Re: Packet overload?

2006-06-21 Thread Peter Bako
Well it is a simple ruleset (see below).  As for the ISP blocking stuff -
not likely, since the email server is run by me at another location.  Since
I have more users connecting to this server from other locations I've ruled
the problem out from that end.  It is only from this one location that this
problem occurs.

-
#
# cat /etc/pf.conf
#
# pf.rules
#
#-Interfaces---
#
#  sis0 - external
#  sis1 - internal
#  sis2 - not used
#
#-Variables
#
ExtIF=sis0
IntIF=sis1
IntRange=192.168.22.0/24
table <scanners> persist file "/etc/scanners"

#
#-Options--
#

#
#-Normalize Traffic
#

scrub in  on $ExtIF all
#scrub out on $ExtIF all random-id

#
#-NAT Rules
#
nat on $ExtIF from $IntRange to any -> $ExtIF
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#
#-Antispoof
#
antispoof for { $ExtIF, $IntIF}

#
#-Firewall Rules---
#

# Drop IPv6 packets immediately
block in  quick inet6 all
block out quick inet6 all

# Drop SSH port scanners immediately
block quick from <scanners>

# Block in all inbound and outbound packets
block in  on $ExtIF all
block out on $ExtIF all

# Anchor for FTP Proxy
anchor ftp-proxy/*

# Drop hackers
block in  quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags SAFRU/SAFRU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SF
block in  quick on $ExtIF inet proto tcp from any to any flags SR/SR
block in  on $ExtIF inet proto tcp from any to any flags S/SFRA
block in  on $ExtIF inet proto tcp from any to any flags SA/SFRA

# Allow SSH in
pass in  quick log on $ExtIF inet proto tcp from any to any port 22 \
modulate state (max-src-conn-rate 3/15, overload <scanners> flush global)

# Allow normal traffic out
pass out on $ExtIF inet proto tcp from any to any modulate state
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state
-

That's it!
Peter

-----Original Message-----
From: Alexander Hall [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 19, 2006 9:07 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: Packet overload?

Peter Bako wrote:
> I have a Soekris net4801 box running as a firewall for a friend of
> mine that runs a small business (about 5 employees).  The ruleset is
> quite simple in that he does not run any internal servers, so I pretty
> much block all inbound traffic and allow all traffic back out.  For
> inbound traffic I have the scrub command enabled and for outbound
> traffic (tcp and udp) I have keep state flag on.
>
> However I've noticed that if more than one or two people are getting
> email from their ISP (standard pop3), then the third person to try to
> get email will get an error that the server could not be reached.
> Until recently they have not received enough email for the email check
> and subsequent downloads to take long, so whenever anyone got this
> error they would just wait a few seconds and try again.  However
> lately they have been getting a larger volume of email (expected due
> to an upturn in business), so this problem is getting much more noticed
> and annoying.
>
> Anyone have any idea as to the cause and a solution for this?  I've
> thought it might be that the Soekris box is underpowered, but the
> processor is basically a PII/266 with 128M of RAM, which should be
> enough for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that you
describe, my bet is that it is not the firewall that is causing the problem.
Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the
situation you describe, unless it is en/de-crypting stuff that passes
through it. Even so, it would just make stuff go slower - not block stuff.

/Alexander



Re: Packet overload?

2006-06-20 Thread Stuart Henderson
On 2006/06/19 20:39, Peter Bako wrote:
> However I've noticed that if more than one or two people are getting email
> from their ISP (standard pop3), then the third person to try to get email
> will get an error that the server could not be reached.

The ISP probably restricts the number of connections from a single
IP address (either concurrent, or per-min). Apart from reducing resource
use on a busy server, this also makes password-guessing slower, so you
can understand why people might do it. See this from inetd.conf(5) on
$some_other_bsd:

{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]

Test it from another connection bypassing the soekris if you like,
just have a couple of telnet mail.whatever_isp.com 110 running, you
probably don't even need to login.

> Anyone have any idea as to the cause and a solution for this?

If this is what's happening..:

- Ask the ISP if they are restricting like this and see if they
can remove or relax the restriction; they might not realise that
by doing this they're causing problems for people with multiple
POP accounts behind a single NAT, and this is the easiest fix.
(They might not realise they're restricting it at all, even).

- If more IP addresses are available, use them for NATting:
nat on $foo from $foo:network -> { 1.1.1.1, 1.1.1.2, 1.1.1.3 }

- Run an internal mail server, either change to SMTP delivery of
email, or run some program like fetchmail so you can ensure only
one a/c is POPped at once.

> the processor is basically a PII/266 with 128M of RAM

Well... the geode-based systems (soekris, pcengines) have _much_
worse I/O performance than the equivalent PPro/PII. Integer CPU ops
are closer in speed. The Intels perform much better at electric
heating than the Soekris boards, which can be an advantage or a
disadvantage (:
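
The "couple of telnet sessions" check above, written out as a script. This is an added example, not code from the thread: it stands up a local stand-in for an ISP POP3 server that admits at most a fixed number of concurrent sessions per source address and closes the rest without a greeting, then opens several sessions at once from one address and reports which ones got a "+OK" greeting. Everything here is constructed (the local server, the limit of 2, the greeting text); probe_concurrent can equally be pointed at the business's own mailbox server on port 110 from a host outside the NAT, which is the check Stuart describes. Python 3 standard library only.

```python
"""Reproduce the 'third POP3 session fails' symptom against a local
stand-in for an ISP mail server that caps concurrent sessions per source
address. Added example; the server, its limit and greeting are constructed."""
import socket
import threading


def _hold_session(conn, ip, active, lock):
    """Greet the client and keep the session open until it hangs up,
    then release this address's slot."""
    try:
        conn.sendall(b"+OK POP3 ready\r\n")
        while conn.recv(1024):      # blocks until the client closes
            pass
    except OSError:
        pass
    finally:
        conn.close()
        with lock:
            active[ip] -= 1


def start_limited_pop3(max_per_ip):
    """Listen on 127.0.0.1 (ephemeral port) and admit at most `max_per_ip`
    concurrent sessions per client address; the rest are closed without a
    greeting, which a mail client reports as 'server could not be reached'.
    Returns (listening socket, port). Close the socket to stop the server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    active = {}                 # client address -> open sessions
    lock = threading.Lock()

    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:     # listening socket closed: shut down
                return
            ip = addr[0]
            with lock:
                if active.get(ip, 0) >= max_per_ip:
                    conn.close()            # over the cap: drop it
                    continue
                active[ip] = active.get(ip, 0) + 1
            threading.Thread(target=_hold_session,
                             args=(conn, ip, active, lock),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_concurrent(host, port, count, timeout=3.0):
    """Open `count` TCP sessions to host:port and hold them open together,
    the way several users polling POP3 behind one NAT address do. Returns a
    list of booleans, one per session: True where a '+OK' greeting arrived."""
    socks = []
    for _ in range(count):
        try:
            socks.append(socket.create_connection((host, port), timeout=timeout))
        except OSError:
            socks.append(None)  # refused outright
    results = []
    for s in socks:
        if s is None:
            results.append(False)
            continue
        try:
            greeting = s.recv(64)
        except OSError:
            greeting = b""      # reset or timed out
        results.append(greeting.startswith(b"+OK"))
    for s in socks:
        if s is not None:
            s.close()
    return results


if __name__ == "__main__":
    srv, port = start_limited_pop3(max_per_ip=2)
    print(probe_concurrent("127.0.0.1", port, 4))   # [True, True, False, False]
    srv.close()
```

With the cap at 2, the first two sessions are greeted and the rest are dropped while those two stay open, which is exactly the pattern of the third user's error; once the first sessions close, new ones are admitted again, distinguishing a concurrency cap from an outright block of the address.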



Packet overload?

2006-06-19 Thread Peter Bako
I have a Soekris net4801 box running as a firewall for a friend of mine that
runs a small business (about 5 employees).  The ruleset is quite simple in
that he does not run any internal servers, so I pretty much block all
inbound traffic and allow all traffic back out.  For inbound traffic I have
the scrub command enabled and for outbound traffic (tcp and udp) I have keep
state flag on.
 
However I've noticed that if more than one or two people are getting email
from their ISP (standard pop3), then the third person to try to get email
will get an error that the server could not be reached.  Until recently they
have not received enough email for the email check and subsequent downloads
to take long, so whenever anyone got this error they would just wait a few
seconds and try again.  However lately they have been getting a larger
volume of email (expected due to an upturn in business), so this problem is
getting much more noticed and annoying.
 
Anyone have any idea as to the cause and a solution for this?  I've thought
it might be that the Soekris box is underpowered, but the processor is
basically a PII/266 with 128M of RAM, which should be enough for such a
small site.
 
Thanks,
Peter



Re: Packet overload?

2006-06-19 Thread Alexander Hall

Peter Bako wrote:

> I have a Soekris net4801 box running as a firewall for a friend of mine that
> runs a small business (about 5 employees).  The ruleset is quite simple in
> that he does not run any internal servers, so I pretty much block all
> inbound traffic and allow all traffic back out.  For inbound traffic I have
> the scrub command enabled and for outbound traffic (tcp and udp) I have keep
> state flag on.
>
> However I've noticed that if more than one or two people are getting email
> from their ISP (standard pop3), then the third person to try to get email
> will get an error that the server could not be reached.  Until recently they
> have not received enough email for the email check and subsequent downloads
> to take long, so whenever anyone got this error they would just wait a few
> seconds and try again.  However lately they have been getting a larger
> volume of email (expected due to an upturn in business), so this problem is
> getting much more noticed and annoying.
>
> Anyone have any idea as to the cause and a solution for this?  I've thought
> it might be that the Soekris box is underpowered, but the processor is
> basically a PII/266 with 128M of RAM, which should be enough for such a
> small site.


Now, I have not seen your pf.conf, but only using a simple ruleset that 
you describe, my bet is that it is not the firewall that is causing the 
problem. Does the ISP/mailserver have restrictions by any chance?


I cannot imagine that the 4801 would have ANY performance problem in the 
situation you describe, unless it is en/de-crypting stuff that passes 
through it. Even so, it would just make stuff go slower - not block stuff.


/Alexander