Hi all,

I have 1 windoze client accessing a squid proxy allowing pasv ftp connections. The client 10.0.0.180 is configured like this:

default gw: 10.0.0.191
proxy settings in ie5: 10.0.0.191 port 3128 for all protocols

The ftp connecting speed is painfully slow. The windoze 2k box first tries to have ftp routed over 10.0.0.191, then it realizes (due to the rejected packets, which produce icmp dest unreachables) it has to use the proxy's port 3128. Then, after ages of waiting, it connects to the ftp server in pasv mode. Trying to change directory on an ftp server takes up to several minutes of waiting.

In case I remove the default gw setting from the win2k client's tcp/ip settings, the ftp connecting speed is ok.

How can I tell windoze 2k or ie5 to first take a look into the ie5 proxy settings and, if unsuccessful, try to connect via routing? Anybody got an idea?

Thank you
Philipp
Hi Philipp, hi folks! Philipp Snizek wrote:
Hi all, . . . In case I remove the default gw setting from the win2k client's tcp/ip settings, the ftp connecting speed is ok.
How can I tell windoze 2k or ie5 to first take a look into the ie5 proxy settings and, if unsuccessful, try to connect via routing? Anybody got an idea?
Maybe your box is "more confused" than W&%-Boxes normally are (LoL) :)

It seems to me that there is a conflict between 'name-resolving/usual traffic/ ...' and your download/ftp-connection. Perhaps the following helps (as a workaround): (I assume that proxy & gateway are on one machine <g>)

Give the network card an additional IP address (e.g. 10.0.0.192)
Make either proxy or gateway connected to the new address
:( change the address on all your W&%-Boxes

# As this is IMHO not (really) security-related,
# feel free to contact me directly

HTH
CU
--
best greetings from Solingen /GERMANY
Dieter Hürten
I have 1 windoze client accessing a squid proxy allowing pasv ftp connections. The client 10.0.0.180 is configured like this: default gw 10.0.0.191, proxy settings in ie5: 10.0.0.191 port 3128 for all protocols.
All this worked for me in a corporate network, with Win95, NT & Win98 clients.
the ftp connecting speed is painfully slow. The windoze 2k box first tries to have ftp routed over 10.0.0.191, then it realizes (due to the rejected packets, which produce icmp dest unreachables) it has to use the proxy's port 3128.
Look, this is a browser bug if you have set a proxy and its ftp is not using the proxy. If you're using another ftp client, then AFAIK you cannot expect it to use IE's proxy settings. The name resolution should only occur once for the ftp server, but the idea that it's trying WINS and then falling back to DNS is a good one; just ignore M$ and use DNS.
Then, after ages of waiting, it connects to the ftp server in pasv mode. Trying to change directory on an ftp server takes up to several minutes of waiting.
You have timeouts on every connection; sometimes this is because the ftp server is making an IDENT check. Perhaps you need to deny rather than reject/drop packets (forgive me if it's reject & deny/drop and I've mixed that up). In this case I think it's because the client ftp-data connections suffer the same problem as the control connection.
In case I remove the default gw setting from the win2k client's tcp/ip settings, the ftp connecting speed is ok.
How can I tell windoze 2k or ie5 to first take a look into the ie5 proxy settings and, if unsuccessful, try to connect via routing? Anybody got an idea?
Sounds like a bad idea to me; I wonder if you have automatic settings overriding your proxy entries?

The thing works without a default route because it gets 'network unreachable' instantly rather than trying to put the packets out itself. Just simplify: use a proxy, and always use it, rather than a complicated fallback strategy that is probably confusing the software. If this doesn't work, upgrade the software, i.e. 'doze 2K or IE5 (ideally with SuSE 7.2 and konqueror/opera/mozilla).

Rob
I have 1 windoze client accessing a squid proxy allowing pasv ftp connections. The client 10.0.0.180 is configured like this: default gw 10.0.0.191, proxy settings in ie5: 10.0.0.191 port 3128 for all protocols. The ftp connecting speed is painfully slow. The windoze 2k box first tries to have ftp routed over 10.0.0.191, then it realizes (due to the rejected packets, which produce icmp dest unreachables) it has to use the proxy's port 3128.
Look, this is a browser bug if you have set a proxy and its ftp is not using the proxy. If you're using another ftp client, then AFAIK you cannot expect it to use IE's proxy settings.
Yes, this is what I expected. I am not in need of any ftp connection other than via the browser.
The name resolution should only occur once for the ftp server, but the idea that it's trying WINS and then falling back to DNS is a good one, just ignore M$ and use DNS.
Then, after ages of waiting, it connects to the ftp server in pasv mode. Trying to change directory on an ftp server takes up to several minutes of waiting.
You have time outs on every connection, sometimes this is because the ftp server is making an IDENT check? Perhaps you need to deny rather than reject/drop packets
REJECTs only from LAN side. DENY from WAN side.
In this case I think it's because the client ftp-data connections suffer the same problem as the control connection.
It looks like this to me. A while after the ftp-ctrl connection is done, it again takes a moment until the ftp-data connection is done.
In case I remove the default gw setting from the win2k client's tcp/ip settings, the ftp connecting speed is ok.
How can I tell windoze 2k or ie5 to first take a look into the ie5 proxy settings and, if unsuccessful, try to connect via routing? Anybody got an idea?
Sounds like a bad idea to me; I wonder if you have automatic settings overriding your proxy entries?
No, I only have 'use proxy server settings only'.
The thing works without default route, because it gets 'network unreachable' instantly rather than trying to put the packets out itself.
Just simplify, use a proxy, and always use it,
I would love to. I need the default gw setting for pop3s and smtp.
rather than a complicated fallback strategy that is probably confusing the software. If this doesn't work, upgrade the software, i.e. 'doze 2K or IE5
Well, I already use win2k and ie5. Maybe ie 5.5?

Thanks
Philipp
On Tue, Jun 05, 2001 at 11:35 +0100, Robert Davies wrote:
the ftp connecting speed is painfully slow. The windoze 2k box first tries to have ftp routed over 10.0.0.191, then it realizes (due to the rejected packets, which produce icmp dest unreachables) it has to use the proxy's port 3128.
Look this is a browser bug, if you have set a proxy and it's ftp is not using the proxy.
MSIE seems to have the usual bug found in this environment: everyone wants to reinvent functionality which is already there -- and fails to do it right the first five times. :( Although there's common code in Windows to request and retrieve files, IE apparently tries on its own -- while passing by any configured proxies. Search for an option named something like "folder view for FTP servers" (don't know the exact wording, since I usually keep away from this crappy software as far as I can).
The name resolution should only occur once for the ftp server, but the idea that it's trying WINS and then falling back to DNS is a good one, just ignore M$ and use DNS.
Excuse me, but how is preferring WINS over DNS of advantage in an IP environment? I always know the other end is an NT based webserver when it stupidly asks the client(!) - of course on port 137 - "who are you?" instead of asking the authoritative DNS server "who is that one over there?". I don't see the point in believing what an arbitrary workstation wants me to believe, and always prefer to ask those who should know. MS somehow implements a little of a common mechanism, but always gets something wrong in their design ...
Then it connects after ages of waiting to the ftp server in pasv mode. Trying to change directory on a ftp server takes up to several minutes of waiting.
You have time outs on every connection, sometimes this is because the ftp server is making an IDENT check? Perhaps you need to deny rather than reject/drop packets (forgive me if it's reject & deny/drop and I've mixed that up).
Yes, it's vice versa. To "deny" is to simply drop the packet; to "reject" is to wink back by waving "no, not here, please".

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
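The deny/reject distinction Gerhard spells out above is something you can measure from the client end, and it is the difference Philipp is fighting: a rejected connection fails at once (ICMP unreachable or TCP RST), so the client can fall back to the proxy immediately, while a dropped one leaves the client waiting out its own timer. The following is an added example, not code from anyone in this thread: a small Python 3 probe that classifies one TCP connect attempt by how it fails. It assumes POSIX errno semantics as Linux and the BSDs report them (ECONNREFUSED for an RST, ENETUNREACH/EHOSTUNREACH for an ICMP unreachable or a missing local route); the loopback fixtures and the use of 192.0.2.1 (an RFC 5737 documentation address that is never routed) are constructed for the demonstration.

```python
import errno
import socket
import threading


def probe(host, port, timeout=2.0):
    """Connect to host:port once and report what the client stack saw.

    "refused"      a TCP RST came back: closed port, or a firewall that
                   rejects with tcp-reset; the client fails immediately.
    "unreachable"  an ICMP destination unreachable came back (a plain
                   REJECT rule), or the local stack had no route at all;
                   also immediate, which is why removing the default
                   gateway "fixed" the delay in the thread above.
    "timeout"      nothing came back within `timeout` seconds: a DENY/DROP
                   rule or a silently filtered path; the client waits out
                   its own timer before it can fall back to anything.
    "open"         the three-way handshake completed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except OSError as e:
            # Assumption: POSIX errno values as Linux/BSD report them.
            if e.errno == errno.ECONNREFUSED:
                return "refused"
            if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"
            raise


def closed_local_port():
    """Constructed fixture: a loopback port with no listener (gives RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def open_local_port():
    """Constructed fixture: a one-shot loopback listener; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


if __name__ == "__main__":
    print("closed loopback port :", probe("127.0.0.1", closed_local_port()))
    print("listening loopback   :", probe("127.0.0.1", open_local_port()))
    # 192.0.2.1 is never routed on the Internet. With a default route you
    # will normally sit through the full two seconds ("timeout"); without
    # one the stack answers "unreachable" at once, which is exactly the
    # difference Philipp saw with and without the default gateway.
    print("non-routed address   :", probe("192.0.2.1", 21, timeout=2.0))
```

On a Linux gateway the rules Philipp describes (REJECT towards the LAN, DENY towards the WAN) correspond to ipchains REJECT/DENY or iptables REJECT/DROP; pointing the probe at the ftp server's port 21 from the client tells you which of the two a given path is really giving you, and whether the delay is the client's own connect timer rather than anything the server does.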
Hi,

Once SuSE Harden is used, is it possible to roll back?

Regards
Matt
Hi Armin,

Cheers for that, will do.

Regards
Matt

-----Original Message-----
From: Armin Schöch [mailto:armin.schoech@mail1.uni-rostock.de]
Sent: 07 June 2001 00:44
To: Matt
Cc: suse-security@suse.com
Subject: Re: [suse-security] suse_harden

Hello Matt !
Once SuSE Harden is used, is it possible to roll back?
Look for /etc/undo_harden_suse. It does exactly what you are asking for and reverts all changes made by harden_suse.

HTH,
Armin
------------------------------------------------------------------------
Armin Schöch at the office:
Institut für Atmosphärenphysik
Ziolkowskistr. 10 / 63          Schlossstraße 6
D-18059 Rostock                 D-18225 Kühlungsborn
Tel. +49-(0)381-4005781         Tel. +49-(0)38293-68-102
configured proxies. Search for an option named something like "folder view for FTP servers"
Disable "enable folder view for ftp" in Tools -> Internet Options -> Advanced (don't know the exact wording; I have a German version).

Thank you, Gerhard. This solved my problem. (Although I really don't understand where the link to my problem is.)

Philipp
Hello Matt !
Once SuSE Harden is used, is it possible to roll back?
Look for /etc/undo_harden_suse. It does exactly what you are asking for and reverts all changes made by harden_suse.

HTH,
Armin
------------------------------------------------------------------------
Armin Schöch at the office:
Institut für Atmosphärenphysik
Ziolkowskistr. 10 / 63          Schlossstraße 6
D-18059 Rostock                 D-18225 Kühlungsborn
Tel. +49-(0)381-4005781         Tel. +49-(0)38293-68-102
Hi Matt,

On Wednesday, 6 June 2001 01:39, Matt wrote:
Hi,
Once SuSE Harden is used, is it possible to roll back?
It should. The harden_suse script should create an 'undo_harden_suse' perl script in /etc. There you should also find 'harden_suse.log'.
Regards
Matt
Bernd
participants (7)
- Armin Schöch
- BerndSchwab@t-online.de
- Dieter Huerten
- Gerhard Sittig
- Matt
- Philipp Snizek
- Robert Davies