Hello all!

I have a server with SuSE 6.3 and some Windows clients. The clients have access to the internet over masquerading, the Linux server has an external ISDN adapter that's connected to the serial port. The ISP uses dynamic IP.

If I use a simple script for masquerading everything works fine, but if I use a more secure and complex script and I initiate a connection from a Windows client it takes a very long time (60 seconds...) till I get a response. After this, everything works OK (sometimes ping gives a timeout). With the simple script I get a response after 20 seconds, and if I initiate a connection from the Linux PC it's also about 20 seconds.

At the moment I use the last SuSE firewall beta that I've got from Marc's homepage. Before I've tried the last RPM file from SuSE, and I've also tried another script from a friend. All have the same problem. I start the scripts from "/etc/ppp/ip-up", because of the dynamic IP number.

The problem is not the modem, it dials very quickly. But after this for about 40 seconds nothing is happening. It's also not a DNS problem. If I start the firewall script by hand, it takes about 7 seconds executing (so not 40).

Please tell me if you know what this can be ;-)

With regards,
Paul van der Vlis
Groningen, Holland.
On Wed, Sep 06, 2000 at 17:49 +0200, Paul van der Vlis wrote:
> If I use a simple script for masquerading everything works fine, but if I use a more secure and complex script and I initiate a connection from a Windows client it takes a very long time (60 seconds...) till I get a response. After this, everything works OK (sometimes ping gives a timeout).
There's one big subject bubbling up: DNS timeouts. You could check for these by tcpdump(8)ing the connection. Make sure reverse lookup works just as well as "forward" lookup does. BTW this should be default behaviour instead of thinking about "do I have to offer reverse lookup?" ...
> Please tell me if you know what this can be ;-)
If it's DNS, it's a FAQ and very commonly done wrong.

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
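The forward and reverse lookup check suggested in the reply above can be timed per host. This is an added example, not part of the original thread: the host names, addresses, the 2-second threshold and the fake resolver (which advances a simulated clock instead of sleeping) are all constructed assumptions.

```python
import socket
import time

SLOW_AFTER = 2.0  # seconds; assumed threshold for a stalling resolver

def timed(fn, arg, clock):
    """Call one resolver function; return (result or None, elapsed seconds)."""
    start = clock()
    try:
        result = fn(arg)
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        result = None
    return result, clock() - start

def check_host(name, forward=None, reverse=None, clock=time.monotonic):
    """Return findings for one host name; an empty list means healthy."""
    forward = forward or (lambda n: socket.gethostbyname_ex(n)[2])
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    findings = []
    addrs, took = timed(forward, name, clock)
    if took > SLOW_AFTER:
        findings.append(f"forward {name}: slow ({took:.1f}s)")
    if not addrs:
        return findings + [f"forward {name}: no answer"]
    for addr in addrs:
        ptr, took = timed(reverse, addr, clock)
        if took > SLOW_AFTER:
            findings.append(f"reverse {addr}: slow ({took:.1f}s)")
        if ptr is None:
            findings.append(f"reverse {addr}: no PTR record")
        elif addr not in (timed(forward, ptr, clock)[0] or []):
            findings.append(f"reverse {addr}: PTR {ptr} does not map back")
    return findings

# Constructed sample zone: the client ws1 has an A record but no PTR record.
A = {"gw.example.test": ["192.0.2.1"], "ws1.example.test": ["192.0.2.10"]}
PTR = {"192.0.2.1": "gw.example.test"}
fake_now = [0.0]  # simulated clock, in seconds

def fake(table, miss_cost):
    """Build a constructed resolver; a miss costs miss_cost simulated seconds."""
    def lookup(key):
        fake_now[0] += 0.1 if key in table else miss_cost
        if key not in table:
            raise OSError("constructed: no answer")
        return table[key]
    return lookup

def demo():
    fwd, rev = fake(A, 0.1), fake(PTR, 40.0)
    return {n: check_host(n, fwd, rev, lambda: fake_now[0]) for n in A}
```

Calling `check_host(name)` without the fake arguments uses the system resolver, so the result then reflects `/etc/resolv.conf` and any caching daemon on the box.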
Hi,

I think, I also had the same problem just today. I was using the SuSE 6.3 Firewalling/Masquerading script, but the firewall
1. did not quickly open connections for/from clients
2. listed the firewall rules very slowly (seemed to hang after "rcfirewall status")

At first it seemed to me as if this was only a name service problem (this box also has a DNS server running). After I simply added more name servers in resolv.conf and restarted the firewall it worked fine for the first few minutes...

At present I let the clients use the squid proxy, which works fine, and plan to return to a simpler script, which was in use before ;-)

Dennis Stachowicz
> Hi,
> I think, I also had the same problem just today. I was using the SuSE 6.3 Firewalling/Masquerading script, but the firewall
> 1. did not quickly open connections for/from clients
> 2. listed the firewall rules very slowly (seemed to hang after "rcfirewall status")
> At first it seemed to me as if this was only a name service problem (this box also has a DNS server running). After I simply added more name servers in resolv.conf and restarted the firewall it worked fine for the first few minutes...
> At present I let the clients use the squid proxy, which works fine, and plan to return to a simpler script, which was in use before ;-)
Try to disable nscd and see if it changes.
killall nscd, edit /etc/rc.config, /START_NSCD
Thanks,
Roman.
--
Roman Drahtmüller
* Dennis Stachowicz wrote on Thu, Sep 07, 2000 at 00:04 +0200:
> Hi,
> I think, I also had the same problem just today. I was using the SuSE 6.3 Firewalling/Masquerading script, but the firewall
> 1. did not quickly open connections for/from clients
Are you sure the delays are caused by firewall rules?!
> 2. listed the firewall rules very slowly (seemed to hang after "rcfirewall status")
Did you use "-n", i.e. "ipchains -nL"?
> At present I let the clients use the squid proxy, which works fine, and plan to return to a simpler script, which was in use before ;-)
Well, it may be more complicated to check auto-generated rules than build up manual generated rules ;)

oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
Hi again,

thanks for all the mails and suggestions I got and please excuse me replying so late. I have been very busy up to now :-(

On Fri, 8 Sep 2000, Steffen Dettmer wrote:
> Are you sure the delays are caused by firewall rules?!
I do not think the problem is the kernel firewall code and I do not even know how the firewall rules could do that. Well, I already reinstalled our old masquerading-/firewalling-script - it works again... (which makes me guess it was not a DNS problem, we have no other DNS problems)
> > 2. listed the firewall rules very slowly (seemed to hang after "rcfirewall status")
> Did you use "-n", i.e. "ipchains -nL"?
No, rcfirewall does not prevent ipchains from resolving names and I did not try -n then. Anyway, the real problem was not that the firewall status was not reported properly but that the kernel did not let programs connect or did not transfer packages.

Anyway, thanks for all suggestions!

Dennis