Re: Packet overload?
Well it is a simple ruleset (see below). As for the ISP blocking stuff - not likely, since the email server is run by me at another location. Since I have more users connecting to this server from other locations I've ruled the problem out from that end. It is only from this one location that this problem occurs -

# cat /etc/pf.conf
#
# pf.rules
#
#----- Interfaces -----
#
# sis0 - external
# sis1 - internal
# sis2 - not used
#
#----- Variables -----
#
ExtIF=sis0
IntIF=sis1
IntRange=192.168.22.0/24
table <scanners> persist file "/etc/scanners"
#
#----- Options -----
#
#
#----- Normalize Traffic -----
#
scrub in on $ExtIF all
#scrub out on $ExtIF all random-id
#
#----- NAT Rules -----
#
nat on $ExtIF from $IntRange to any -> $ExtIF
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#
#----- Antispoof -----
#
antispoof for { $ExtIF, $IntIF }
#
#----- Firewall Rules -----
#
# Drop IPv6 packets immediately
block in quick inet6 all
block out quick inet6 all
# Drop SSH port scanners immediately
block quick from <scanners>
# Block in all inbound and outbound packets
block in on $ExtIF all
block out on $ExtIF all
# Anchor for FTP Proxy
anchor "ftp-proxy/*"
# Drop hackers
block in quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags SAFRU/SAFRU
block in quick on $ExtIF inet proto tcp from any to any flags SF/SF
block in quick on $ExtIF inet proto tcp from any to any flags SR/SR
block in on $ExtIF inet proto tcp from any to any flags S/SFRA
block in on $ExtIF inet proto tcp from any to any flags SA/SFRA
# Allow SSH in
pass in quick log on $ExtIF inet proto tcp from any to any port 22 modulate state (max-src-conn-rate 3/15, overload <scanners> flush global)
# Allow normal traffic out
pass out on $ExtIF inet proto tcp from any to any modulate state
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state

That's it!

Peter

-----Original Message-----
From: Alexander Hall [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 19, 2006 9:07 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: Packet overload?

Peter Bako wrote:
> I have a Soekris net4801 box running as a firewall for a friend of mine that runs a small business (about 5 employees). The ruleset is quite simple in that he does not run any internal servers, so I pretty much block all inbound traffic and allow all traffic back out. For inbound traffic I have the scrub command enabled and for outbound traffic (tcp and udp) I have keep state flag on.
>
> However I've noticed that if more than one or two people are getting email from their ISP (standard pop3), then the third person to try to get email will get an error that the server could not be reached. Until recently they have not received enough email for the email check and subsequent downloads to take long, so whenever anyone got this error they would just wait a few seconds and try again. However lately they have been getting a larger volume of email (expected due to an upturn in business), so this problem is getting much more noticed and annoying.
>
> Anyone have any idea as to the cause and a solution for this? I've thought it might be that the Soekris box is underpowered, but the processor is basically a PII/266 with 128M of RAM, which should be enough for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that you describe, my bet is that it is not the firewall that is causing the problem. Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the situation you describe, unless it is en/de-crypting stuff that passes through it. Even so, it would just make stuff go slower - not block stuff.

/Alexander
Re: Packet overload?
On 2006/06/19 20:39, Peter Bako wrote:
> However I've noticed that if more than one or two people are getting email from their ISP (standard pop3), then the third person to try to get email will get an error that the server could not be reached.

The ISP probably restricts the number of connections from a single IP address (either concurrent, or per-min). Apart from reducing resource use on a busy server, this also makes password-guessing slower, so you can understand why people might do it.

See this from inetd.conf(5) on $some_other_bsd:

    {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]

Test it from another connection bypassing the soekris if you like, just have a couple of

    telnet mail.whatever_isp.com 110

running, you probably don't even need to login.

> Anyone have any idea as to the cause and a solution for this?

If this is what's happening..:

- Ask the ISP if they are restricting like this and see if they can remove or relax the restriction; they might not realise that by doing this they're causing problems for people with multiple POP accounts behind a single NAT, and this is the easiest fix. (They might not realise they're restricting it at all, even).

- If more IP addresses are available, use them for NATting:

    nat on $foo from $foo:network -> { 1.1.1.1, 1.1.1.2, 1.1.1.3 }

- Run an internal mail server, either change to SMTP delivery of email, or run some program like fetchmail so you can ensure only one a/c is POPped at once.

> the processor is basically a PII/266 with 128M of RAM

Well... the geode-based systems (soekris, pcengines) have _much_ worse I/O performance than the equivalent PPro/PII. Integer CPU ops are closer in speed. The Intels perform much better at electric heating than the Soekris boards, which can be an advantage or a disadvantage (:
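The diagnosis above (a per-IP cap on the mail server side, so the third POP3 client behind the NAT is turned away) and the suggested telnet test can be reproduced offline. The following is an added example, not code from this thread or from any ISP: a toy POP3 listener that enforces inetd-style max-child-per-ip and max-connections-per-ip-per-minute limits, and a probe that opens several connections at once, holds them open the way several telnet sessions would, and counts how many received the "+OK" greeting. Everything runs on 127.0.0.1; the server, the limits and the port are constructed for the demonstration.

```python
"""Constructed example: a toy POP3 listener with inetd-style per-IP limits,
plus a probe that opens several connections at once and counts greetings.
Runs entirely on 127.0.0.1; nothing here is an ISP's real server."""
import socket
import threading
import time
from collections import defaultdict


class LimitedPop3Server:
    """Listens on an ephemeral port; any connection that would exceed the
    per-IP concurrent or per-minute limit is closed without a greeting,
    which is exactly what a POP3 client reports as 'server not reached'."""

    def __init__(self, max_child_per_ip=2, max_per_ip_per_minute=60):
        self.max_child_per_ip = max_child_per_ip
        self.max_per_ip_per_minute = max_per_ip_per_minute
        self.active = defaultdict(int)     # ip -> currently open sessions
        self.recent = defaultdict(list)    # ip -> accept timestamps, last 60 s
        self.refused = 0
        self.lock = threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _admit(self, ip):
        """Apply both limits atomically; reserve a slot if admitted."""
        now = time.monotonic()
        with self.lock:
            self.recent[ip] = [t for t in self.recent[ip] if now - t < 60]
            if self.active[ip] >= self.max_child_per_ip:
                return False
            if len(self.recent[ip]) >= self.max_per_ip_per_minute:
                return False
            self.active[ip] += 1
            self.recent[ip].append(now)
            return True

    def _accept_loop(self):
        while True:
            try:
                conn, (ip, _) = self.sock.accept()
            except OSError:
                return                      # listener was closed
            if not self._admit(ip):
                with self.lock:
                    self.refused += 1
                conn.close()                # client sees EOF, no "+OK"
                continue
            threading.Thread(target=self._session, args=(conn, ip),
                             daemon=True).start()

    def _session(self, conn, ip):
        try:
            conn.sendall(b"+OK toy POP3 ready\r\n")
            for line in conn.makefile("rb"):
                if line.upper().startswith(b"QUIT"):
                    conn.sendall(b"+OK bye\r\n")
                    break
                conn.sendall(b"-ERR not implemented\r\n")
        except OSError:
            pass
        finally:
            conn.close()
            with self.lock:
                self.active[ip] -= 1        # free the concurrent slot

    def wait_until_idle(self, timeout=5.0):
        """Block until every session is torn down (for back-to-back probes)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                if not any(self.active.values()):
                    return True
            time.sleep(0.01)
        return False

    def close(self):
        self.sock.close()


def probe_concurrent(host, port, count, timeout=3.0):
    """Open `count` TCP connections at once (like several 'telnet host 110'
    sessions), keep each open until all have been answered, and return
    {'greeted': n, 'refused': m}."""
    got_banner = [False] * count
    all_answered = threading.Barrier(count)

    def one(i):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                got_banner[i] = s.recv(256).startswith(b"+OK")  # b"" if refused
                all_answered.wait(timeout)                       # hold the slot
                if got_banner[i]:
                    s.sendall(b"QUIT\r\n")
        except (OSError, threading.BrokenBarrierError):
            pass

    threads = [threading.Thread(target=one, args=(i,)) for i in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    greeted = sum(got_banner)
    return {"greeted": greeted, "refused": count - greeted}


if __name__ == "__main__":
    srv = LimitedPop3Server(max_child_per_ip=2)
    print(probe_concurrent("127.0.0.1", srv.port, 3))  # two greeted, one refused
    srv.close()
```

Against a real mail server the same probe would be pointed at port 110 from a host outside the NAT, as suggested above; a result where the first N connections get a greeting and the rest see EOF, while the Soekris is not in the path, confirms the limit is on the server side rather than in pf.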
Packet overload?
I have a Soekris net4801 box running as a firewall for a friend of mine that runs a small business (about 5 employees). The ruleset is quite simple in that he does not run any internal servers, so I pretty much block all inbound traffic and allow all traffic back out. For inbound traffic I have the scrub command enabled and for outbound traffic (tcp and udp) I have keep state flag on.

However I've noticed that if more than one or two people are getting email from their ISP (standard pop3), then the third person to try to get email will get an error that the server could not be reached. Until recently they have not received enough email for the email check and subsequent downloads to take long, so whenever anyone got this error they would just wait a few seconds and try again. However lately they have been getting a larger volume of email (expected due to an upturn in business), so this problem is getting much more noticed and annoying.

Anyone have any idea as to the cause and a solution for this? I've thought it might be that the Soekris box is underpowered, but the processor is basically a PII/266 with 128M of RAM, which should be enough for such a small site.

Thanks,
Peter
Re: Packet overload?
Peter Bako wrote:
> I have a Soekris net4801 box running as a firewall for a friend of mine that runs a small business (about 5 employees). The ruleset is quite simple in that he does not run any internal servers, so I pretty much block all inbound traffic and allow all traffic back out. For inbound traffic I have the scrub command enabled and for outbound traffic (tcp and udp) I have keep state flag on.
>
> However I've noticed that if more than one or two people are getting email from their ISP (standard pop3), then the third person to try to get email will get an error that the server could not be reached. Until recently they have not received enough email for the email check and subsequent downloads to take long, so whenever anyone got this error they would just wait a few seconds and try again. However lately they have been getting a larger volume of email (expected due to an upturn in business), so this problem is getting much more noticed and annoying.
>
> Anyone have any idea as to the cause and a solution for this? I've thought it might be that the Soekris box is underpowered, but the processor is basically a PII/266 with 128M of RAM, which should be enough for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that you describe, my bet is that it is not the firewall that is causing the problem. Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the situation you describe, unless it is en/de-crypting stuff that passes through it. Even so, it would just make stuff go slower - not block stuff.

/Alexander