Re: IPF rules
On 7/1/21 10:17 PM, Todd Gruhn wrote:
I like the point about DNS -- sooo if I accept tcp/53 and udp/53, that
can speed things
On Thu, Jul 1, 2021 at 10:03 PM Todd Gruhn <tgruhn2%gmail.com@localhost> wrote:
How would I know if IPF is the problem?
I stole the IPF rules from 2 of the IPF examples in /usr/share/examples/ipf
On Thu, Jul 1, 2021 at 9:39 PM Brett Lymn <blymn%internode.on.net@localhost> wrote:
On Thu, Jul 01, 2021 at 07:05:13PM -0400, Todd Gruhn wrote:
Is there a way to order IPF-rules so I can get on gmail quicker?
What about speeding up network access in general?
A couple of thoughts:
1) are you sure it is ipf causing the issue? How is gmail without the
firewall on? I wouldn't expect a performance impact from ipf unless
your firewalling is very complex.
2) are you sure your rules are correct? A particular favourite
hobby-horse of mine is people blocking DNS over tcp/53 due to the
totally WRONG belief that only dns zone transfers use tcp/53. This is
WRONG (did I say wrong?) - if a DNS response won't fit into a UDP packet
then the DNS server will reply to the client telling it to try over tcp.
If your firewall doesn't allow that to happen there may be delays in
name resolution which could cause the appearance that gmail is slow.
Sent from my NetBSD device.
"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
I think you would only need to allow inbound connections to tcp port 53
if you were running a nameserver on your machine. You would want to make
sure that you allow outbound connections on tcp port 53 from your
nameserver in any case. Are you using your own nameserver or are you
using another machine for name resolution?
If the nameserver isn't on your computer then: "nc -w 4 -v <nameserver
ip> 53" will let you know if you can connect to that server on port 53.
(-v = verbose, -w 4 = 4 second timeout so you don't wait forever). If
there's a network problem the connection will time out or you'll get an
error. Here are examples:
# nc -w 4 -v 126.96.36.199 53
nc: connect to 188.8.131.52 port 53 (tcp) failed: Connection timed out
# nc -w 4 -v 184.108.40.206 53
Connection to 220.127.116.11 53 port [tcp/domain] succeeded!
# nc -w 4 -v <local ip> 53
nc: connect to <local ip> port 53 (tcp) failed: Connection refused
Use Ctrl-D to close nc if a connection is made. If you're not sure what
nameserver you're using then "resolvconf -l" should show you. I'm
simplifying somewhat as things can be (much) more complicated. But
hopefully I've made things somewhat clearer. <crosses fingers>
And I use mail.google.com somewhat often and it goes to the same place
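An ipf.conf fragment that puts the DNS point from this thread into rules. This is an added example, not a ruleset from the thread or from /usr/share/examples/ipf; the interface name re0 is assumed.

```ipf
# Added example, not from the thread. Workstation that only resolves names.
# Interface re0 is an assumption; substitute the real one.

# Default deny. These rules have no "quick", so a later matching rule
# wins; the "quick" pass rules below stop evaluation as soon as they match.
block in all
block out all

# Wrong but common: only UDP is allowed. When a response does not fit in
# a UDP packet the server sets the truncation (TC) flag and the resolver
# retries over TCP, which this ruleset silently blocks, so lookups stall
# until the client times out.
#pass out quick on re0 proto udp from any to any port = 53 keep state

# Correct: outbound DNS over both UDP and TCP. "keep state" lets the
# answers back in without a separate inbound rule.
pass out quick on re0 proto udp from any to any port = 53 keep state
pass out quick on re0 proto tcp from any to any port = 53 flags S keep state

# Only if this host runs a nameserver that other machines query: accept
# inbound queries on both transports as well.
#pass in quick on re0 proto udp from any to any port = 53 keep state
#pass in quick on re0 proto tcp from any to any port = 53 flags S keep state
```

With the UDP-only variant active, the "nc -w 4 -v <nameserver ip> 53" check above will time out even though the nameserver is fine, which is the symptom being described.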