[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FW1] mdq multi-threading issues..

To: fw-1-mailinglist@lists.us.checkpoint.com
Subject: [FW1] mdq multi-threading issues..
From: "Paquette, Trevor" <TrevorPaquette@metronet.ca>
Date: Wed, 10 Nov 1999 12:38:58 -0700
    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set. Some ]
    [ characters may be displayed incorrectly. ]


Is mdq multi threaded?
I know that when there are a bunch of messages queued up for the
Security Server (in our case a virus scanner), mdq will send up
to 24 concurrent connections to the virus scanner.. however
after that mdq seems to not be able to 'keep up'. It only does 
2 to 5 concurrent connections after that.. even though there are over
50 messages in the spooling directory waiting to go.

With large attachments being sent, sometimes things get queued up the
firewall.. i.e. many R12345678 files in the mail spooling directory (we've
had cases of over
600 messages just sitting there). I know that the problem is not the NT
server that is doing the virus scanning. mdq is only sending files 3 or 4 at
a time,
when it should be streaming 24 files..

I need to somehow tell mdq to send more files to be scanned.. sometimes
mail sits in the mail spooling directory for over 1 hour before being sent
to the
NT server.

How often does mdq go through the files in the spool directory? How can I
keep
mdq 'going full steam' and keep up with what is coming in?


> -----Original Message-----
> From:	Young, Roger [SMTP:youngr@erinet.com]
> Sent:	Saturday, November 06, 1999 9:27 PM
> To:	Fábio Rocha; Anchises Moraes Guimaraes de Paula; Stalvig, Paul;
> fw-1-mailinglist@lists.us.checkpoint.com
> Subject:	Re: [FW1] Traceroute
> 
> 
> Fabio,
> 
> Use the following Services in your rule:
> 
> echo-request
> echo-reply
> time-exceeded
> traceroute
> dest-unreach
> 
> Keep in mind that implementations of traceroute are different between Unix
> and NT. The above services will cover both implementations.  Source and
> Destination are Any/Any. For our less secure Intranet firewalls this rule
> is typically placed first so that the network group can ping and
> traceroute
> at will.
> 
> Roger
> 
> At 08:07 PM 11/05/1999 -0200, Fábio Rocha wrote:
> >
> >> Have youo already checked your  Firewall-1 properties?
> >
> >Yes, I've already checked.
> >
> >> Try just setting "Accept ICMP" to first to see if traceroute works.
> >
> >Yes, it is defined to first.
> >
> >Thanks anyway.
> >Fábio.
> >
> >>
> >> I hope that everything else is passing throught your Firewall, which
> means
> >> that NAT and all basic configurations are ok.
> >>
> >> Good luck,
> >>
> >> > Anchises  M. G. de Paula
> >> > AMERICEL
> >> > I.T. - Coordenador de Segurança de Informações
> >> > email: amoraes@americel.com.br
> >> > Fone: (0xx61) 329 6698
> >> http://www.americel.com.br
> >>
> >>
> >> > -----Original Message-----
> >> > From: Fábio Rocha [SMTP:fpr@support.bozano.com]
> >> > Sent: Friday, November 05, 1999 6:29 PM
> >> > To: Stalvig, Paul; fw-1-mailinglist@lists.us.checkpoint.com
> >> > Subject: Re: [FW1] Traceroute
> >> >
> >> >
> >> > > You need to let ICMP echo-reply and ICMP time-exceeded through for
> >that
> >> > > management station...
> >> >
> >> > My policy allows everything from or to the mngmt station... not just
> >ICMP!
> >> >
> >> > > Traceroute works on a station value.. It sends out the ping (to the
> >> > > recipient) with a value of 1 the first place it gets sends the
> reply
> >> > back
> >> > as
> >> > > a timeout.  Then traceroute pings again with a value of 2, and so
> >on...
> >> >
> >> > Yes, it changes the TTL value on the IP header.
> >> >
> >> > But I think my policy is not the problem... because it allows
> >everything,
> >> > so, it should be working already.
> >> >
> >> > Thanks anyway.
> >> > Fábio.
> >> >
> >> > >
> >> > > Paul
> >> > >
> >> > > -----Original Message-----
> >> > > From: Fábio Rocha [mailto:fpr@support.bozano.com]
> >> > > Sent: Friday, November 05, 1999 2:54 PM
> >> > > To: fw-1-mailinglist@lists.us.checkpoint.com
> >> > > Cc: ubcst01@bozano.com; ubcst08@bozano.com;
> >> > > ubcst05@bozano.com
> >> > > Subject: [FW1] Traceroute
> >> > >
> >> > >
> >> > > HI,
> >> > >
> >> > > Sorry if this question is off-topic but I couldn't find a
> >> > > solution to this
> >> > > yet.
> >> > >
> >> > > I am trying to allow traceroutes through Firewall-1, my
> >> > > network setup is as
> >> > > follows:
> >> > >
> >> > > INTERNAL NETWORK ---- FW1 ---- ROUTER ----- INTERNET
> >> > >     (10.x.y.z)                            (valid ip)
> >> > > (valid ip)
> >> > >
> >> > > The idea is to let a management station in the internal
> >> > > network to
> >> > > traceroute through FW1, out to the Internet. The FW1 box is
> >> > > a SunOS 5.6 host
> >> > > with Firewall-1 3.0 installed.
> >> > >
> >> > > When I try to traceroute from the workstation, the
> >> > > traceroute "gets blind"
> >> > > as soon as it reaches the firewall.
> >> > >
> >> > > The security policy in the Firewall allows everything coming
> >> > > from or going
> >> > > to the management station to go through. There is also a
> >> > > static NAT rule
> >> > > that translates the workstation internal IP to a valid one.
> >> > > The routes and
> >> > > arp entries necessary to proper NAT funcionality ARE there.
> >> > >
> >> > > Does anybody succeeded in allowing traceroutes through FW-1?
> >> > > Any suggestions and/or advices on this?
> >> > >
> >> > > TIA,
> >> > > Fábio Rocha.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> >
> >=========================================================================
> =
> >> > ==
> >> > > ====
> >> > >      To unsubscribe from this mailing list, please see the
> >> > > instructions at
> >> > >
> >> > > http://www.checkpoint.com/services/mailing.html
> >> > >
> >> > >
> >> >
> >=========================================================================
> =
> >> > ==
> >> > > ====
> >> >
> >> >
> >> >
> >> >
> >=========================================================================
> =
> >> > ======
> >> >      To unsubscribe from this mailing list, please see the
> instructions
> >at
> >> >                http://www.checkpoint.com/services/mailing.html
> >> >
> >=========================================================================
> =
> >> > ======
> >
> >
> >
> >=========================================================================
> ===
> >====
> >     To unsubscribe from this mailing list, please see the instructions
> at
> >               http://www.checkpoint.com/services/mailing.html
> >=========================================================================
> ===
> >====
> 
> 
> 
> 
> ==========================================================================
> ======
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==========================================================================
> ======


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
Prev by Date: Re: [FW1] Changing port number in SMTP Sec server
Next by Date: RE: [FW1] FW-1 report tool.. has anyone?
Prev by thread: RE: [FW1] FW-1 report tool.. has anyone?
Next by thread: [FW1] Thanks -- puzzling routing issue
Index(es):
- Date
- Thread