Mailing List Archive

Time Response
I'm sorry if this mail is a clone, because I had problems with the mail server.

So, here is my problem:
During my FW tests, I noticed that a new connection through the firewall took a bit long to be established. An example:

A box pings through the firewall and waits for a response,
The FW doesn't even see the connection beginning for ~5 sec,
The FW sees the connection's FORWARD table packets increasing,
The ping-box receives many pongs in a short time and then receives the others normally.

If I try to ping again a short time after, everything's OK.
I saw this behaviour for a couple of protocols (POP3, SMTP ...).

It seems to me that the connection tracking module takes too much time to register the connection and, when it has done its work, enables the packet flow.
But maybe I'm wrong.
The problem is that my FW does SNAT and I can't live without connection tracking.

Is this behaviour normal?
Have I missed something in the configuration?
Has anyone faced the same problem?
What can I do to decrease this latency?

My firewall runs on a RH 7.0 box with kernel 2.4.6 and iptables v1.1.1,
with 3 NICs for inet, local and dmz.
All the packet FORWARDING stuff works great except for the latency.


Every response will be appreciated.

Florent
Re: Time Response
Florent wrote:

> A box pings through the firewall and waits for a response,
> The FW doesn't even see the connection beginning for ~5 sec,
> The FW sees the connection's FORWARD table packets increasing,
> The ping-box receives many pongs in a short time and then receives the others normally.

> If I try to ping again a short time after, everything's OK.
> I saw this behaviour for a couple of protocols (POP3, SMTP ...).

Incorrectly configured DNS?

Tony

--
Tony Earnshaw

Field Engineer Unix Internet, Security, Messaging
Landis Enterprise Networks
mailto:tearnshaw@landis.nl
tel.: +31 30 248 9198
fax: +31 30 241 22 42

http://www.landis.com
http://online.landis.com

