Hi!
I encountered the following problem with the SuSEfirewall script:
First of all, my configuration: I've got a Linux box (SuSE 6.4) running as a DSL router (incl. masquerading) for an internal network. The firewall script (which version doesn't really matter, I've tried out several versions, including the newest from Marc's website) is installed on that Linux box.
The problem: HTTP & SSH are working well, but when I try to connect to an Internet server via FTP, POP (sometimes) or SMTP it takes a long time (ca. 20 sec) until data is transferred, although the connection itself is established immediately. I do not think that it is a DNS problem; reverse & forward lookups are working well. I also think that it has nothing to do with masquerading, because if I work on the server console the problem also occurs. If I shut down the firewall, everything is working fine!
I hope somebody can help me and that this is not a FAQ ;-)
bye
Christian Bohn
On Wed, Jan 31, 2001 at 03:03:57PM +0100, Christian Bohn wrote:
The problem: HTTP & SSH are working well, but when I try to connect to an Internet server via FTP, POP (sometimes) or SMTP it takes a long time (ca. 20 sec) until data is transferred, although the connection itself is established immediately. I do not think that it is a DNS problem; reverse & forward lookups are working well.
I'm pretty sure you are DENYing ident requests (TCP/113). Many servers try to get the initiating user for the connection, and DENYing those requests causes a time-out. You should REJECT them instead.
HTH Martin
The easy way is actually to ALLOW requests to that port but not run IDENT :-) That will give you a nice quick connection.
(Yes, I will add this to the FAQ as soon as I get a chance. If anyone wants to write that section up for me..... HINT HINT)
-Nix
At 02:19 AM 1/02/2001, you wrote:
On Wed, Jan 31, 2001 at 03:03:57PM +0100, Christian Bohn wrote:
The problem: HTTP & SSH are working well, but when I try to connect to an Internet server via FTP, POP (sometimes) or SMTP it takes a long time (ca. 20 sec) until data is transferred, although the connection itself is established immediately. I do not think that it is a DNS problem; reverse & forward lookups are working well.
I'm pretty sure you are DENYing ident requests (TCP/113). Many servers try to get the initiating user for the connection, and DENYing those requests causes a time-out. You should REJECT them instead.
HTH Martin
On Wed, Jan 31, 2001 at 15:03 +0100, Christian Bohn wrote:
The problem: HTTP & SSH are working well, but when I try to connect to an Internet server via FTP, POP (sometimes) or SMTP it takes a long time (ca. 20 sec) until data is transferred, although the connection itself is established immediately.
That's a very good sign for DNS timeouts. Make sure reverse lookups work correctly.
I do not think that it is a DNS problem; reverse & forward lookups are working well.
Then I wouldn't know any other way but tracing the application (telnet to the destination port?) to determine *where* the time is spent. Or as an easier first try: have a network dump with timestamps (see tcpdump(1) for this).
If I shut down the firewall, everything is working fine!
Then make the blocking rules log and maybe you instantly see what's preventing fluid operation ...
On Wed, Jan 31, 2001 at 19:42 +0100, Gerhard Sittig wrote:
On Wed, Jan 31, 2001 at 15:03 +0100, Christian Bohn wrote:
The problem: HTTP & SSH are working well, but when I try to connect to an Internet server via FTP, POP (sometimes) or SMTP it takes a long time (ca. 20 sec) until data is transferred, although the connection itself is established immediately.
That's a very good sign for DNS timeouts. Make sure reverse lookups work correctly.
As a second thought: ident comes to mind -- it's usually used by SMTP servers and maybe poppers, too. Don't deny these queries but reject them! And yes, that's a FAQ.
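Gerhard's suggestion of a timestamped network dump and Martin's ident diagnosis can be combined into a small check. The script below is an added example, not from anyone in this thread: it walks tcpdump-style lines (a constructed capture with assumed addresses 198.51.100.7 for the firewall host and 192.0.2.10 for the remote mail server), correlates inbound SYNs to TCP/113 with any reply from our port 113, and reports ident attempts that went unanswered (silently DENYed) before the server's next data packet, i.e. the stall the original post describes. With a REJECT rule our side answers with a RST and no stall is reported.

```python
import re

# Constructed tcpdump-like capture (not a real trace): SMTP handshake completes at once,
# the server then sends ident SYNs to us that a DENY rule silently drops; the server
# retries, gives up after ~20 s, and only then delivers the SMTP banner (the P packet).
DUMP_DENY = """\
15:03:57.101 198.51.100.7.1025 > 192.0.2.10.25: S 1:1(0) win 32120
15:03:57.152 192.0.2.10.25 > 198.51.100.7.1025: S 2:2(0) ack 2 win 5840
15:03:57.153 198.51.100.7.1025 > 192.0.2.10.25: . ack 1 win 32120
15:03:57.201 192.0.2.10.3345 > 198.51.100.7.113: S 9:9(0) win 5840
15:04:00.201 192.0.2.10.3345 > 198.51.100.7.113: S 9:9(0) win 5840
15:04:06.201 192.0.2.10.3345 > 198.51.100.7.113: S 9:9(0) win 5840
15:04:18.401 192.0.2.10.25 > 198.51.100.7.1025: P 1:47(46) ack 1 win 5840
"""

# Same scenario with a REJECT rule: our host answers the ident SYN with a RST right away.
DUMP_REJECT = """\
15:03:57.201 192.0.2.10.3345 > 198.51.100.7.113: S 9:9(0) win 5840
15:03:57.202 198.51.100.7.113 > 192.0.2.10.3345: R 0:0(0) ack 10 win 0
15:03:57.300 192.0.2.10.25 > 198.51.100.7.1025: P 1:47(46) ack 1 win 5840
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")

def parse(line):
    """Return (seconds_since_midnight, src, sport, dst, dport, flags) or None."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, flags = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, int(sport), dst, int(dport), flags

def find_ident_stalls(dump, min_stall=2.0):
    """Report remote hosts whose ident (TCP/113) SYNs got no answer from us before
    their next non-ident packet, when that wait exceeded min_stall seconds."""
    pending = {}  # remote ip -> [time of first ident SYN, SYN count, answered?]
    stalls = []
    for line in dump.splitlines():
        p = parse(line)
        if p is None:
            continue
        t, src, sport, dst, dport, flags = p
        if dport == 113 and flags == "S":      # remote asks who owns our connection
            entry = pending.setdefault(src, [t, 0, False])
            entry[1] += 1
        elif sport == 113 and dst in pending:  # our side replied (SYN/ACK or RST)
            pending[dst][2] = True
        elif src in pending:                   # next real packet from that server
            first, count, answered = pending.pop(src)
            if not answered and t - first >= min_stall:
                stalls.append({"remote": src, "unanswered_syns": count,
                               "stall_seconds": round(t - first, 1)})
    return stalls
```

Run it over a real `tcpdump -tt`-style dump after adjusting the timestamp regex to your tcpdump version's output; a reported stall with several unanswered SYNs is the signature of a DENY rule on port 113.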