Mailing List Archive

On Wed, 22 May 2002, Randy Bush wrote:

> <*** very long pause, about thirty seconds ***>

faq


--
[-]

Are you connecting through a firewall that blackholes instead of
refuses ident requests Look for rfc1413 in the exim documentation
to see how to turn off identd requests for certain hosts.

You can also a look at the faq.
http://www.exim.org/exim-html-4.00/doc/html/FAQ_19.html#TOC260

Fred

On Wed, 22 May 2002, Randy Bush wrote:

RB> so what might be causing the loooong pause
RB>
RB> % telnet localhost 25
RB> Trying 127.0.0.1...
RB> Connected to localhost.
RB> Escape character is '^]'.
RB> <*** very long pause, about thirty seconds ***>
RB> 220 barre.foux.edu ESMTP Exim 4.04 Wed, 22 May 2002 11:07:45 -0700
RB> quit
RB> 221 barre.foux.edu closing connection
RB> Connection closed by foreign host.
RB>
RB> i don't get it to all other hosts, just some. i don't get it from
RB> another host to this host.
RB>
RB> same on another exim4 host.
RB>
RB> dns for the hostname, the in-addr.arpa for the ip address,
RB> localhost, 1.0.0.127.in-addr.arpa, etc. are all fine.
RB>
RB> randy
RB>
RB> --
RB>
RB> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
RB>
RB>

--
Le dernier mail que je vous ai envoye contenait surement un virus
extremement dangereux. Pour vous en debarasser vous devez re-formater
et re-installer votre Windows.
echo "bsdhost@fred-net" | sed 's/\(.*\)@\(.*\)-\(.*\)/\2@\1.\3/'

> Are you connecting through a firewall

gawd no! aside from my abhoring firewalls, did you actually
look at the command?

% telnet localhost 25
^^^^^^^^^
> refuses ident requests

bingo! thanks!!!

randy

--
On 2002-05-22 at 12:31 -0700, Randy Bush wrote:
> > Are you connecting through a firewall
>
> gawd no! aside from my abhoring firewalls, did you actually
> look at the command?
>
> % telnet localhost 25
> ^^^^^^^^^
> > refuses ident requests
>
> bingo! thanks!!!

Uhm, that's strange. Are you sure that the host isn't doing any kind of
packet filtering?

I know full well that _you're_ familiar with the three-way handshake and
wouldn't presume to teach you to suck the rotten eggs of networking. ;^)
But in this case ... if there's no packet filtering then the RST should
come back and there would be no delay.

Delay 30s => default timeout reached => no IDENT, no RST, nada.
--
Genius without education is like silver in the mine. -- Ben Franklin
--
[ Content of type application/pgp-signature deleted ]
--

>> % telnet localhost 25
>> ^^^^^^^^^
>>> refuses ident requests
>>
>> bingo! thanks!!!
> Uhm, that's strange. Are you sure that the host isn't doing any kind of
> packet filtering?

% ipfw list
00400 allow ip from any to any
65535 deny ip from any to any

> Delay 30s => default timeout reached => no IDENT, no RST, nada.

that's the path my mind followed, clearly incorrectly. so i enabled
authd for the moment, what the heck.

randy

--
On 2002-05-23 at 10:53 -0700, Randy Bush wrote:
[ proof not filtering ]
> > Delay 30s => default timeout reached => no IDENT, no RST, nada.
>
> that's the path my mind followed, clearly incorrectly. so i enabled
> authd for the moment, what the heck.

Going out on a limb here ... got any IPv6 enabled on your system?

I'm guessing that the interaction of dual-routes depending upon
protocol, and IDENT checking, may not have been thoroughly stress-tested
yet.
--
The Tao that is seen
Is not the true Tao, until
You bring fresh toner.
--
[ Content of type application/pgp-signature deleted ]
--

> [ proof not filtering ]
>>> Delay 30s => default timeout reached => no IDENT, no RST, nada.
>> that's the path my mind followed, clearly incorrectly. so i
>> enabled authd for the moment, what the heck.
> Going out on a limb here ... got any IPv6 enabled on your system?

hmmmm. how did you guess?

> I'm guessing that the interaction of dual-routes depending upon
> protocol, and IDENT checking, may not have been thoroughly
> stress-tested yet.

i guess it may have been tested a bit now <grin>

randy

--
On 2002-05-23 at 10:59 -0700, Randy Bush wrote:
> hmmmm. how did you guess?

Aside from your name being on some of the IPv6/DNS RFCs & drafts? ;^)

(& vague memories of various NANOG posts; I do remember some things from
amongst the deluge of drivel and rantings of various people; for my
sins, I have to read NANOG as part of my job)

> > I'm guessing that the interaction of dual-routes depending upon
> > protocol, and IDENT checking, may not have been thoroughly
> > stress-tested yet.
>
> i guess it may have been tested a bit now <grin>

Do you know if the original connection was over IPv4 or IPv6? (Since I
don't know whether your "localhost" is 127.0.0.1 or ::1)

If you don't have authd turned on, do you get delays with a
"telnet -4 localhost 25"? With a -6 connection?

ipfw => FreeBSD ?

