Re: Open BSD 3.9 Pf issue with email with attachments.
On 06/26/2006 09:17:33 AM, Ajith Kumar wrote:
> "Ajith Kumar" <[EMAIL PROTECTED]> writes:
>
> I am able to send and receive mails. But if there is any attachment which
> is bigger than 64 KB, I am not able to send.
>
> "Peter N. M. Hansteen" writes:
>
> >My first impulse is to look at what happens elsewhere, in no
> >particular order, any content filtering or for that matter hard
> >message size limits, network congestion on the way there causing
> >timeouts etc.
>
> "Ajith Kumar" <[EMAIL PROTECTED]> writes:
>
> There is no problem in n/w congestion. If I disable pf by "pfctl -d" I am
> able to send mails with attachments. There is no problem in mail server also.

This has a feel to it of what happens when you have a pf.conf
file that keeps state but does not use "flags S/SA", so
(if I understand correctly) the state tracking mechanism
gets out of whack because it starts tracking in the middle of a flow.
There was something about this on the pf list
in the last couple of months.

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
RE: Open BSD 3.9 Pf issue with email with attachments.
On 06/26/2006 09:17:33 AM, Ajith Kumar wrote:
> "Ajith Kumar" <[EMAIL PROTECTED]> writes:
>
> I am able to send and receive mails. But if there is any attachment which
> is bigger than 64 KB, I am not able to send.
>
> "Peter N. M. Hansteen" writes:
>
> >My first impulse is to look at what happens elsewhere, in no
> >particular order, any content filtering or for that matter hard
> >message size limits, network congestion on the way there causing
> >timeouts etc.
>
> "Ajith Kumar" <[EMAIL PROTECTED]> writes:
>
> There is no problem in n/w congestion. If I disable pf by "pfctl -d" I am
> able to send mails with attachments. There is no problem in mail server also.

>>This has a feel to it of what happens when you have a pf.conf
>>file that keeps state but does not use "flags S/SA", so
>>(if I understand correctly) the state tracking mechanism
>>gets out of whack because it starts tracking in the middle of a flow.
>>There was something about this on the pf list
>>in the last couple of months.

I had modified the entry like this

pass in quick log on fxp0 from any to x.x.x.x keep state flags S/SA #1
pass out quick log on fxp1 from any to x.x.x.x keep state flags S/SA #2

pass in quick log on fxp1 from x.x.x.x to any keep state flags S/SA #3
pass out quick log on fxp0 from x.x.x.x to any keep state flags S/SA #4

( fxp0 is internal interface card. fxp1 is external interface card)

where x.x.x.x is ip address of mail server. Still I am not able to send mail
with big attachments.
I am able to send and receive other mails.

I subscribed to the mail list yesterday only :(

Regards,
Ajith
Re: Open BSD 3.9 Pf issue with email with attachments.
On Tue, Jun 27, 2006 at 09:17:18AM +0530, Ajith Kumar wrote:

> I had modified the entry like this
>
> pass in quick log on fxp0 from any to x.x.x.x keep state flags S/SA #1
> pass out quick log on fxp1 from any to x.x.x.x keep state flags S/SA #2
>
> pass in quick log on fxp1 from x.x.x.x to any keep state flags S/SA #3
> pass out quick log on fxp0 from x.x.x.x to any keep state flags S/SA #4
>
> ( fxp0 is internal interface card. fxp1 is external interface card)
>
> where x.x.x.x is ip address of mail server. Still I am not able to send mail
> with big attachments.
> I am able to send and receive other mails.

The test with disabling pf was a good one.

Next, enable pf but load an empty ruleset (pfctl -Fa, pfctl -e) and
retry. Still working?

If so, load only the four rules you pasted above, retry. Still working?

If so, take a good look at your other rules. The difference between your
real ruleset and the four rules quoted above must explain the breakage.
Post the real ruleset if you can't spot it. If any other rule matches
and creates state (for those TCP connections), make sure all states are
created on the initial SYN only.

If connections break with an empty ruleset or just the four rules above,
enable debug logging (pfctl -xm), reproduce the problem, then check
/var/log/messages for entries from pf. Post them.

Run pfctl -si before and after reproducing the problem, what counters
are increasing? Post both outputs.

Daniel
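
The before/after "pfctl -si" comparison suggested above can be scripted. This is an added example, not part of the original thread; the function names and the two sample snapshots are constructed for illustration, and on a live firewall the inputs would be saved output of "pfctl -si".

```sh
#!/bin/sh
# Added example, not from the thread: list the `pfctl -si` counters that grew
# between a snapshot taken before and one taken after reproducing the failure.
# pf_counter_delta BEFORE_FILE AFTER_FILE -> lines of "<counter> +<increase>"
pf_counter_delta() {
    awk '
        # A counter row is "name words... <integer total> [<rate>/s]".
        function parse(line,    n, f, i) {
            n = split(line, f, " ")
            if (n >= 2 && f[n] ~ /\/s$/) n--            # drop the rate column
            if (n < 2 || f[n] !~ /^[0-9]+$/) return 0   # header or blank line
            pname = f[1]
            for (i = 2; i < n; i++) pname = pname " " f[i]
            pval = f[n] + 0
            return 1
        }
        FNR == NR { if (parse($0)) before[pname] = pval; next }
        parse($0) && (pname in before) && pval > before[pname] {
            printf "%s +%d\n", pname, pval - before[pname]
        }
    ' "$1" "$2"
}

# Constructed sample snapshots (abridged; the numbers are made up).
pf_delta_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
Status: Enabled for 0 days 01:10:02           Debug: Misc
State Table                          Total             Rate
  current entries                       14
  searches                           52310           12.4/s
Counters
  match                               1893            0.5/s
  memory                                 0            0.0/s
  state-mismatch                         2            0.0/s
EOF
    cat > "$tmp/after" <<'EOF'
Status: Enabled for 0 days 01:12:40           Debug: Misc
State Table                          Total             Rate
  current entries                       15
  searches                           52977           12.3/s
Counters
  match                               1901            0.5/s
  memory                                 0            0.0/s
  state-mismatch                        61            0.0/s
EOF
    pf_counter_delta "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
pf_delta_demo
```

Counters that did not change (here "memory") are left out, so what remains is the short list worth posting alongside the two raw outputs.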
Re: Open BSD 3.9 Pf issue with email with attachments.
On Tue, 27 Jun 2006 09:56:46 +0200
Daniel Hartmeier <[EMAIL PROTECTED]> wrote:

> On Tue, Jun 27, 2006 at 09:17:18AM +0530, Ajith Kumar wrote:
>
> > I had modified the entry like this
> >
> > pass in quick log on fxp0 from any to x.x.x.x keep state flags S/SA #1
> > pass out quick log on fxp1 from any to x.x.x.x keep state flags S/SA #2
> >
> > pass in quick log on fxp1 from x.x.x.x to any keep state flags S/SA #3
> > pass out quick log on fxp0 from x.x.x.x to any keep state flags S/SA #4
> >
> > ( fxp0 is internal interface card. fxp1 is external interface card)
> >
> > where x.x.x.x is ip address of mail server. Still I am not able to
> > send mail with big attachments.
> > I am able to send and receive other mails.
>
> The test with disabling pf was a good one.
>
> Next, enable pf but load an empty ruleset (pfctl -Fa, pfctl -e) and
> retry. Still working?
>
> If so, load only the four rules you pasted above, retry. Still
> working?
>
> If so, take a good look at your other rules. The difference between
> your real ruleset and the four rules quoted above must explain the
> breakage. Post the real ruleset if you can't spot it. If any other
> rule matches and creates state (for those TCP connections), make sure
> all states are created on the initial SYN only.
>
> If connections break with an empty ruleset or just the four rules
> above, enable debug logging (pfctl -xm), reproduce the problem, then
> check /var/log/messages for entries from pf. Post them.
>
> Run pfctl -si before and after reproducing the problem, what counters
> are increasing? Post both outputs.
>
> Daniel

I just wanted to throw this into the debugging mix as well, anywhere you
have a block statement add 'log' to the statement. Then you can run
`tcpdump -n -e -vv -i pflog0` and it will list the rule number that the
packet matched in the ruleset.

Tim Donahue
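
Once block rules carry 'log', the saved pflog0 tcpdump text can be tallied per rule number to see which rule is dropping the mail traffic. This is an added example, not part of the original thread; the function names are hypothetical, the sample lines are constructed, and the "rule <nr>/... block <dir> on <if>:" layout they follow is an assumption about the tcpdump output.

```sh
#!/bin/sh
# Added example, not from the thread: count logged block decisions per rule
# number in saved text output of `tcpdump -n -e -vv -i pflog0`.

# pflog_block_tally FILE -> "rule <nr> block <dir> on <if> <count>", busiest first
pflog_block_tally() {
    awk '
        {
            # Locate "rule <nr>/..." followed by "block <dir> on <if>:".
            for (i = 1; i + 5 <= NF; i++) {
                if ($i != "rule" || $(i + 2) != "block" || $(i + 4) != "on") continue
                split($(i + 1), nr, "/")          # "7/(match)" -> "7"
                ifname = $(i + 5); sub(/:$/, "", ifname)
                count[nr[1] " block " $(i + 3) " on " ifname]++
                break
            }
        }
        END { for (k in count) print "rule", k, count[k] }
    ' "$1" | sort -k7,7nr -k2,2n
}

# Constructed sample lines; 192.0.2.25 stands in for the mail server x.x.x.x.
pflog_tally_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Jun 27 10:02:11.402113 rule 7/(match) block in on fxp1: 198.51.100.7.25 > 192.0.2.25.3412: . ack 65161 win 65535
Jun 27 10:02:11.913377 rule 7/(match) block in on fxp1: 198.51.100.7.25 > 192.0.2.25.3412: . ack 65161 win 65535
Jun 27 10:02:12.100245 rule 4/(match) pass out on fxp1: 192.0.2.25.3412 > 198.51.100.7.25: . 65161:66621(1460) ack 1
Jun 27 10:02:12.934120 rule 7/(match) block in on fxp1: 198.51.100.7.25 > 192.0.2.25.3412: . ack 65161 win 65535
Jun 27 10:02:14.000871 rule 2/(match) block in on fxp0: 10.0.0.9.137 > 10.0.0.255.137: udp 50
EOF
    pflog_block_tally "$tmp"
    rm -f "$tmp"
}
pflog_tally_demo
```

The rule numbers in the tally correspond to the numbering shown by "pfctl -vvsr", which is how a busy rule in the output is mapped back to a line in the loaded ruleset.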