On 8/5/10 10:38 PM, Michael Mansour wrote:
>
> So is this enough to guarantee that the MTU discovery process that is
> meant to take place between source (them) and destination (me) is
> actually working?

Yes -- but then it is also totally unnecessary since, unless you are silly enough to include a rule that blocks all ICMP, Shorewall always allows those packets even with a DROP or REJECT policy. And that is just a safeguard; since those packets are RELATED to an existing connection, they are normally passed by Shorewall-generated rules which ACCEPT packets in the ESTABLISHED or RELATED states.

>
> This sendmail SYSERR is annoying as it will show up for a week (from
> one particular source where no mail will ever come from them - while
> most other sources remain fine) and then go away for months while it
> works fine, then come back for no apparent reason from the same
> sending source for another few days or a week, then go away again.

This problem can occur at *any router between your firewall and the remote server*. The only other measure you can take is to set CLAMPMSS=Yes in shorewall.conf; that is only helpful if the MTU of your internet interface is less than that of the interface to your outgoing MTA.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
