From owner-freebsd-ipfw Fri Jan 21 13:41:35 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from zero.arkaine.com (zero.arkaine.com [206.217.210.40]) by hub.freebsd.org (Postfix) with ESMTP id 5969215542 for ; Fri, 21 Jan 2000 13:41:32 -0800 (PST) (envelope-from andre@arkaine.com)
Received: from s.arkaine.com (s.arkaine.com [192.168.10.10]) by zero.arkaine.com (8.9.3/8.9.3) with ESMTP id RAA05339; Fri, 21 Jan 2000 17:37:00 -0500 (EST) (envelope-from andre@arkaine.com)
Received: by s.arkaine.com with Internet Mail Service (5.5.2650.21) id ; Fri, 21 Jan 2000 16:44:34 -0500
Message-ID: <6C191944837ED311863A00104BC7598F7752@s.arkaine.com>
From: Andre Chang
To: "'Rodney W. Grimes'", oogali@intranova.net
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: New Firewall
Date: Fri, 21 Jan 2000 16:44:24 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Well, I checked up on the remote machines and they are mostly just SMTP relay hosts for different domains, nothing special.

I am dropping all ICMP types other than 0, 3, 8 and 11 on that machine. Considering that I am leaving ping and traceroute open, the machine is just a secondary mail server in case the primary mail server is unreachable. Its primary role is DNS.

It remains my own decision whether I want the machine to respond to ICMP type 3.4. I'd rather the machine be unable to fulfil its secondary tasks for some sites than open it up to a possible DoS which would affect its primary task.

--
Andre.

-----Original Message-----
From: Rodney W. Grimes [mailto:freebsd@gndrsh.dnsmgr.net]
Sent: Thursday, January 20, 2000 12:41 PM
To: oogali@intranova.net
Cc: andre@arkaine.com; sh@eclipse.net.uk; briang@expnet.net; isp@FreeBSD.ORG; freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall

> I'm not sure what he meant by ICMP fragmentation-needed messages, but
> yes, ICMP is needed for reliable communication and faster communication
> (primarily unreachables), so you can allow ICMP to pass through but I
> wouldn't recommend it after seeing 24Mbps smurfs come through...
>
> And in your case Andre, ICMP fragmentation has nothing to do with your
> sendmail problem, that shows that your connection is breaking/dropping
> after a while, maybe the remote side is closing the connection
> prematurely...check it out by telnetting to the remote host on port 25 and
> imitate a regular SMTP transaction to find the problem...

If Andre is filtering ICMP 3.4 (ICMP_UNREACH.ICMP_UNREACH_NEEDFRAG) it certainly could have to do with his sendmail problem.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
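The thread turns on ICMP type 3 code 4 ("fragmentation needed and DF set"), the message a router returns when a DF-marked segment will not fit the next hop; a host that drops it never learns the smaller path MTU, and a TCP session such as an SMTP transfer can stall once it starts sending full-size segments. The following is an added example, written for this archive page and not code from the list, from FreeBSD or from ipfw. It builds a constructed ICMP 3/4 datagram the way a router would emit it (RFC 1191 layout: unused 16 bits, next-hop MTU, then the quoted original IP header plus 8 bytes), verifies the ICMP checksum, applies the allow-list Andre describes (types 0, 3, 8, 11), and, for destination-unreachable messages, additionally checks that the quoted original header names the local host as its source before the next-hop MTU is honoured. All addresses are constructed from documentation ranges; `inspect_icmp`, `build_needfrag` and the other names are this example's own.

```python
import ipaddress
import struct

# Allow-list from the message above: echo reply (0), destination unreachable (3),
# echo request (8), time exceeded (11). Anything else is dropped.
ALLOWED_ICMP_TYPES = {0, 3, 8, 11}
ICMP_UNREACH = 3
ICMP_UNREACH_NEEDFRAG = 4      # RFC 1191: "fragmentation needed and DF set"
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header; the IP checksum is left zero (not checked here)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_icmp(src: str, dst: str, itype: int, code: int, body: bytes) -> bytes:
    """IPv4 datagram carrying an ICMP message with a correct ICMP checksum."""
    csum = icmp_checksum(struct.pack("!BBH", itype, code, 0) + body)
    icmp = struct.pack("!BBH", itype, code, csum) + body
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def build_needfrag(router: str, host: str, peer: str, next_hop_mtu: int) -> bytes:
    """Constructed ICMP 3/4 as a router would send about a DF-set SMTP segment host->peer."""
    orig_ip = ipv4_header(host, peer, IPPROTO_TCP, 1480, df=True)  # a 1500-byte segment
    orig_l4 = struct.pack("!HHI", 40000, 25, 0x01020304)            # ports + TCP sequence no.
    body = struct.pack("!HH", 0, next_hop_mtu) + orig_ip + orig_l4  # unused, next-hop MTU
    return build_icmp(router, host, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, body)


def inspect_icmp(packet: bytes, local_addr: str):
    """Decide whether a host filter should accept an inbound IPv4+ICMP datagram.

    Returns ("allow" | "drop", reason). Destination-unreachable messages are only
    honoured when the quoted original header names local_addr as its source: that
    lets a host keep 3/4 for path-MTU discovery without acting on unreachables
    about traffic it never sent.
    """
    if len(packet) < 20 or packet[9] != IPPROTO_ICMP:
        return "drop", "not an ICMP datagram"
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8:
        return "drop", "truncated ICMP header"
    if icmp_checksum(icmp) != 0:
        return "drop", "bad ICMP checksum"
    itype, code = icmp[0], icmp[1]
    if itype not in ALLOWED_ICMP_TYPES:
        return "drop", f"type {itype} not in allow-list"
    if itype == ICMP_UNREACH:
        inner = icmp[8:]                       # original IP header + first 8 bytes of payload
        if len(inner) < 28:
            return "drop", "unreachable without quoted original header"
        if str(ipaddress.IPv4Address(inner[12:16])) != local_addr:
            return "drop", "unreachable not about a packet we sent"
        if code == ICMP_UNREACH_NEEDFRAG:
            next_hop_mtu = struct.unpack("!H", icmp[6:8])[0]
            return "allow", f"needfrag: next-hop MTU {next_hop_mtu}"
        return "allow", f"unreach code {code}"
    return "allow", f"type {itype} code {code}"


if __name__ == "__main__":
    # Constructed addresses from documentation ranges (RFC 5737).
    router, host, peer = "192.0.2.1", "198.51.100.10", "203.0.113.25"
    print(inspect_icmp(build_needfrag(router, host, peer, 1400), host))   # allowed, MTU 1400
    print(inspect_icmp(build_icmp(peer, host, 5, 1, bytes(32)), host))    # redirect: dropped
```

The quoted-header check is the part a plain type-based allow-list such as `icmptypes 0,3,8,11` cannot express on its own: it ties each unreachable to a datagram the host actually originated, so permitting 3/4 for path-MTU discovery does not also mean accepting unreachables generated about arbitrary traffic.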