gets sent.

At first, I thought it was kmail, but then, when I tried the same thing from another box with win98 and Outlook Express, the same problem occurred. That means it's not kmail but some common problem. I now suspect my network setup.

My setup is a relatively slow Gentoo box as a router/firewall/DNS server. It's using pppoe to connect to my ISP through cable. I have 1 workstation and 1 wireless notebook connected to this box through a hub, both multibooting Gentoo and win98 (games for the kids :-)). On the router I have a netfilter firewall running, but the problem stays if I switch it off.

It's not an MTU problem either. The MTU of ppp0 on the router is 1492 and I have changed the MTU of all other interfaces to 1412, as advised in the pppoe manpage.

Another thing worth mentioning here is that uploading the attachment to the webmail app of my ISP results more often than not in reports of a broken connection to the mailserver. This could mean the problem is with uploads of a certain size to my ISP.

I'm completely lost on this and I do need to send these kinds of attachments on a regular basis, so I will be grateful for any help and/or hints on this.
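The MTU figures in this post (1492 on ppp0, 1412 on the LAN side) are easier to reason about with a small model; the following Python is an added example, not from the thread, that shows how a large TCP upload behaves across the 1492-byte ppp0 link with and without the router clamping the MSS. Assumptions: 20-byte IP and TCP headers, a 1500-byte client MTU, and the iptables TCPMSS rule named in the comment as the clamping mechanism.

```python
IP_HDR = 20            # IPv4 header, no options (assumption)
TCP_HDR = 20           # TCP header, no options (assumption)
PPP0_MTU = 1492        # MTU of ppp0 on the router, from the post
LAN_MTU = 1412         # MTU set on the LAN interfaces, from the post
CLIENT_MTU = 1500      # assumed: a client still using the Ethernet default

def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one unfragmented packet on a link."""
    return mtu - IP_HDR - TCP_HDR

def router_forward(payload, link_mtu, df_set=True):
    """What the router does with one outbound segment on the ppp0 link."""
    if payload + IP_HDR + TCP_HDR <= link_mtu:
        return "forwarded"
    # Too big for the link: with DF set the packet is dropped and an ICMP
    # 'fragmentation needed' goes back to the sender; without DF it is fragmented.
    return "dropped_icmp_frag_needed" if df_set else "fragmented"

def upload(total_bytes, client_mss, clamp_mss=None, icmp_reaches_sender=True):
    """Simulate a TCP upload of total_bytes from the LAN out through ppp0.

    clamp_mss models the router rewriting the MSS option in the SYN
    (iptables: -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
     -j TCPMSS --clamp-mss-to-pmtu, which yields PPP0_MTU - 40 here).
    icmp_reaches_sender=False models a PMTU black hole: the sender never
    learns why its full-size segments vanish and keeps retransmitting.
    Returns (status, segments_delivered).
    """
    mss = client_mss if clamp_mss is None else min(client_mss, clamp_mss)
    sent = 0
    delivered = 0
    while sent < total_bytes:
        payload = min(mss, total_bytes - sent)
        if router_forward(payload, PPP0_MTU) == "dropped_icmp_frag_needed":
            if not icmp_reaches_sender:
                return ("stalled", delivered)
            mss = mss_for_mtu(PPP0_MTU)  # sender honours the ICMP and shrinks
            continue
        sent += payload
        delivered += 1
    return ("completed", delivered)

if __name__ == "__main__":
    client_mss = mss_for_mtu(CLIENT_MTU)
    clamp = mss_for_mtu(PPP0_MTU)
    print("MSS for ppp0 / LAN:", mss_for_mtu(PPP0_MTU), mss_for_mtu(LAN_MTU))
    print("short mail, black hole:", upload(300, client_mss, icmp_reaches_sender=False))
    print("400 KB, black hole:", upload(400_000, client_mss, icmp_reaches_sender=False))
    print("400 KB, clamped:", upload(400_000, client_mss, clamp, icmp_reaches_sender=False))
```

A short mail fits in one packet under the link MTU and goes through either way, which is why only the large attachments would show such a failure mode.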
px
Guru
Joined: 26 Sep 2002
Posts: 497
Location: Metz, France

PostPosted: Wed Mar 19, 2003 8:55 pm    Post subject: Reply with quote

Have you tried to send email directly with the SMTP of your ISP (not via webmail)?
Are the mails correctly sent if they're less than 400K (with no attachment)?
Have you told the firewall to let SMTP do its job?
What do the logfiles say?
Do you use a proxy?
;)
_________________
We computer addicts prefer above all to spend our time tinkering with our computers, rather than using them to do something productive. [Dave Barry]
faz
n00b
Joined: 02 Nov 2002
Posts: 73
Location: the Netherlands

PostPosted: Wed Mar 19, 2003 9:13 pm    Post subject: Reply with quote

px wrote:
Have you tried to send email directly with the SMTP of your ISP (not via webmail)?
Yes
px wrote:
Are the mails correctly sent if they're less than 400K (with no attachment)?
Yes
px wrote:
Have you told the firewall to let SMTP do its job?
Yes
px wrote:
What do the logfiles say?
Which logfiles?
px wrote:
Do you use a proxy?
No

This is my firewall:

Code:

#!/bin/bash

IPT=/sbin/iptables

#interfaces:
# eth0: 192.168.0.1 (our trusted LAN)
# eth1: ISP assigned IP number (our untrusted DSL router)

# Uncomment this line to accept incoming connection for the listed services
# SERVICES="http smtp"

# remove old rules
$IPT -F INPUT
$IPT -P INPUT ACCEPT
$IPT -F FORWARD
$IPT -P FORWARD ACCEPT
$IPT -t nat -F POSTROUTING
$IPT -F myfilter
$IPT -X myfilter
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

# Set a default policy of DROP; deny-by-default for security:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

#myfilter chain:
#this chain contains rules common to our FORWARD and INPUT chains, all in one place.
#first, we create a new "myfilter" chain;
#then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere;
#then, we add a rule to accept NEW connections coming in from anywhere but our untrusted eth1 interface;
#then, we add a rule to log any incoming INVALID packets;
#then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect;
#then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable.
#everything else falls off the end of this chain and goes back to the next rule (if any) in the
#parent INPUT or FORWARD chain.

$IPT -N myfilter
$IPT -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A myfilter -m state --state NEW -i ! eth1 -j ACCEPT
$IPT -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
$IPT -A myfilter -p tcp -j REJECT --reject-with tcp-reset
$IPT -A myfilter -j REJECT --reject-with icmp-port-unreachable

#INPUT chain:
#first, we loop through our SERVICES variable and add a rule for each public service on our firewall;
#then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute);
#then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet;
#then, we direct any traffic that doesn't match these rules to our standard myfilter chain.
#everything else falls off the end of this chain and gets the default policy of DROP.

for x in $SERVICES
do
        $IPT -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done
$IPT -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
$IPT -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
$IPT -A INPUT -j myfilter

#FORWARD chain:
#simply forward all FORWARD traffic to our myfilter chain.
#if any traffic were to make it through the myfilter chain, it would fall off the end of the FORWARD
#chain and get the default policy of DROP.

$IPT -A FORWARD -j myfilter

#Set up MASQUERADE-ing so that machines on our LAN can use our DSL router:
#$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
All times are GMT