Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] NETWORK SLOWDOWN
On Wednesday 16 January 2002 09:59, Omppu wrote:

> I have the following setup:
>
> Internet
>    | S0
> --------------
> | internet     |
> | cisco router |
> --------------
>    | F0 195.165.91.1 mask 255.255.255.240
> ----------              ----------
> | HUB    |--------------| server | 195.165.91.3 mask 255.255.255.240
> ----------              ----------
>    | 195.165.91.2 netmask 255.255.255.240 GW 195.165.91.1
> --------------
> | SuSE 7.3     |----------------| 195.165.91.129 netmask 255.255.255.192
> --------------
>    | 195.165.91.193 netmask 255.255.255.192
>
> route
> Kernel IP routing table
> Destination     Gateway         Genmask          Flags Metric Ref Use Iface
> 195.165.91.0    *               255.255.255.240  U     0      0   0   eth0
> 195.165.91.0    *               255.255.255.240  U     0      0   0   eth0
> 195.165.91.192  *               255.255.255.192  U     0      0   0   eth2
> 195.165.91.128  *               255.255.255.192  U     0      0   0   eth1
> default         195.165.91.1    0.0.0.0          UG    0      0   0   eth0
>
> SuSE 7.3 running on a Pentium III 550 MHz with 128 MB RAM and Intel EtherExpress
> Pro/100+ network cards.
>
> For some reason I'm getting some lag on connections going through the Linux
> box, and the lag becomes longer and worse when I start up the firewall.
>
> Any ideas what is causing this and how it can be resolved?

What worries me about your setup is your use of variable netmasks on very
similar network numbers. In the past, I've found 'PC support' fairly
incapable of setting correct DNS servers, never mind static IPs and tricky
netmasks, so I'd suspect some misconfiguration on the client side. I understand
you wanted to divide up the network efficiently without renumbering using
private network numbers. I just like simpler schemes, as they're hard enough
to set up and keep functioning correctly.

When you connect you may well have both ident and DNS ptr and A lookups going
on to authorise and log info about the connection. Now if you drop the ICMP
reject, to the ident connection which is sent because you either don't
permit, or simply don't run an ident server, you will see delays. I'd also
check you don't have DNS servers configured to forward requests to each
other, as well as trying to resolve them (and perhaps fail) on the Net.

Can you use some logging of what's going back and forth in your rules? The
rate limiting feature should help; then see if ident and DNS packets are
being sent as expected. If simple analysis doesn't solve it, you might well
need heavier-duty tools like tcpdump.

Rob
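The netmask concern in the reply above is easy to check mechanically. The following script is an added example and not part of the thread: it parses the `route` output quoted in the original post (reflowed one entry per line, values taken from the post), reports duplicate and overlapping destination networks, and then checks a client's static IP, netmask and gateway against the router's directly connected segments, which is where a wrong netmask on a client shows up. The client addresses in the usage block are constructed for illustration and do not appear in the thread.

```python
import ipaddress

# Routing table quoted in the post, reflowed to one entry per line (values as posted).
ROUTE_OUTPUT = """\
Destination     Gateway       Genmask         Flags Metric Ref Use Iface
195.165.91.0    *             255.255.255.240 U     0      0   0   eth0
195.165.91.0    *             255.255.255.240 U     0      0   0   eth0
195.165.91.192  *             255.255.255.192 U     0      0   0   eth2
195.165.91.128  *             255.255.255.192 U     0      0   0   eth1
default         195.165.91.1  0.0.0.0         UG    0      0   0   eth0
"""


def parse_routes(text):
    """Return [(network, gateway, iface)] from `route`-style output, skipping the header."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gateway, mask, _flags, _metric, _ref, _use, iface = fields[:8]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def duplicate_routes(routes):
    """Networks that appear more than once with the same gateway and interface."""
    seen, dups = set(), []
    for net, gw, iface in routes:
        key = (str(net), gw, iface)
        if key in seen and str(net) not in dups:
            dups.append(str(net))
        seen.add(key)
    return dups


def overlapping_routes(routes):
    """Pairs of distinct non-default networks whose address ranges overlap."""
    nets = sorted({net for net, _, _ in routes if net.prefixlen > 0},
                  key=lambda n: (int(n.network_address), n.prefixlen))
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def check_client(client_ip, client_mask, client_gw, routes):
    """Problems with a client's static configuration relative to the router's connected segments."""
    problems = []
    client_net = ipaddress.ip_network(f"{client_ip}/{client_mask}", strict=False)
    if ipaddress.ip_address(client_gw) not in client_net:
        problems.append(f"gateway {client_gw} is outside the client's own subnet {client_net}")
    # Directly connected routes ('*' gateway) that contain the client address.
    router_nets = [net for net, gw, _ in routes
                   if gw in ("*", "0.0.0.0") and ipaddress.ip_address(client_ip) in net]
    if not router_nets:
        problems.append(f"{client_ip} is not on any network directly connected to the router")
    elif router_nets[0] != client_net:
        # A wider or narrower mask on the client means it will ARP for hosts it should
        # route to (or vice versa), which looks like random slowness or timeouts.
        problems.append(f"netmask mismatch: client thinks it is on {client_net}, "
                        f"router segment is {router_nets[0]}")
    return problems


if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    print("duplicate routes:", duplicate_routes(routes))
    print("overlapping routes:", overlapping_routes(routes))
    # Constructed client examples on the eth1 segment (not from the thread).
    for ip, mask, gw in [("195.165.91.130", "255.255.255.192", "195.165.91.129"),
                         ("195.165.91.130", "255.255.255.240", "195.165.91.129"),
                         ("195.165.91.130", "255.255.255.192", "195.165.91.1")]:
        print(ip, mask, gw, "->", check_client(ip, mask, gw, routes) or "ok")
```

Run it as-is to see the posted table flagged for its duplicated 195.165.91.0/28 entry (harmless, but a sign of a double ifconfig or rc script run) and no overlapping segments; feed it each client's settings to find the ones whose mask does not match the router's segment.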
