Hey guys,

It seems that IP chains is slowing my news and ftp speeds. ipfwadm's forwarding allowed for the usual speeds, just as if the machine behind the gateway were the actual gateway. Since ipchains came around, news is unreadable, because the speeds are 3 bytes a second. FTP'ing within my network has gone from 1200KB/s to about 8KB/s.

I got a template from freshmeat.net and saw what might have been the solution, but it hasn't worked. Note that I do have CONFIG_IP_ROUTE_TOS compiled into my kernel.

    # Set ftp-data for maximum throughput
    $IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
    echo -n "."

SuSE didn't have an ftp-data in /etc/services... I tried adding one at port 20, but it still didn't work. Tried putting in nntp and netnews in place of ftp-data and I'm still getting slow butt speeds... 35 headers in 5 minutes :(

Other than that, I'm in love with ipchains :)

Any suggestions?

Thanks!
Chrissy

* Chrissy LeMaire <chrissy@netnerds.net> writes:
It seems that IP chains is slowing my news and ftp speeds.
How is this a security problem?
    # Set ftp-data for maximum throughput
    $IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
Is this what's in your "/sbin/init.d/masquerade"? I am using SuSE 6.0 w/ ipchains. That's what I use:

    for i in ${MSQ_NETWORKS}; do
        ${IPFWADM} -A forward -j MASQ -p all -s $i -d 0/0 -i ${MSQ_DEV}
    done

--
Mark Lutz
Accept German and English

How is this a security problem?
This is a security related topic because of the fact that IPCHAINS is a firewall program and I'm trying to improve security on my machine. If there are rules against questions regarding firewalls, I did not get a copy of them, and I did check over my initial email from suse-security. If questions like these are a burden, perhaps we can ask the suse admin to set down rules in the initial email that is sent.
    # Set ftp-data for maximum throughput
    $IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
Is this what's in your "/sbin/init.d/masquerade"? I am using SuSE 6.0 w/ ipchains. That's what I use:
    for i in ${MSQ_NETWORKS}; do
        ${IPFWADM} -A forward -j MASQ -p all -s $i -d 0/0 -i ${MSQ_DEV}
    done

I have (where $INNERNET is, of course, my internal network address range)
    $IPCHAINS -A input -s $INNERNET -d $INNERNET -j ACCEPT
    $IPCHAINS -A forward -s $INNERNET -d $REMOTENET -j MASQ
    echo 1 > /proc/sys/net/ipv4/ip_forward

I translated your rules with the ipfwadm2ipchains script found on freshmeat.net and it looks interesting. I will look into this more. If you don't mind me asking, what is the value of ${MSQ_DEV} and $i?

Thanks for your help.
Chrissy