We're not using IPv6 at my employer. Yet. Perhaps some experiments
later this year. So I'm not in a position to help test.

But if you can help narrow it down, past evidence suggests Phil Hazel
will be very co-operative in fixing the bugs. :^)
--
Turing Machine (n.): Harley Davidson.
--
[ Content of type application/pgp-signature deleted ]
--

> Aside from your name being on some of the IPv6/DNS RFCs & drafts? ;^)

against our wills, papa! against our wills! (g&s)

> I have to read NANOG as part of my job

'fess up. you're just another machochist

> Do you know if the original connection was over IPv4 or IPv6? (Since I
> don't know whether your "localhost" is 127.0.0.1 or ::1)

localhost is only 127.0.0.1

> If you don't have authd turned on, do you get delays with a
> "telnet -4 localhost 25"?

yup

> With a -6 connection?

localhost: No address associated with hostname

> ipfw => FreeBSD ?

4.6-stable, a few weeks old

> But if you can help narrow it down, past evidence suggests Phil Hazel
> will be very co-operative in fixing the bugs. :^)

he just happens to have an old account on the box <grin>

randy

--
On 2002-05-23 at 11:20 -0700, Randy Bush wrote:
> > I have to read NANOG as part of my job
>
> 'fess up. you're just another machochist

Entirely unrelated!

There's masochism, and there's repeatedly plunging your head into a
bucket of bovine effluent.

> > If you don't have authd turned on, do you get delays with a
> > "telnet -4 localhost 25"?
>
> yup

Any chance of getting a network dump to verify that the reverse
connection is only being attempted with IPv4?

> > ipfw => FreeBSD ?
>
> 4.6-stable, a few weeks old

*blinks*

4.5-STABLE is out. 4.6 is still in Release Candidate stage, isn't it?

> > But if you can help narrow it down, past evidence suggests Phil Hazel
> > will be very co-operative in fixing the bugs. :^)
>
> he just happens to have an old account on the box <grin>

Bonus.
--
Quis custodiet ipsos custodiet? [ Who watches the watchers? ]
--
[ Content of type application/pgp-signature deleted ]
--

>>> If you don't have authd turned on, do you get delays with a
>>> "telnet -4 localhost 25"?
>> yup
> Any chance of getting a network dump to verify that the reverse
> connection is only being attempted with IPv4?

hmmm. i am feeling stoopid. no bpf on loopback.

>> 4.6-stable, a few weeks old
> 4.5-STABLE is out. 4.6 is still in Release Candidate stage, isn't it?

picky picky

FreeBSD 4.6-PRERELEASE (FOUX) #16: Sun May 5 15:43:21 PDT 2002

randy

On Thu, 23 May 2002, Randy Bush wrote:

> > Do you know if the original connection was over IPv4 or IPv6? (Since I
> > don't know whether your "localhost" is 127.0.0.1 or ::1)
>
> localhost is only 127.0.0.1

... but wasn't it you that was involved in a recent exchange about
"preferring IPv6 when possible" ? On my Solaris 8 box, built with IPv6
enabled, I see the following:

$ telnet localhost
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

(of course, telnetd isn't running). There's no ::1 in /etc/hosts, which
confused me for a bit, until I remembered there's a new file callet
/etc/inet/ipnodes. But I guess this is all be very Solaris-specific.

> > But if you can help narrow it down, past evidence suggests Phil Hazel
> > will be very co-operative in fixing the bugs. :^)
>
> he just happens to have an old account on the box <grin>

But is about to go on vacation for a week. <wide grin>


--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

On Thu, May 23, 2002 at 11:20:00AM -0700, Randy Bush wrote:
> localhost is only 127.0.0.1

are you sure about this?

> > ipfw => FreeBSD ?
> 4.6-stable, a few weeks old

What is the output of: ip6fw list ?

MBM

--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/

>>> Do you know if the original connection was over IPv4 or IPv6? (Since I
>>> don't know whether your "localhost" is 127.0.0.1 or ::1)
>> localhost is only 127.0.0.1
> ... but wasn't it you that was involved in a recent exchange about
> "preferring IPv6 when possible" ? On my Solaris 8 box, built with IPv6
> enabled, I see the following:
> $ telnet localhost
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> telnet: Unable to connect to remote host: Connection refused

but localhost is a dns (or /etc/hosts) lookup, and is only defined
as 127.0.0.1 in my case.

Phil Pennock <Phil.Pennock@globnix.org> helped suss this one out.
the issue was an ident not getting a rst because the /etc/rc.conf
had

tcp_restrict_rst="YES" # Set to YES to restrict emission of RST

randy

At 11:20 -0700 5/23/2002, Randy Bush wrote:
>> ipfw => FreeBSD ?
>
>4.6-stable, a few weeks old

Also found in Mac OS X; given the FreeBSD underpinnings, that's not
surprising.

Results-based testing (not needed in this instance, it seems):

rfc1413_query_timeout = <something different from what it was>

Does the delay change accordingly?

--John

--
John Baxter jwblist@olympus.net Port Ludlow, WA, USA