ftp long time connection

ftp long time connection

[Lonnie Cumberland]

Hello All,

I have my systems behind a firewall and am using ftp for a specific
project.

The problem is that when I try to connect to my SELinux server from
another Linux client that it takes about 2 - 3 minutes. I have even
tried to give the IP instead of the host name and it still take this
long time as well.

Any ideas on how to fix this would be greatly appreciated,
Cheers,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: Lonnie@OutStep.com
      : Lonnie_Cumberland@yahoo.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ftp long time connection

[Justin Smith]

On Tue, 2002-02-19 at 12:06, Lonnie Cumberland wrote:
> The problem is that when I try to connect to my SELinux server from
> another Linux client that it takes about 2 - 3 minutes. I have even
> tried to give the IP instead of the host name and it still take this
> long time as well.
> 
>

Strange! I'd be inclined to think it has nothing to do with SELinux. I'm
running a web server with Servlets and JSP (the URL is 
http://vorpal.mcs.drexel.edu
) and haven't noticed any increase in access time. My web server is very
active, too (my students take exams via fill-out forms).

-- 


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ftp long time connection

[George Fouse]

Hello,
I really question if this is an SELinux problem, per se.
If you wait and then finally connect, then I wonder if: 1. inetd (or
xinetd if you're using that) is configured to request the client host
identd info  (or are you using the ftp server as a daemon?), 2.doesn't
see it, and then  3.waits for the timeout interval you have set prior to
completing? Just a thought.
Lonnie Cumberland wrote:
> 
> Hello All,
> 
> I have my systems behind a firewall and am using ftp for a specific
> project.
> 
> The problem is that when I try to connect to my SELinux server from
> another Linux client that it takes about 2 - 3 minutes. I have even
> tried to give the IP instead of the host name and it still take this
> long time as well.
> 
> Any ideas on how to fix this would be greatly appreciated,
> Cheers,
> Lonnie
> 
> --
>  Lonnie Cumberland
>  OutStep Technologies Incorporated
>  (313) 832-7366
> 
>  URL: http://www.outstep.com
>  EMAIL: Lonnie@OutStep.com
>       : Lonnie_Cumberland@yahoo.com
>
--
------------------------------
George Fouse, 
President
Quantum Technology Associates
System and Network Services
------------------------------

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ftp long time connection

[Hacko]

it has nothing to do with selinux, i suppose, if you try ssh/telnet, etc -
it will be the same?

try to add the following in your /etc/hosts

#>>>
# this is in selinux /etc/hosts
# ip of example linux client is 10.20.20.40

10.20.20.40	linux-client-name
10.20.20.41	linux2-client-name

# etc
#>>>>

i hope then all will be faster ;)

regards,

Hacko



On Tue, 19 Feb 2002, Lonnie Cumberland wrote:

> Hello All,
>
> I have my systems behind a firewall and am using ftp for a specific
> project.
>
> The problem is that when I try to connect to my SELinux server from
> another Linux client that it takes about 2 - 3 minutes. I have even
> tried to give the IP instead of the host name and it still take this
> long time as well.
>
> Any ideas on how to fix this would be greatly appreciated,
> Cheers,
> Lonnie
>
> --
>  Lonnie Cumberland
>  OutStep Technologies Incorporated
>  (313) 832-7366
>
>  URL: http://www.outstep.com
>  EMAIL: Lonnie@OutStep.com
>       : Lonnie_Cumberland@yahoo.com
>
>
>
>
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ftp long time connection

[Noah silva]

Are you sure that SELinux is the problem?  Usually this problem is caused
by the server doing a reverse DNS lookup on the connecting host for
logging purposes, and the DNS times out.

 -- noah silva 

On Tue, 19 Feb 2002, Lonnie Cumberland wrote:

> Hello All,
> 
> I have my systems behind a firewall and am using ftp for a specific
> project.
> 
> The problem is that when I try to connect to my SELinux server from
> another Linux client that it takes about 2 - 3 minutes. I have even
> tried to give the IP instead of the host name and it still take this
> long time as well.
> 
> Any ideas on how to fix this would be greatly appreciated,
> Cheers,
> Lonnie
> 
> -- 
>  Lonnie Cumberland
>  OutStep Technologies Incorporated
>  (313) 832-7366
> 
>  URL: http://www.outstep.com
>  EMAIL: Lonnie@OutStep.com
>       : Lonnie_Cumberland@yahoo.com
> 
> 
> 
> 
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: ftp long time connection

[Flood Randy Capt AFCA/TCAA]

Do you have reverse DNS entries for your server and client and is DNS configured correctly?

