
List:       freebsd-isp
Subject:    Re: Sendmail
From:       "Daniel O'Callaghan" <danny () hilink ! com ! au>
Date:       1998-11-28 22:57:43



On Fri, 27 Nov 1998, Kitt Diebold wrote:

> I'm running Sendmail 8.9.1 and it is REALLY slow opening SMTP sessions from
> machines that are behind a NAT. (The NAT's WAN interface has a real IP
> address, but the machines on the LAN side are using the 192.168.0.x
> addresses).

Add the following ipfw rule to your NAT machine.

add 10 reset tcp from any to any 113 in recv ${external_interface}

Sendmail attempts to do an IDENT lookup on the sending machine, by
connecting to port 113.  If the SYN packets to the sender's port 113 are
dropped silently, sendmail can sit waiting for 20 seconds or so.  If you
send a RSET packet back immediately, the mail will start to flow.
Hence, 'deny' is not the right keyword to use.  'unreach' will work for
some Unixes, but not for FreeBSD senders, as FreeBSD does not seem to
believe an ICMP_XXX_UNREACHABLE packet when opening a TCP connection.
'reset' works for every sending OS.

 Danny
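
A way to see from the receiving side how a sender's port 113 behaves, as an added example that is not part of the original message: it times one ident connect and classifies the result as refused (RST), timed out (silently dropped) or answered. The helper names, the `1025, 25` query and the loopback stand-in server are constructed for illustration.

```python
import socket
import threading
import time

def probe_ident(host, port=113, timeout=5.0, query=b"1025, 25\r\n"):
    """Time one connect to the ident port and classify what came back."""
    start = time.monotonic()
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(query)      # RFC 1413 query: "<their port>, <our port>"
            reply = s.recv(512)
        outcome = "answered"      # an ident daemon replied
    except ConnectionRefusedError:
        outcome = "refused"       # RST came back: the caller moves on at once
    except socket.timeout:
        outcome = "timeout"       # SYN silently dropped: the caller sits waiting
    except OSError:
        outcome = "unreachable"   # ICMP error surfaced by the local stack
    return outcome, time.monotonic() - start, reply.strip()

def closed_port():
    """Constructed helper: a loopback port with no listener (answers with RST)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def start_fake_identd():
    """Constructed stand-in for an ident daemon on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            q = conn.recv(512).strip()
            conn.sendall(q + b" : USERID : UNIX : demo\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for label, port in (("no listener", closed_port()),
                        ("ident daemon", start_fake_identd())):
        outcome, secs, reply = probe_ident("127.0.0.1", port, timeout=3.0)
        print(f"{label:12} -> {outcome:9} after {secs:.3f}s {reply!r}")
```

Pointed at a sender behind the firewall, a "timeout" result means the SYNs to port 113 are being dropped, while "refused" means a reset is coming back.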

