Slow SMTP server access using IPCHAINS

Post by Dan Ambor » Mon, 19 Feb 2001 04:24:34



When I try sending an email message from my Windows box through my Linux
box running IPCHAINS it's really slow.  It's only slow when sending
email through to my ISP's SMTP mail server.  Everything else is really
fast.  I am running Redhat 6.2 and it's been like this for a while.  I
even tried reinstalling Redhat 6.2 but it didn't help.  Any ideas?

--

Dan Amborn

Yoda of Borg are we: Futile is resistance. Assimilate you, we will.

 
 
 

Post by Rod Smi » Tue, 20 Feb 2001 00:02:36


[Posted and mailed]



Quote:

> When I try sending an email message from my Windows box through my Linux
> box running IPCHAINS it's really slow.  It's only slow when sending
> email through to my ISP's SMTP mail server.  Everything else is really
> fast.  I am running Redhat 6.2 and it's been like this for a while.  I
> even tried reinstalling Redhat 6.2 but it didn't help.  Any ideas?

This could be caused by using a DENY rule on the ident server port
(113). Some servers try to determine the identity of the user who's
making a connection. This can make tracking perpetrators of break-in
attempts and the like easier. The problem is that a DENY rule just drops
the packet, so the sending system thinks it's been lost. If you change
that rule to REJECT, or open a hole in your firewall to let it through
(with or without the identd server running on your system), the problem
will go away (if I'm right about the cause, of course).

--

http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration
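
An added example, not part of the original posts: a shell filter that finds the DENY rules on TCP port 113 described in the reply above in an ipchains firewall script and turns them into REJECT. The sample rules, the interface name `eth0` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample firewall script lines (not taken from the thread).
sample_rules() {
cat <<'EOF'
ipchains -A input -i eth0 -p tcp -d 0/0 23 -j DENY
ipchains -A input -i eth0 -p tcp -d 0/0 113 -j DENY -l
ipchains -A input -i eth0 -p udp -d 0/0 113 -j DENY
ipchains -A input -i eth0 -p tcp -d 0/0 auth -j DENY
ipchains -A input -i eth0 -p tcp -d 0/0 100:200 -j DENY
EOF
}

# Hypothetical helper: reads ipchains commands on stdin, writes them back
# with every TCP DENY that covers the ident port (113, "auth") answered by
# REJECT instead, so the probing mail server gets an immediate refusal.
fix_ident_rules() {
  awk '
  {
    proto = ""; target = ""; port = ""; tcol = 0; pcol = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "-p") proto = tolower($(i + 1))
      if ($i == "-j") { target = $(i + 1); tcol = i + 1 }
      # ipchains takes the port as an optional word after the -d address
      if ($i == "-d" && $(i + 2) !~ /^-/) { port = $(i + 2); pcol = i + 2 }
    }
    n = split(port, r, ":")
    lo = r[1]; hi = (n == 2) ? r[2] : r[1]
    if (lo == "auth") lo = hi = 113
    covers = (port != "" && lo + 0 <= 113 && 113 <= hi + 0)
    if (proto == "tcp" && target == "DENY" && covers) {
      if (n == 2) {
        # Port range: keep the DENY, but put a REJECT for 113 ahead of it
        orig = $0
        $pcol = "113"; $tcol = "REJECT"
        print; print orig
        next
      }
      $tcol = "REJECT"
    }
    print
  }'
}

sample_rules | fix_ident_rules
```

ipchains acts on the first rule that matches, which is why the REJECT for a port range is written ahead of the original DENY. A chain whose policy is DENY drops ident probes without any explicit rule; this filter only looks at rules that name a port.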

 
 
 

Post by Dan Ambor » Tue, 20 Feb 2001 02:37:47




>This could be caused by using a DENY rule on the ident server port
>(113). Some servers try to determine the identity of the user who's
>making a connection. This can make tracking perpetrators of break-in
>attempts and the like easier. The problem is that a DENY rule just drops
>the packet, so the sending system thinks it's been lost. If you change
>that rule to REJECT, or open a hole in your firewall to let it through
>(with or without the identd server running on your system), the problem
>will go away (if I'm right about the cause, of course).

Thank you!  This worked.  I knew right away when I read this that I was
blocking that port.  I changed it to a REJECT which sped it up but the
real speed increase came when I opened it entirely.  Are there any
security vulnerabilities that I am exposing myself to by leaving this
port open?

--

Dan Amborn

Yoda of Borg are we: Futile is resistance. Assimilate you, we will.

 
 
 

Post by D Knisel » Fri, 23 Feb 2001 02:53:30


I was hoping this would solve a very similar problem that I have.  When I
saw the ICMP 113, I was sure that was going to be the problem, but it didn't
fix it, and there are no ICMP packets in the traces.

I am getting extremely slow response with IMAP (port 143) when masquerading.
The symptoms are always the same - the IMAP connection starts out running
quickly, and then stops suddenly.  The TCP exchanges all appear normal, but
huge delays start occurring until the connection eventually times out.  No
matter how long the timeout is set, the connection always breaks (at the
IMAP layer) eventually.  But, TCP is always happy.

The same client and server communicate just fine through Windows 2000 NAT.
Everything else seems to work just fine.  The client is Outlook 2000, and
the server is Exchange (2000, I think).

Here is another interesting strange thing.  I tried setting up a PPTP VPN
connection, which I can do just fine (I have installed the PPTP masq
patches).  The same IMAP timeout occurs over PPTP.  But, if I use SSH to
redirect port 143 to a public UNIX box, and from there to the IMAP server,
everything works just fine.  So, the connection works tunneled through an
SSH tunnel, but not through a PPTP VPN tunnel between the same client and
server.

I'm sure that there is some kind of strange protocol bug in the Microsoft
client or server.

Any other ideas?

D. Knisely





 
 
 

Post by Rod Smi » Fri, 23 Feb 2001 12:32:45




Quote:

> I was hoping this would solve a very similar problem that I have.  When I
> saw the ICMP 113, I was sure that was going to be the problem, but it didn't
> fix it, and there are no ICMP packets in the traces.

The named server runs on *TCP* port 113, not ICMP port 113.

--

http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration

 
 
 

Post by Rod Smi » Fri, 23 Feb 2001 12:39:24




Quote:

> I was hoping this would solve a very similar problem that I have.  When I
> saw the ICMP 113, I was sure that was going to be the problem, but it didn't
> fix it, and there are no ICMP packets in the traces.

The identd server runs on *TCP* port 113, not ICMP port 113.

--

http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration

 
 
 

1. DENY in ipchain causes slow SMTP server access due to identd process ??

Dear all,

Several months ago, I read in some Linux newsgroup that in a masqueraded
environment, an ipchains rule with DENY will slow down access to an SMTP server
(sendmail) because of the identd process on TCP 113.  Is it really the case?

Would someone please fill me in on the details or point me to the relevant
documentation on this topic?  I can't recall exactly where I read that.

Many thanks.

-umb
