[SM-USERS] login very slowly after iptable firewall is on


[SM-USERS] login very slowly after iptable firewall is on

Tommy Tang-2
Dear All:
 
I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and everything is OK until I enable the iptable firewall.
After the firewall is enabled, the login comes out just as usual, but after clicking the login button there is nearly no response for about 6~7 minutes for the login result window to come out. If I stop the iptable firewall everything restores to normal. What's the problem? BTW, my IMAP server is the RedHat built-in IMAP server.
 
The mail server is: http://mail.vigoicu.com:8080
 
Best Regards!
Yours Sincerely Tommy

Re: [SM-USERS] login very slowly after iptable firewall is on

ronny-3

Tommy Tang wrote:
> Dear All:
>
> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
> everything is OK until I enable the iptable firewall.
> After the firewall is enabled, the login comes out just as usual, but
> after clicking the login button there is nearly no response for about 6~7
> minutes for the login result window to come out. If I stop the iptable
> firewall everything restores to normal. What's the problem? BTW, my IMAP

As you can see the problem is not SM, but your iptable configurations.
Search for manuals on how to configure iptables specifically on --dport.

> server is the RedHat built-in IMAP server.
>
> The mail server is: http://mail.vigoicu.com:8080
>
> Best Regards!
> Yours Sincerely Tommy


-------------------------------------------------
David Maina.
Systems Administrator.
PdE-Kenya.
P. O. Box 1239 - 20100.
Nakuru, Kenya.
Telephone:+254-51-850298/850333.
Cell:+254-721-950073.
------------------------------------

"By golly, I'm beginning to think Linux really *is* the best thing since
sliced bread."


-----------------------------------------
Digital Resource Centre.
Karama Estate.
P.O Box 1239- 20100.
Tel:+254-51-850298/850333.
Email:[hidden email].
http://www.drc.co.ke/
"Multi-Skilling."


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
--
squirrelmail-users mailing list
Posting Guidelines: http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: [hidden email]
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: [SM-USERS] login very slowly after iptable firewall is on

Tomas Kuliavas
In reply to this post by Tommy Tang-2
> Dear All:
>
> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
> everything is OK until I enable the iptable firewall.
> After the firewall is enabled, the login comes out just as usual, but
> after clicking the login button there is nearly no response for about 6~7
> minutes for the login result window to come out. If I stop the iptable
> firewall everything restores to normal. What's the problem? BTW, my IMAP
> server is the RedHat built-in IMAP server.
>
> The mail server is: http://mail.vigoicu.com:8080

try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT instead of
DROP.

--
Tomas



Re: [SM-USERS] login very slowly after iptable firewall is on

Tommy Tang-2

Best Regards!
Yours Sincerely Tommy
----- Original Message -----
From: "Tomas Kuliavas" <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, October 18, 2005 8:19 PM
Subject: Re: [SM-USERS] login very slowly after iptable firewall is on


> > Dear All:
> >
> > I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
> > everything is OK until I enable the iptable firewall.
> > After the firewall is enabled, the login comes out just as usual, but
> > after clicking the login button there is nearly no response for about 6~7
> > minutes for the login result window to come out. If I stop the iptable
> > firewall everything restores to normal. What's the problem? BTW, my IMAP
> > server is the RedHat built-in IMAP server.
> >
> > The mail server is: http://mail.vigoicu.com:8080
>
> try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT instead of
> DROP.

These ports are already open.

>
> --
> Tomas

Re: [SM-USERS] login very slowly after iptable firewall is on

Tomas Kuliavas
>>> Dear All:
>>>
>>> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
>>> everything is OK until I enable the iptable firewall.
>>> After the firewall is enabled, the login comes out just as usual, but
>>> after clicking the login button there is nearly no response for about
>>> 6~7 minutes for the login result window to come out. If I stop the
>>> iptable firewall everything restores to normal. What's the problem?
>>> BTW, my IMAP server is the RedHat built-in IMAP server.
>>>
>>> The mail server is: http://mail.vigoicu.com:8080
>>
>> try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT instead
>> of DROP.
>
> These ports are already open.

Show listing of your firewall rules.

iptables -L -n

--
Tomas



Re: [SM-USERS] login very slowly after iptable firewall is on

Tommy Tang-2
The following is the result of iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:webcache
ACCEPT     udp  --  anywhere             anywhere           udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:domain
ACCEPT     all  --  anywhere             anywhere    ( iptables -A INPUT -i lo -j ACCEPT)

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Best Regards!
Yours Sincerely Tommy
----- Original Message -----
From: "Tomas Kuliavas" <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, October 18, 2005 8:58 PM
Subject: Re: [SM-USERS] login very slowly after iptable firewall is on


> >>> Dear All:
> >>>
> >>> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
> >>> everything is OK until I enable the iptable firewall.
> >>> After the firewall is enabled, the login comes out just as usual, but
> >>> after clicking the login button there is nearly no response for about
> >>> 6~7 minutes for the login result window to come out. If I stop the
> >>> iptable firewall everything restores to normal. What's the problem?
> >>> BTW, my IMAP server is the RedHat built-in IMAP server.
> >>>
> >>> The mail server is: http://mail.vigoicu.com:8080
> >>
> >> try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT instead
> >> of DROP.
> >
> > These ports are already open.
>
> Show listing of your firewall rules.
>
> iptables -L -n
>
> --
> Tomas

Re: [SM-USERS] login very slowly after iptable firewall is on

Tomas Kuliavas
>> >>> Dear All:
>> >>>
>> >>> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
>> >>> everything is OK until I enable the iptable firewall.
>> >>> After the firewall is enabled, the login comes out just as usual, but
>> >>> after clicking the login button there is nearly no response for about
>> >>> 6~7 minutes for the login result window to come out. If I stop the
>> >>> iptable firewall everything restores to normal. What's the problem?
>> >>> BTW, my IMAP server is the RedHat built-in IMAP server.
>> >>>
>> >>> The mail server is: http://mail.vigoicu.com:8080
>> >>
>> >> try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT
>> instead
>> >> of DROP.
>> >
>> > These ports are already open.
>>
>> Show listing of your firewall rules.
>>
>> iptables -L -n

> The following is the result of iptables -L:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere            anywhere           tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> dpt:ftp-data
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> dpt:webcache
> ACCEPT     udp  --  anywhere             anywhere           udp
> spt:domain
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> spt:domain
> ACCEPT     all  --  anywhere             anywhere    ( iptables -A INPUT
> -i lo -j ACCEPT)

Please follow the same reply style as the one that is used in the first
reply. It is hard to follow the conversation when you top post.

Use REJECT and not DROP. When a port is closed, a standard computer replies
with an ICMP port unreachable response. If the firewall drops connections,
it causes delays that indicate use of a firewall.

Some packets reach the end of the INPUT table and are dropped by the default
INPUT policy. Add 'iptables -A INPUT -j LOG' to your ruleset and check what
packets reach the end of the table.

When you design a firewall ruleset, the ruleset should not depend on policy.
The last rule should set a wide match that defines your preferred packet
handling policy.

--
Tomas
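
The checks suggested in the message above (an explicit wide final rule instead of reliance on the chain policy, and a LOG rule to see what reaches the end of the chain), run over the INPUT listing posted earlier in the thread. This is an added example, not part of the thread; the function names, finding labels and the REVISED listing are constructed for illustration.

```python
import re

# INPUT chain as posted in the thread (`iptables -L`, no -v), without the
# poster's inline note on the last rule.
POSTED = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:webcache
ACCEPT     udp  --  anywhere             anywhere           udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:domain
ACCEPT     all  --  anywhere             anywhere
"""

# Constructed: the same chain after appending a LOG rule and a wide REJECT.
REVISED = POSTED + """\
LOG        all  --  anywhere             anywhere           LOG level warning
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable
"""

ANY = {"anywhere", "0.0.0.0/0"}  # the second form appears with -n
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)\)")
TARGET_OPTS_RE = re.compile(r"^(LOG |reject-with ).*$")


def parse_listing(text):
    """Parse `iptables -L` text into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            header = CHAIN_RE.match(line)
            current = None  # user-defined chains have no policy; skip them
            if header:
                current = {"policy": header.group(2), "rules": []}
                chains[header.group(1)] = current
            continue
        fields = line.split(None, 5)
        if current is None or len(fields) < 5 or fields[0] == "target":
            continue
        current["rules"].append({
            "target": fields[0], "prot": fields[1],
            "source": fields[3], "destination": fields[4],
            "match": fields[5].strip() if len(fields) > 5 else "",
        })
    return chains


def is_wide(rule):
    """True when the listing shows no protocol, address or port restriction."""
    extra = TARGET_OPTS_RE.sub("", rule["match"])
    return (rule["prot"] == "all" and rule["source"] in ANY
            and rule["destination"] in ANY and extra == "")


def audit(chains, chain="INPUT"):
    """Return (id, message) findings for one built-in chain."""
    policy, rules = chains[chain]["policy"], chains[chain]["rules"]
    findings = []
    last = rules[-1] if rules else None
    if not (last and is_wide(last) and last["target"] in ("DROP", "REJECT")):
        findings.append(("relies-on-policy",
                         f"unmatched packets fall through to policy {policy}; "
                         "end the chain with an explicit wide rule"))
    if not any(r["target"] == "LOG" for r in rules):
        findings.append(("no-log-rule",
                         "nothing records which packets reach the end of the chain"))
    if any(is_wide(r) and r["target"] == "ACCEPT" for r in rules):
        findings.append(("accept-all-shown",
                         "a rule displays as accept-everything; -L without -v "
                         "hides interface matches such as -i lo"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("revised", REVISED)):
        for ident, message in audit(parse_listing(text)):
            print(f"{name}: {ident}: {message}")
```

The remaining finding on the revised listing goes away once the rules are listed with `iptables -L -n -v`, which shows the interface each rule is bound to.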



Re: [SM-USERS] login very slowly after iptable firewall is on

Tommy Tang-2

----- Original Message -----
From: "Tomas Kuliavas" <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, October 18, 2005 9:33 PM
Subject: Re: [SM-USERS] login very slowly after iptable firewall is on


> >> >>> Dear All:
> >> >>>
> >> >>> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
> >> >>> everything is OK until I enable the iptable firewall.
> >> >>> After the firewall is enabled, the login comes out just as usual, but
> >> >>> after clicking the login button there is nearly no response for about
> >> >>> 6~7 minutes for the login result window to come out. If I stop the
> >> >>> iptable firewall everything restores to normal. What's the problem?
> >> >>> BTW, my IMAP server is the RedHat built-in IMAP server.
> >> >>>
> >> >>> The mail server is: http://mail.vigoicu.com:8080
> >> >>
> >> >> try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT
> >> instead
> >> >> of DROP.
> >> >
> >> > These ports are already open.
> >>
> >> Show listing of your firewall rules.
> >>
> >> iptables -L -n
>
> > The following is the result of iptables -L:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > ACCEPT     tcp  --  anywhere            anywhere           tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > dpt:ftp-data
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > dpt:webcache
> > ACCEPT     udp  --  anywhere             anywhere           udp
> > spt:domain
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > spt:domain
> > ACCEPT     all  --  anywhere             anywhere    ( iptables -A INPUT
> > -i lo -j ACCEPT)
>
> Please follow same reply style as the one that is used in first reply. It
> is hard to follow conversation when you top post.
>
> Use REJECT and not DROP. When port is closed, standard computer replies
> with icmp port unreachable response. If firewall drops connections, it
> causes delays that indicate use of firewall.
>
> Some packets reach end of INPUT table and are dropped by default INPUT
> policy. Add 'iptables -A INPUT -j LOG' to your ruleset and check what
> packets reach end of table.
>
> When you design firewall ruleset, ruleset should not depend on policy.
> Last rule should set wide match that defines your preferred packet
> handling policy.
>

I have added 'iptables -A INPUT -j LOG' to the end of the table but found no packet on mail in the log. I think it is not because packets from SM are dropped. SM fetches email through IMAP via the loopback interface and I have allowed all the packets from the loopback interface in my firewall configuration. The symptom is not that SM can't log in but that it logs in very slowly. When I remove the rule which allows all the packets via the loopback interface, the login is rather quick but the login fails with error message 'Error connecting to IMAP server: localhost.110 : Connection timed out'.

BR
Tommy

> --
> Tomas
Re: [SM-USERS] login very slowly after iptable firewall is on

Tommy Tang-2
In reply to this post by Tomas Kuliavas
----- Original Message -----
From: "Tomas Kuliavas" <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, October 18, 2005 9:33 PM
Subject: Re: [SM-USERS] login very slowly after iptable firewall is on


> >> >>> Dear All:
> >> >>>
> >> >>> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
> >> >>> everything is OK until I enable the iptable firewall.
> >> >>> After the firewall is enabled, the login comes out just as usual, but
> >> >>> after clicking the login button there is nearly no response for about
> >> >>> 6~7 minutes for the login result window to come out. If I stop the
> >> >>> iptable firewall everything restores to normal. What's the problem?
> >> >>> BTW, my IMAP server is the RedHat built-in IMAP server.
> >> >>>
> >> >>> The mail server is: http://mail.vigoicu.com:8080
> >> >>
> >> >> try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT
> >> instead
> >> >> of DROP.
> >> >
> >> > These ports are already open.
> >>
> >> Show listing of your firewall rules.
> >>
> >> iptables -L -n
>
> > The following is the result of iptables -L:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > ACCEPT     tcp  --  anywhere            anywhere           tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > dpt:ftp-data
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > dpt:webcache
> > ACCEPT     udp  --  anywhere             anywhere           udp
> > spt:domain
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > spt:domain
> > ACCEPT     all  --  anywhere             anywhere    ( iptables -A INPUT
> > -i lo -j ACCEPT)
>
> Please follow same reply style as the one that is used in first reply. It
> is hard to follow conversation when you top post.
>
> Use REJECT and not DROP. When port is closed, standard computer replies
> with icmp port unreachable response. If firewall drops connections, it
> causes delays that indicate use of firewall.
>
> Some packets reach end of INPUT table and are dropped by default INPUT
> policy. Add 'iptables -A INPUT -j LOG' to your ruleset and check what
> packets reach end of table.
>
> When you design firewall ruleset, ruleset should not depend on policy.
> Last rule should set wide match that defines your preferred packet
> handling policy.
>

Another piece of information that may be helpful to diagnose the problem is that if the login name or password is not correct, the error report window comes out rather quickly; that is, the slow login is only when the login is correct. So I doubt maybe it is the problem of SM.

> --
> Tomas
Re: [SM-USERS] login very slowly after iptable firewall is on

Tommy Tang-2
In reply to this post by Tomas Kuliavas
----- Original Message -----
From: "Tomas Kuliavas" <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, October 18, 2005 9:33 PM
Subject: Re: [SM-USERS] login very slowly after iptable firewall is on


> >> >>> Dear All:
> >> >>>
> >> >>> I have installed SquirrelMail 1.4.5 on Redhat Enterprise Server 3.0 and
> >> >>> everything is OK until I enable the iptable firewall.
> >> >>> After the firewall is enabled, the login comes out just as usual, but
> >> >>> after clicking the login button there is nearly no response for about
> >> >>> 6~7 minutes for the login result window to come out. If I stop the
> >> >>> iptable firewall everything restores to normal. What's the problem?
> >> >>> BTW, my IMAP server is the RedHat built-in IMAP server.
> >> >>>
> >> >>> The mail server is: http://mail.vigoicu.com:8080
> >> >>
> >> >> try unblocking udp/53, tcp/53 and tcp/113 ports. Or use REJECT
> >> instead
> >> >> of DROP.
> >> >
> >> > These ports are already open.
> >>
> >> Show listing of your firewall rules.
> >>
> >> iptables -L -n
>
> > The following is the result of iptables -L:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > ACCEPT     tcp  --  anywhere            anywhere           tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > dpt:ftp-data
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > dpt:webcache
> > ACCEPT     udp  --  anywhere             anywhere           udp
> > spt:domain
> > ACCEPT     tcp  --  anywhere             anywhere           tcp
> > spt:domain
> > ACCEPT     all  --  anywhere             anywhere    ( iptables -A INPUT
> > -i lo -j ACCEPT)
>
> Please follow same reply style as the one that is used in first reply. It
> is hard to follow conversation when you top post.
>
> Use REJECT and not DROP. When port is closed, standard computer replies
> with icmp port unreachable response. If firewall drops connections, it
> causes delays that indicate use of firewall.
>
> Some packets reach end of INPUT table and are dropped by default INPUT
> policy. Add 'iptables -A INPUT -j LOG' to your ruleset and check what
> packets reach end of table.
>
> When you design firewall ruleset, ruleset should not depend on policy.
> Last rule should set wide match that defines your preferred packet
> handling policy.
>
> --
> Tomas
>

I get the real reason: it is because of the plug-in virus scan. When I remove this plug-in, everything is OK now.
