Re: IPchains and FTP performance

From: WindersBoy (skelley@nospam.com)
Date: 12/12/01


From: skelley@nospam.com (WindersBoy)
Date: Wed, 12 Dec 2001 22:02:28 GMT

On Wed, 12 Dec 2001 20:36:44 GMT, Andrew Cudzilo
<linuxps@rochester.rr.com> wrote:

>WindersBoy wrote:
>
>> Hello all.
>> I've seen many posts regarding this on the Internet, but so far have
>> found no answers. I hope someone here can help.
>>
>> I have a linux firewall box running the 2.2.12-20 kernel (redhat). It
>> runs ipchains. Everything seems to be going well with one exception.
>>
>> When someone runs FTP through the firewall, it is very slow, and the
>> server itself becomes almost unresponsive to logins during the data
>> transfer operation. The firewall does masquerading.
>>
>> Thoughts?
>> Sean
>>
>
>Thoughts that come to mind:
>
>
>1) kernel module to allow private IPs to ftp from behind a firewall
>loaded? ip_masq_ftp.o
>2) Passive versus active file transfers - probably want to turn passive
>off and try to download
>3) FTP server (you are connecting to) trying to do reverse DNS lookups on
>your firewall's public IP address or itself. (This one is usually
>detectable if there is an extreme delay in connecting to the server 1-2
>mins, but once a connection is established data transfers seem to flow
>at normal pace)
>
><end thoughts> Hope it was of some service:)
>
>
>
>--
>Andrew Cudzilo <linuxps@rochesterr.rr.com>
>Professional Bum
>Clever saying: "killall -9`em and let root@localhost sort`em out"
>
I only allow passive FTP (forgot to mention that), so the module isn't
needed, I believe.
I am FTP'ing to the DMZ so name look-ups aren't a real problem.