slow ftp

slow ftp

[Askar]

hi list

we are running ftp "proftpd" server it takes times when a user
connects to ftp server however when I flush the iptables rules
connection doesn't takes time, iptables firewall on the same machine,
default policies are DROP,
firewall script is very straight forward

rules
.
.
# Using Connection State to By-pass Rule Checking
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
.
.
.iptables -A INPUT -p tcp --dport 20:21 -m state --state NEW -j ACCEPT
.
.

# Load the FTP connection state helper module.
modprobe ip_conntrack_ftp
# Load the FTP NAT module.
modprobe ip_nat_ftp

any idea?

regards

-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams

Re: slow ftp

[Askar]

Hello Maxime,

Thanks  for your quick reply, I added the above rules for all our
company DNS servers but no luck still it takes times on
Connecting.......

flushing firewall rules makes a difference that is "quick" connection :)

regards



On Thu, 17 Feb 2005 11:57:49 -0500, Maxime Ducharme
<mducharme@cybergeneration.com> wrote:
> Hello Askar
> 
> Usually it is because of reverse DNS done
> when a client connects.
> 
> If your firewall doesnt have access to any DNS
> and tries to resolve the client hostname, each time
> a client connects, it will have to wait until the server
> times out on DNS requests.
> 
> Configure DNS and add
> iptables -A OUTPUT -p udp --dport 53 -d $DNS_SERVER -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 53 -d $DNS_SERVER -j ACCEPT
> 
> Replace $DNS_SERVER with your DNS server's IP.
> If you have more, add as much rules as needed.
> 
> You may also take a look into proftpd config, maybe
> you can simply deactivate reverse DNS lookup on connect.
> 
> Hope this helps
> 
> Have a nice day
> 
> Maxime Ducharme
> Programmeur / Spécialiste en sécurité réseau
> 
> ----- Original Message -----
> From: "Askar" <askarali@gmail.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Thursday, February 17, 2005 11:48 AM
> Subject: slow ftp
> 
> > hi list
> >
> > we are running ftp "proftpd" server it takes times when a user
> > connects to ftp server however when I flush the iptables rules
> > connection doesn't takes time, iptables firewall on the same machine,
> > default policies are DROP,
> > firewall script is very straight forward
> >
> > rules
> > .
> > .
> > # Using Connection State to By-pass Rule Checking
> > iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > .
> > .
> > .iptables -A INPUT -p tcp --dport 20:21 -m state --state NEW -j ACCEPT
> > .
> > .
> >
> > # Load the FTP connection state helper module.
> > modprobe ip_conntrack_ftp
> > # Load the FTP NAT module.
> > modprobe ip_nat_ftp
> >
> > any idea?
> >
> > regards
> >
> > --
> > I love deadlines. I like the whooshing sound they make as they fly by.
> > Douglas Adams
> >
> 
> 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams

Re: slow ftp

[Jason Opperisano]

On Thu, 2005-02-17 at 11:48, Askar wrote:
> hi list
> 
> we are running ftp "proftpd" server it takes times when a user
> connects to ftp server however when I flush the iptables rules
> connection doesn't takes time, iptables firewall on the same machine,
> default policies are DROP,
> firewall script is very straight forward
> 
> rules
> .
> .
> # Using Connection State to By-pass Rule Checking
> iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> .
> .
> .iptables -A INPUT -p tcp --dport 20:21 -m state --state NEW -j ACCEPT
> .
> .
> 
> # Load the FTP connection state helper module.
> modprobe ip_conntrack_ftp
> # Load the FTP NAT module.
> modprobe ip_nat_ftp
> 
> any idea?

you have your FTP server configured to perform IDENT lookups on the
clients, perhaps?

  iptables -A OUTPUT -p tcp --syn --dport 113 -j ACCEPT

-j

--
"You heard me, I won't be in for the rest of the week... I told you,
 my baby beat me up... oh it is not the worst excuse I ever thought up."
	--The Simpsons

Re: slow ftp

[R. DuFresne]

What kind of latencies are you observing?  any time one puts a firewall
into the miix, or encryption there is agont to be an increase in latency.
Add state tracking and increase the latency level, add large rules sets,
and increase the latency level, ftp via ssh'ed connections, add latency,
hope from one system to another hitting firewall boundries and adding
ssh'ed connections up the latency level.  Try and connect to a server that
is running with a sysload on the high end, add latency as the remote
server needs to deal with interupts.

The question though is, are the latencies you are observing out of norm?
<see question 1 above>

Thanks,

Ron DuFresne

On Thu, 17 Feb 2005, Askar wrote:

> hi list
> 
> we are running ftp "proftpd" server it takes times when a user
> connects to ftp server however when I flush the iptables rules
> connection doesn't takes time, iptables firewall on the same machine,
> default policies are DROP,
> firewall script is very straight forward
> 
> rules
> .
> .
> # Using Connection State to By-pass Rule Checking
> iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> .
> .
> .iptables -A INPUT -p tcp --dport 20:21 -m state --state NEW -j ACCEPT
> .
> .
> 
> # Load the FTP connection state helper module.
> modprobe ip_conntrack_ftp
> # Load the FTP NAT module.
> modprobe ip_nat_ftp
> 
> any idea?
> 
> regards
> 
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>

Re: slow ftp

[Askar]

hello Dufresne,

Problem solved after I added ...
     UseReverseDNS                   off
     IdentLookups                    off

to proftpd.conf as Michael Gale suggested

Thanks and regards

Askar 
On Thu, 17 Feb 2005 12:51:56 -0500 (EST), R. DuFresne
<dufresne@sysinfo.com> wrote:
> 
> What kind of latencies are you observing?  any time one puts a firewall
> into the miix, or encryption there is agont to be an increase in latency.
> Add state tracking and increase the latency level, add large rules sets,
> and increase the latency level, ftp via ssh'ed connections, add latency,
> hope from one system to another hitting firewall boundries and adding
> ssh'ed connections up the latency level.  Try and connect to a server that
> is running with a sysload on the high end, add latency as the remote
> server needs to deal with interupts.
> 
> The question though is, are the latencies you are observing out of norm?
> <see question 1 above>
> 
> Thanks,
> 
> Ron DuFresne
> 
> On Thu, 17 Feb 2005, Askar wrote:
> 
> > hi list
> >
> > we are running ftp "proftpd" server it takes times when a user
> > connects to ftp server however when I flush the iptables rules
> > connection doesn't takes time, iptables firewall on the same machine,
> > default policies are DROP,
> > firewall script is very straight forward
> >
> > rules
> > .
> > .
> > # Using Connection State to By-pass Rule Checking
> > iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > .
> > .
> > .iptables -A INPUT -p tcp --dport 20:21 -m state --state NEW -j ACCEPT
> > .
> > .
> >
> > # Load the FTP connection state helper module.
> > modprobe ip_conntrack_ftp
> > # Load the FTP NAT module.
> > modprobe ip_nat_ftp
> >
> > any idea?
> >
> > regards
> >
> >
> 
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
> 
> ...Love is the ultimate outlaw.  It just won't adhere to rules.
> The most any of us can do is sign on as it's accomplice.  Instead
> of vowing to honor and obey, maybe we should swear to aid and abet.
> That would mean that security is out of the question.  The words
> "make" and "stay" become inappropriate.  My love for you has no
> strings attached.  I love you for free...
>                         -Tom Robins <Still Life With Woodpecker>
> 
> 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams