>> When this happens, a lot of messages are in the postfix queue with a
>> host not found or mx lookup error. All messages are sent in time, but
>> the bounce processing option of mailman reacts on this behavior so
>> some members are disabled from the list.
>>
>
> Sounds like some nice flood control. What is your DNS setup? Do you
> use the DNS of your ISP or your own?
> Could there be some other 'smart' 'firewall' blocking you?
> If you run the DNS, is there anything in its logs?
>
> Ratelimiting on switch?
I'm not much of a firewall expert, so I use the firehol package to generate my rules. I have a "protection strong 100/sec" setting on my wan interface, and it is producing the following rules for this interface (all other rules skipped):

# CONF: 49>>> protection invalid\ fragments\ new-tcp-w/o-syn\ icmp-floods\ syn-floods\ malformed-xmas\ malformed-null\ malformed-bad 100/sec 50
/sbin/iptables -A in_internet -m state --state INVALID -j DROP
# INFO>>> Creating chain 'pr_internet_fragments' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N pr_internet_fragments
/sbin/iptables -t filter -A in_internet -f -j pr_internet_fragments
# INFO>>> Generating rules to be protected from packet fragments on 'eth1' for interface 'internet'
/sbin/iptables -t filter -A pr_internet_fragments -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PACKET\ FRAGMENTS:
/sbin/iptables -t filter -A pr_internet_fragments -j DROP
# INFO>>> Creating chain 'pr_internet_nosyn' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N pr_internet_nosyn
/sbin/iptables -t filter -A in_internet -p tcp -m state --state NEW \! --syn -j pr_internet_nosyn
# INFO>>> Generating rules to be protected from new TCP connections without the SYN flag set on 'eth1' for interface 'internet'
/sbin/iptables -t filter -A pr_internet_nosyn -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=NEW\ TCP\ w/o\ SYN:
/sbin/iptables -t filter -A pr_internet_nosyn -j DROP
# INFO>>> Creating chain 'pr_internet_icmpflood' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N pr_internet_icmpflood
/sbin/iptables -t filter -A in_internet -p icmp --icmp-type echo-request -j pr_internet_icmpflood
# INFO>>> Generating rules to be protected from ICMP floods on 'eth1' for interface 'internet'
/sbin/iptables -t filter -A pr_internet_icmpflood -m limit --limit 100/sec --limit-burst 50 -j RETURN
/sbin/iptables -t filter -A pr_internet_icmpflood -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=ICMP\ FLOOD:
/sbin/iptables -t filter -A pr_internet_icmpflood -j DROP
# INFO>>> Creating chain 'pr_internet_synflood' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N pr_internet_synflood
/sbin/iptables -t filter -A in_internet -p tcp --syn -j pr_internet_synflood
# INFO>>> Generating rules to be protected from TCP SYN floods on 'eth1' for interface 'internet'
/sbin/iptables -t filter -A pr_internet_synflood -m limit --limit 100/sec --limit-burst 50 -j RETURN
/sbin/iptables -t filter -A pr_internet_synflood -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=SYN\ FLOOD:
/sbin/iptables -t filter -A pr_internet_synflood -j DROP
# INFO>>> Creating chain 'pr_internet_malxmas' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N pr_internet_malxmas
/sbin/iptables -t filter -A in_internet -p tcp --tcp-flags ALL ALL -j pr_internet_malxmas
# INFO>>> Generating rules to be protected from packets with all TCP flags set on 'eth1' for interface 'internet'
/sbin/iptables -t filter -A pr_internet_malxmas -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=MALFORMED\ XMAS:
/sbin/iptables -t filter -A pr_internet_malxmas -j DROP
# INFO>>> Creating chain 'pr_internet_malnull' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N pr_internet_malnull
/sbin/iptables -t filter -A in_internet -p tcp --tcp-flags ALL NONE -j pr_internet_malnull
# INFO>>> Generating rules to be protected from packets with all TCP flags unset on 'eth1' for interface 'internet'
/sbin/iptables -t filter -A pr_internet_malnull -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=MALFORMED\ NULL:
/sbin/iptables -t filter -A pr_internet_malnull -j DROP
# INFO>>> Creating chain 'pr_internet_malbad' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N pr_internet_malbad
/sbin/iptables -t filter -A in_internet -p tcp --tcp-flags SYN\,FIN SYN\,FIN -j pr_internet_malbad
# INFO>>> Generating rules to be protected from packets with illegal TCP flags on 'eth1' for interface 'internet'
/sbin/iptables -t filter -A in_internet -p tcp --tcp-flags SYN\,RST SYN\,RST -j pr_internet_malbad
/sbin/iptables -t filter -A in_internet -p tcp --tcp-flags ALL SYN\,RST\,ACK\,FIN\,URG -j pr_internet_malbad
/sbin/iptables -t filter -A in_internet -p tcp --tcp-flags ALL FIN\,URG\,PSH -j pr_internet_malbad
/sbin/iptables -t filter -A pr_internet_malbad -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=MALFORMED\ BAD:
/sbin/iptables -t filter -A pr_internet_malbad -j DROP

Could this be the cause of the disconnect?

--
Ariën Huisken

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
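Every protection chain above logs what it drops with a distinct `--log-prefix` before the DROP, so the kernel log is the place to check whether any of them fired while mailman was delivering. The following script is an added example, not part of this thread or of firehol: it parses those LOG lines out of syslog, tallies hits per rule, and flags any that involve DNS (port 53, or a packet from a resolver address you pass in). The log format, host names and addresses in the sample are constructed.

```python
import re
from collections import Counter

# Log prefixes of the firehol-generated rules above; firehol passes them without
# a trailing space, so "IN=" is glued straight after the colon.
PREFIXES = ("PACKET FRAGMENTS:", "NEW TCP w/o SYN:", "ICMP FLOOD:", "SYN FLOOD:",
            "MALFORMED XMAS:", "MALFORMED NULL:", "MALFORMED BAD:")
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Parse one syslog line; return a record for an iptables LOG hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    for prefix in PREFIXES:
        if rest.startswith(prefix):
            f = dict(KV_RE.findall(rest[len(prefix):]))
            # Non-first fragments (what "-f" matches) carry no L4 header, so the
            # kernel logs PROTO but no SPT/DPT for them; those stay None.
            return {"ts": m.group("ts"), "prefix": prefix, "src": f.get("SRC"),
                    "proto": f.get("PROTO"), "spt": f.get("SPT"), "dpt": f.get("DPT")}
    return None

def summarize(lines, resolvers=()):
    """Count hits per (prefix, proto, dpt); collect DNS-related ones (port 53, or
    source is one of the resolver IPs in 'resolvers'). The LOG rules sit behind
    '-m limit 1/second', so these counts are a lower bound on actual drops."""
    by_rule, dns_related = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_rule[(rec["prefix"], rec["proto"], rec["dpt"])] += 1
        if "53" in (rec["spt"], rec["dpt"]) or rec["src"] in set(resolvers):
            dns_related.append(rec)
    return by_rule, dns_related

# Constructed sample log (not real traffic): a UDP fragment from the resolver,
# a postfix warning (ignored), a SYN flood hit on port 25 and an ICMP flood hit.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx kernel: PACKET FRAGMENTS:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.53 DST=198.51.100.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=57 ID=4242 FRAG:185 PROTO=UDP
Mar  3 10:15:01 mx postfix/smtp[1234]: warning: Host or domain name not found. Name service error for name=example.org type=MX: Host not found, try again
Mar  3 10:15:02 mx kernel: SYN FLOOD:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 mx kernel: ICMP FLOOD:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=11 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
"""
```

Run it as `summarize(open("/var/log/messages").read().splitlines(), resolvers={"<your resolver IP>"})` and compare the timestamps of any DNS-related hits with the times mailman was sending.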