If DNS is not set up properly you can get results like that.


-----Original Message-----
From: Justin Smith [mailto:jsmith@mcs.drexel.edu]
Sent: Tuesday, February 19, 2002 11:52 AM
To: SELinux@tycho.nsa.gov
Subject: Re: ftp long time connection


On Tue, 2002-02-19 at 12:06, Lonnie Cumberland wrote:
> The problem is that when I try to connect to my SELinux server from
> another Linux client that it takes about 2 - 3 minutes. I have even
> tried to give the IP instead of the host name and it still take this
> long time as well.
> 
>

Strange! I'd be inclined to think it has nothing to do with SELinux. I'm
running a web server with Servlets and JSP (the URL is 
http://vorpal.mcs.drexel.edu
) and haven't noticed any increase in access time. My web server is very
active, too (my students take exams via fill-out forms).

-- 


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ftp long time connection

[Ben McGinnes]

[-- Attachment #1: Type: text/plain, Size: 1081 bytes --]

Flood Randy Capt AFCA/TCAA(randy.flood@scott.af.mil)@Tue, Feb 19, 2002 at 01:55:17PM -0600:
> 
> Do you have reverse DNS entries for your server and client and is DNS
> configured correctly?
> 
> If DNS is not set up properly you can get results like that.

True, DNS errors will do that, as others here have pointed out.  The
original query, however, also mentioned that accessing the host directly
by its IP was attempted with the same results.  So while there may be some 
DNS-related delays as well, it cannot be a complete explanation.  I also 
doubt SE Linux is the cause here either since it's a fairly generic kind 
of problem.

I'd try attempting other protocols such as SSH, telnet (if enabled), SMTP 
and probably SCP too.  To both hostname and IP address.  See if it is 
affecting all protocols or just one or two, also try telnetting to the 
machine on port 21 and see exactly what point at which it slows to a crawl 
or breaks.

Chances are the cause (and shortly thereafter, the solution) will leap out 
during this process.


Regards,
Ben

[-- Attachment #2: Type: application/pgp-signature, Size: 174 bytes --]

RE: ftp long time connection

[Flood Randy Capt AFCA/TCAA]

Actually, even if you ftp or telnet to a machine using its ip address,
often times the client will nslookup the ip address.  Likewise, the
server will often do a reverse lookup on the client (for logging
purposes).  I have also seen this sort of behavior if you use host names
rather than ip addresses in /etc/hosts.allow and /etc/hosts.deny.  Try
fixing DNS and then see if you still have the problem.

   

-----Original Message-----
From: Ben McGinnes [mailto:ben-mcginnes@iname.com]
Sent: Wednesday, February 20, 2002 8:39 AM
To: selinux@tycho.nsa.gov
Cc: Flood Randy Capt AFCA/TCAA; Lonnie Cumberland
Subject: Re: ftp long time connection


Flood Randy Capt AFCA/TCAA(randy.flood@scott.af.mil)@Tue, Feb 19, 2002
at 01:55:17PM -0600:
> 
> Do you have reverse DNS entries for your server and client and is DNS
> configured correctly?
> 
> If DNS is not set up properly you can get results like that.

True, DNS errors will do that, as others here have pointed out.  The
original query, however, also mentioned that accessing the host directly
by its IP was attempted with the same results.  So while there may be
some 
DNS-related delays as well, it cannot be a complete explanation.  I also

doubt SE Linux is the cause here either since it's a fairly generic kind

of problem.

I'd try attempting other protocols such as SSH, telnet (if enabled),
SMTP 
and probably SCP too.  To both hostname and IP address.  See if it is 
affecting all protocols or just one or two, also try telnetting to the 
machine on port 21 and see exactly what point at which it slows to a
crawl 
or breaks.

Chances are the cause (and shortly thereafter, the solution) will leap
out 
during this process.


