On 01Jun2021 11:04, Claudio Jeker <cjeker@diehard.n-r-g.com> wrote:
>Make sure you use 'block return' at least for the imap connections.
I already do:
set block-policy return
[... and the first rule ...]
# reject everything except as detailed below
block return log
>This
>way when the state is dropped the firewall will issue a RST packet to the
>server which will close the connection.
Alas, no. I believe that the _modem_ is dropping its NAT state (or some
upstream stateful switch is getting likewise bored) and that the
connection is idle. The firewall's modem's probably sending an RST to
the client if it tries to use the connection after the modem forgets it,
or something, causing the client to make a new connection to recover.
The state table on the firewall itself seems fine (about 30 connections,
in keeping with the staff and devices in the office).
The problem is server side (cloud mail server). The connection goes
idle, the office modem forgets the NAT, the server never sees _any_
indication that the TCP is no longer valid because it's idle.
>On OpenBSD there is the 'net.inet.tcp.always_keepalive' sysctl to
>enable keepalive by default. So that is something you can enable on the IMAP
>server to force keep-alive on there. Other systems have similar knobs.
The IMAP server is Linux, so I'll look at that. Thanks!
Also, setting this on the firewall and interposing relayd would also do
the same trick. So that will be my fallback plan.
Thanks,
Cameron Simpson <cs@cskk.id.au>
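The thread's remedy is to make the IMAP server send TCP keepalive probes so that a peer whose NAT entry has silently expired is noticed and the stale session torn down. OpenBSD has the net.inet.tcp.always_keepalive sysctl for that; Linux has no equivalent "always on" switch, only the system-wide timer defaults (net.ipv4.tcp_keepalive_time, tcp_keepalive_intvl, tcp_keepalive_probes), and each socket must still opt in with SO_KEEPALIVE. The following is an added example, not code from the thread or from any IMAP server, showing how a Linux daemon opts a socket in and tunes the per-socket timers; the idle/interval/probe-count values are constructed for illustration and should be chosen so the first probe fires well inside whatever idle timeout the office modem's NAT table uses.

```python
import socket

# Constructed example values (seconds / probe count), not taken from the thread.
# The idle timer must be shorter than the NAT idle timeout of the customer's
# modem, otherwise the NAT entry is already gone before the first probe.
KEEPALIVE_IDLE = 120      # seconds of silence before the first probe
KEEPALIVE_INTERVAL = 30   # seconds between unanswered probes
KEEPALIVE_COUNT = 4       # unanswered probes before the kernel resets the socket


def enable_keepalive(sock, idle=KEEPALIVE_IDLE, interval=KEEPALIVE_INTERVAL,
                     count=KEEPALIVE_COUNT):
    """Opt a TCP socket in to keepalive and tune its timers where the
    platform exposes per-socket knobs.  Returns what the kernel reports back
    via getsockopt(), so a caller can verify the settings actually applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}

    # Linux option names; macOS/BSD spell the idle timer TCP_KEEPALIVE instead,
    # and some platforms expose none of them (then only SO_KEEPALIVE applies
    # and the system defaults govern the timers).
    wanted = (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count))
    for name, value in wanted:
        opt = getattr(socket, name, None)
        if opt is None and name == "TCP_KEEPIDLE":
            opt = getattr(socket, "TCP_KEEPALIVE", None)
        if opt is None:
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def worst_case_detection_seconds(idle=KEEPALIVE_IDLE, interval=KEEPALIVE_INTERVAL,
                                 count=KEEPALIVE_COUNT):
    """How long a dead, idle peer can linger before the kernel gives up:
    the idle timer plus every probe interval."""
    return idle + interval * count


def keepalive_settings_for_new_socket():
    """Create a fresh TCP socket, enable keepalive on it and return the
    settings the kernel reports.  No connection is made, so this runs offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    print(keepalive_settings_for_new_socket())
    print("stale session detected within", worst_case_detection_seconds(), "s")
```

Call enable_keepalive() on each accepted connection in the server (or on the listening socket before accept(), since Linux inherits the options onto accepted sockets). With the values above a forgotten NAT entry is noticed within 120 + 4 x 30 = 240 seconds of the last traffic, and the server-side state is released instead of sitting idle indefinitely.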