unable to send e-mail attachments

Post by Don Smit » Sun, 23 Apr 2000 04:00:00



I am using Red Hat 6.2 with the latest kernel on a firewall. My clients use
Outlook and IE. My outbound connection is ADSL using an ALCATEL 1000 modem.
I can surf just fine and send e-mail if it is not too large, but I cannot
send attachments. I get a server time out. I also cannot put large amounts
of text into HTML forms; I get the same error. I am using IPCHAINS and MASQ on
my firewall. Any ideas???
Stumpt
 
 
 

Post by Edward J Kalend » Sun, 23 Apr 2000 04:00:00




>I am using Red Hat 6.2 with the latest kernel on a firewall. My clients use
>Outlook and IE. My outbound connection is ADSL using an ALCATEL 1000 modem.
>I can surf just fine and send e-mail if it is not too large, but I cannot
>send attachments. I get a server time out. I also cannot put large amounts
>of text into HTML forms; I get the same error. I am using IPCHAINS and MASQ on
>my firewall. Any ideas???
>Stumpt

You should make sure the kernel is compiled with the option to
defragment packets. The IP forwarding code does not always do the
correct thing with packet fragments. Reconstructing a fragmented packet
before processing it prevents this.

 
 
 

Post by Tad » Mon, 24 Apr 2000 04:00:00



> You should make sure the kernel is compiled with the option to
> defragment packets. The IP forwarding code does not always do the
> correct thing with packet fragments. Reconstructing a fragmented packet
> before processing it prevents this.

I don't think this is a kernel option anymore, you have to do

# echo "1" > /proc/sys/net/ipv4/ip_always_defrag

on the 2.2.x kernels.

Tad

 
 
 

Post by elle.. » Mon, 24 Apr 2000 04:00:00



> I don't think this is a kernel option anymore, you have to do
> # echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> on the 2.2.x kernels.

On some recent systems, it's set via /etc/sysctl.conf.

--

 
 
 

Post by Tad » Mon, 24 Apr 2000 04:00:00



>recent systems, it's set via /etc/sysctl.conf.

Yeah, I just installed RH 6.2 and it is now set that way, but you can still
use the old method.  =)

Tad

 
 
 

Post by Walter Dn » Mon, 24 Apr 2000 04:00:00


On Sat, 22 Apr 2000 15:40:02 -0500, Don Smith,

> I can surf just fine and send e-mail if it is not too large,

  Warning sign...

> but I cannot send attachments. I get a server time out.

  Another warning sign...

> I also cannot put large amounts of text into HTML forms; I get the
> same error.

  Woo-oop, woo-oop, woo-oop! Red alert!  Definitely an MTU mismatch.

> I am using IPCHAINS and MASQ on my firewall. Any ideas???
> Stumpt

  You're using pppoe and/or IPCHAINS is blocking MTU discovery, so
you'll have to do it manually.  To get the current value of MTU for your
various interfaces, execute "ifconfig" (without the quotes).  Note that
you have to run it as root.  Ordinary users can't even see it.

  To find out what MTU your ISP uses you can...
  1) phone the helpful and knowledgeable support desk at your ISP <g>
     and ask.
  2) if the staffer doesn't know, you'll have to do it the hard way.
     - pick a machine at your ISP, e.g. the news server
     - run traceroute with the no-fragmentation option and setting a
       long packet length, e.g...
       traceroute -F news.stumpt.net 1500
     - if you get a "too long" error, try a lower size.  "Popular" sizes
       are 1500, 1000, and 576 bytes.
     - once you find a size that works, raise the packet length until it
       fails.  The maximum size that you can push through is your best
       MTU

  You can change MTU manually with the ifconfig command.  I don't think
that you want to do it manually each time you boot.  On my system the
file /etc/sysconfig/network-scripts/ifcfg-eth0 contains...

DEVICE=eth0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes

  Add the line
MTU=1000
  ...or whatever the number is, to your equivalent file.  This has worked
for me on my ppp0 (modem) interface.  I too am running RH 6.2, so I
expect that your file structure is similar.

--

at http://www.waltdnes.org   This message coming to you in living Linux.
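
The size search described in the post above, as an added example that is not part of the original post: it binary-searches the largest packet that gets through with the Don't Fragment bit set. It swaps the post's `traceroute -F` for Linux `ping -M do`, whose exit status is easier to test; `PROBE_HOST`, `probe_ping` and `find_path_mtu` are names assumed for this sketch.

```shell
#!/bin/sh
# Added example: find the largest packet size that crosses the path unfragmented.

# probe_ping SIZE: real probe (Linux iputils ping). Sends one echo request
# with DF set whose total IP packet length is SIZE bytes
# (ICMP payload = SIZE - 20 bytes IP header - 8 bytes ICMP header).
# PROBE_HOST is an assumed variable naming a machine at your ISP.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$(( $1 - 28 ))" "$PROBE_HOST" >/dev/null 2>&1
}

# find_path_mtu PROBE LOW HIGH
# PROBE is a command that takes a packet size and returns 0 if it got through.
# Prints the largest working size in [LOW, HIGH]. Returns 1 if even LOW fails,
# which points at an unreachable host or filtered ICMP rather than at the MTU.
find_path_mtu() {
    probe=$1 low=$2 high=$3
    "$probe" "$low" || return 1
    # Invariant: low is known to pass; everything above high is known to fail.
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))
        if "$probe" "$mid"; then
            low=$mid
        else
            high=$(( mid - 1 ))
        fi
    done
    echo "$low"
}

# Usage (needs network access):
#   PROBE_HOST=news.stumpt.net find_path_mtu probe_ping 576 1500
```

The printed value is the candidate for the `MTU=` line; a failure at the lowest size means the probes themselves are being dropped, so check the filter rules before lowering the MTU further.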

 
 
 

Post by elle.. » Mon, 24 Apr 2000 04:00:00




>>recent systems, it's set via /etc/sysctl.conf.
> Yeah, I just installed RH 6.2 and it is now set that way, but you can still
> use the old method.  =)

I just happen to like sysctl better. ;) But seriously, I point it out
for people in a situation similar to mine where it can bite you. For
example:

1. You write a script /etc/rc.d/rc.firewall containing all of the
   sysctl and ipchains commands to construct your packet filter.

2. You add a second script, /etc/rc.d/init.d/packetfilter, which
   runs rc.firewall before /etc/rc.d/<runlevel>/network.

3. rc.network runs and resets all of the sysctl parameters.

4. You scratch your head and spend a couple minutes with grep trying
   to figure out how they keep getting mashed. :)

I'm a big fan of the System V init, don't get me wrong. But
historically, the RedHat /etc/sysconfig mess has really been a
headache for me. I much prefer a "standard" single config file to tune
kernel parameters, such as the aforementioned /etc/sysctl.conf.

And, as I said, finding out exactly where your init scripts set things
can prevent it from clobbering your own settings. :)

--
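
A check for the clobbering described in the post above, added here as an example and not part of the original post: it compares every `key = value` line in a sysctl.conf-style file with the live value under /proc/sys and reports each setting that a later init script has reset. The names `norm` and `sysctl_drift`, and the optional second argument (an alternate proc root, used for testing), are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report sysctl settings whose live value no longer matches
# the configured one, e.g. net.ipv4.ip_always_defrag reset after the firewall ran.

# norm: collapse runs of whitespace and trim both ends (stdin -> stdout).
norm() { tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# sysctl_drift CONF [PROC_ROOT]
# Prints "key want=X live=Y" for every mismatch; returns 1 if any was found.
sysctl_drift() {
    conf=$1 root=${2:-/proc/sys} drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | norm)
        case $line in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            *=*) ;;                     # a key = value line: handled below
            *) continue ;;              # anything else is ignored
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | norm)
        # net.ipv4.ip_forward -> PROC_ROOT/net/ipv4/ip_forward
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then live=$(norm < "$path"); else live=missing; fi
        if [ "$want" != "$live" ]; then
            echo "$key want=$want live=$live"
            drift=1
        fi
    done < "$conf"
    return "$drift"
}

# Usage: run as the last step of boot, after both the network and firewall scripts:
#   sysctl_drift /etc/sysctl.conf || echo "sysctl settings were overwritten" >&2
```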

 
 
 

Post by Don Smit » Wed, 26 Apr 2000 04:00:00


Thanks Walter,

You hit it on the head.  It is a conflict with MTU, started scaling down,
finally reset to 1000 and it's in solid.

Appreciate all the other good tips I got as well.  One of the most difficult
parts of running IPCHAINS is making sure:
1) You don't conflict in your statements
2) You get the statements in the correct order
3) You make sure the sequence of activation of the network and the firewall
are correct and don't conflict with the desired outcome.

Other than that it's a piece of cake :)

--
Donald R. Smith
Principal Analyst
MTC Huntsville Operations
(Voice) 256-722-5558 (FAX) 256-722-4901

> On Sat, 22 Apr 2000 15:40:02 -0500, Don Smith,

> > I can surf just fine and send e-mail if it is not too large,
>   Warning sign...

> > but I cannot send attachments. I get a server time out.
>   Another warning sign...

> > I also cannot put large amounts of text into HTML forms; I get the
> > same error.
>   Woo-oop, woo-oop, woo-oop! Red alert!  Definitely an MTU mismatch.

> > I am using IPCHAINS and MASQ on my firewall. Any ideas???
> > Stumpt
>   You're using pppoe and/or IPCHAINS is blocking MTU discovery, so
> you'll have to do it manually.  To get the current value of MTU for your
> various interfaces, execute "ifconfig" (without the quotes).  Note that
> you have to run it as root.  Ordinary users can't even see it.

>   To find out what MTU your ISP uses you can...
>   1) phone the helpful and knowledgeable support desk at your ISP <g>
>      and ask.
>   2) if the staffer doesn't know, you'll have to do it the hard way.
>      - pick a machine at your ISP, e.g. the news server
>      - run traceroute with the no-fragmentation option and setting a
>        long packet length, e.g...
>        traceroute -F news.stumpt.net 1500
>      - if you get a "too long" error, try a lower size.  "Popular" sizes
>        are 1500, 1000, and 576 bytes.
>      - once you find a size that works, raise the packet length until it
>        fails.  The maximum size that you can push through is your best
>        MTU

>   You can change MTU manually with the ifconfig command.  I don't think
> that you want to do it manually each time you boot.  On my system the
> file /etc/sysconfig/network-scripts/ifcfg-eth0 contains...

> DEVICE=eth0
> IPADDR=192.168.1.1
> NETMASK=255.255.255.0
> ONBOOT=yes

>   Add the line
> MTU=1000
>   ...or whatever the number is, to your equivalent file.  This has worked
> for me on my ppp0 (modem) interface.  I too am running RH 6.2, so I
> expect that your file structure is similar.

> --

> at http://www.waltdnes.org   This message coming to you in living Linux.