Regards,
Ben

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ftp long time connection

[Ben McGinnes]

[-- Attachment #1: Type: text/plain, Size: 1330 bytes --]

Flood Randy Capt AFCA/TCAA(randy.flood@scott.af.mil)@Wed, Feb 20, 2002 at 08:55:50AM -0600:
> 
> Actually, even if you ftp or telnet to a machine using its ip address,
> often times the client will nslookup the ip address.  Likewise, the
> server will often do a reverse lookup on the client (for logging
> purposes).  I have also seen this sort of behavior if you use host names
> rather than ip addresses in /etc/hosts.allow and /etc/hosts.deny.  Try
> fixing DNS and then see if you still have the problem.

Yeah, as the other branch of this thread has probably shown, I'd forgotten 
that while specifying the IP for the connecting host would speed up some 
parts, it does not help much if the server has DNS troubles while 
attempting to resolve reverse DNS on that host.  I had also forgotten that 
some older protocols still insist on doing this step.

Some newer protocols, of course, skip this by ignoring reverse DNS 
completely and simply respond to whatever IP address is in the appropriate 
TCP/IP header from the incoming packet.  Initially I had assumed FTP would 
do this, but a refresher of the protocol reminded me that its initial 
connection is basically the same as telnet, which means it is going to 
keep sticking to the good old fashioned reverse DNS double check.  


Regards,
Ben

[-- Attachment #2: Type: application/pgp-signature, Size: 174 bytes --]

RE: ftp long time connection

[Walker, Jason]

I think that the DNS configuration will affect ftp connections, even if the
client is trying to FTP to the IP address of the server.  

What they're talking about is the reverse DNS lookup, where the SERVER does
a reverse lookup on the address of the CLIENT to see who's trying to
connect, for logging and authentication purposes.  If the Server doesn't
know the name associated with the Client IP address, it will take some extra
time before the server gives up and simply logs the client IP address
instead of hostname.

Make sure that the client system is listed in DNS, that the server is using
the appropriate DNS server, or that the server has a HOSTS file listing the
client.  From the server, try doing an nslookup against the client IP
address and see if it correctly returns the client name.

Jason Walker
Lockheed Martin CSOC
(281) 218-2569


-----Original Message-----
From: Ben McGinnes [mailto:ben-mcginnes@iname.com]
Sent: Wednesday, February 20, 2002 8:39 AM
To: selinux@tycho.nsa.gov
Cc: Flood Randy Capt AFCA/TCAA; Lonnie Cumberland
Subject: Re: ftp long time connection


Flood Randy Capt AFCA/TCAA(randy.flood@scott.af.mil)@Tue, Feb 19, 2002 at
01:55:17PM -0600:
> 
> Do you have reverse DNS entries for your server and client and is DNS
> configured correctly?
> 
> If DNS is not set up properly you can get results like that.

True, DNS errors will do that, as others here have pointed out.  The
original query, however, also mentioned that accessing the host directly
by its IP was attempted with the same results.  So while there may be some 
DNS-related delays as well, it cannot be a complete explanation.  I also 
doubt SE Linux is the cause here either since it's a fairly generic kind 
of problem.

I'd try attempting other protocols such as SSH, telnet (if enabled), SMTP 
and probably SCP too.  To both hostname and IP address.  See if it is 
affecting all protocols or just one or two, also try telnetting to the 
machine on port 21 and see exactly what point at which it slows to a crawl 
or breaks.

Chances are the cause (and shortly thereafter, the solution) will leap out 
during this process.


Regards,
Ben

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ftp long time connection

[Lonnie Cumberland]

Hello All,

Sorry for not responding a little earlier, but although I have not
completely narrowed down the problem, I do not think that is has to
do with SElinux now.

It is probably some error on my part as I have been making many
chages to our servers lately.

Cheers and thanks for the help everyone.

I really appreciate it,
Lonnie

>
> If you've figured out the problem (or at least determined that it
> isn't related to SELinux), it might be good to say so on the
> mailing list so that people won't continue to post endlessly on
> this thread.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 EMAIL: Lonnie@OutStep.com
      : Lonnie_Cumberland@yahoo.com

 The Basis Express Virtual Office
               &
 Data Backup and Recovery Services

 URL: http://www.basis-express.com

"The Virtual Office with no boundries!!!"





--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.