On Sat, 28 Jul 2012 14:42:59 +0000, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Sat, Jul 28, 2012 at 09:10:34AM -0400, Wietse Venema wrote:
>
> > Thus, VERP increases the number of parallel connections. This may
> > result in overflow of state tables in under-powered stateful
> > routers, causing them to drop packets that don't match any existing
> > state.
>
> Or perhaps the state tables don't overflow, but rate limits apply
> regardless of connection state. In fact that would be correct
> behaviour I think. Rate enforcement has little to do with whether
> the connection table is full or not...

[SOLVED]

It was rate limiting kicking in. As it should.

I was unaware that Postfix could be so fast while VERP'ing.

This Postfix setup resides in a fairly modest Xen VPS server. Due to
strict policies that we must comply with, it has fairly conservative
--limit and --limit-burst settings. And, as expected, when those limits
are topped those extra packets get logged and trapped by the final
"-A OUTPUT -j DROP".

> I would guess that the OP's iptables configuration unwisely fails
> to discriminate between incoming and outgoing traffic.

Not in this case. All streams (and not only INPUT and OUTPUT) are fully
discrete, have their own needs and their own policies.

> The solution is to exempt traffic sent from the machine from the rate
> controls.

In 2012, in a server facing the net and running other services besides
mail, I would not call it a safe bet. In the event (that must be
accounted for) of an intrusion, one should consider that a SYN flood DoS
isn't exclusive to the INPUT stream.

Thank you all,
M.
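The rate-limiting behaviour discussed in this thread, as an added example that is not the poster's configuration or any Postfix code: an OUTPUT chain in the shape the post describes, a variant that goes beyond the thread by giving outbound SMTP its own capped bucket instead of the blanket exemption suggested above, and a token-bucket model of the iptables limit match showing why a VERP burst trips a conservative limit. All rule numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's rules. Rules as the post describes them:
# established flows pass, every new outbound TCP connection shares one
# small token bucket, and excess SYNs are logged and then dropped.
rules_conservative() {
    cat <<'EOF'
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A OUTPUT -p tcp --syn -m limit --limit 1/s -j LOG --log-prefix "OUT-RATE: "
-A OUTPUT -j DROP
EOF
}

# Same policy, but outbound SMTP (dport 25) gets a separate, larger bucket
# placed first. It is still capped, so a compromised host cannot become an
# unlimited SYN source; only the budget for mail delivery is raised.
rules_smtp_aware() {
    printf '%s\n' \
      '-A OUTPUT -p tcp --syn --dport 25 -m limit --limit 50/s --limit-burst 100 -j ACCEPT'
    rules_conservative
}

# Token-bucket model of the limit match: the bucket holds <burst> tokens,
# starts full, and refills <rate> tokens per second (whole seconds here).
# Usage: bucket_drops RATE BURST SYNS_PER_SEC SECONDS -> number of dropped SYNs
bucket_drops() {
    rate=$1; burst=$2; per_sec=$3; secs=$4
    tokens=$burst; dropped=0; t=0
    while [ "$t" -lt "$secs" ]; do
        if [ "$per_sec" -le "$tokens" ]; then
            tokens=$((tokens - per_sec))          # whole burst fits
        else
            dropped=$((dropped + per_sec - tokens))  # rest hits the DROP
            tokens=0
        fi
        tokens=$((tokens + rate))
        if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
        t=$((t + 1))
    done
    echo "$dropped"
}

# 20 parallel VERP deliveries per second for 3 s against 5/s burst 10:
bucket_drops 5 10 20 3      # prints 40
# The same load against the SMTP-specific bucket (50/s burst 100):
bucket_drops 50 100 20 3    # prints 0
```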