Your advice is well taken. I solved it last night. It was the eth2
NIC in the router. I replaced the NIC and everything worked. Thanks for the
help. This list is great!

        Troy

-----Original Message-----
From:   Ray Olszewski [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, October 09, 2002 10:39 AM
To:     troy; [EMAIL PROTECTED]
Subject:        Re: [leaf-user] RE:DMZ configuration problems


I waited to reply in the hope that someone would offer better advice than I 
can.

Your first message mentioned two problems --- slow ftp transfers between 
the DMZ server and LAN clients, and inability to do ftp transfers from the 
Internet. This message mentions only the first problem; have you solved the 
second on your own?

I doubt slowness is the result of your firewall ruleset -- rulesets tend to 
be all or nothing with respect to passing packets -- but I should point out 
that your report listed only the first part of the actual ruleset (the 
input and forward chains, but not output or any of the custom chains), not 
the complete ruleset.

I am a bit puzzled by your description of the problem. If both LAN and DMZ 
are 100 Mbps 802.3 Ethernets, then I would expect transfers through a 
firewall to be at about 50 Mbps, not the 1440 Kbps you expect (or the 45 
Kbps you actually see).

With all of that said, here are some things to check:

1. Are you dropping a lot of packets at the interfaces? After one of these 
slow transfers, look at the output of "ip -s link show" and see if the 
packet counts suggest any problems.

2. Is the firewall processing the packets the way it should be? After one 
of the slow transfers, look at the firewall ruleset and see if any 
improbable rule is rejecting or denying a lot of packets. Since most of the 
actual firewall ruleset is missing, and I am not expert enough in Shorewall 
to deduce the ruleset from the config files, I can't tell how the LAN is 
accessing the DMZ via the firewall (mainly, what the actual eth1_fwd chain 
looks like, or the eth2_fwd chain that I presume also exists). So while I 
cannot think of a ruleset problem that would create the symptoms you 
describe, neither can I rule it out from what you've sent. Perhaps one of 
our Shorewall experts can comment here?

3. Is there a problem with the ftp *server* on the Linux host in the dmz? 
As I read your report, you've tested doing ftp downloads *from* the 
Internet *to* the DMZ, but not the other way around. (I'm not sure that 
this is what you mean, though, by "or my Linux server in the dmz zone", so 
I apologize if I've misread this part.) If you haven't tested this ... try 
"ftp localhost" from a shell login on the DMZ host, and see what the 
transfer rate is.

4. You say "truthfully that [ftp] is the only file transfer protocol that I 
use between my Linux server in the dmz and my windows box in the loc zone 
so I can't say if it affects anything else." Do you make shell connections 
(with telnet or ssh) from the LAN to the DMZ host? If you do, the severity 
of problem you are seeing, if it applies to all traffic, should be 
observable with any process that displays a lot of output to the screen ... 
even something as simple as an "ls -l" of a very large directory. You 
really do need to determine somehow if this is an ftp-only problem or a 
general connectivity problem.

5. Are there any problems at the hardware level? I'm fishing here ... but, 
for example, might there be an IRQ or ioport conflict between the NICs that 
provide interfaces eth1 and eth2? This could manifest itself in traffic 
flakiness between LAN and DMZ, but not between either of them and the 
Internet (since only one of them would be under load).

If some of these questions turn up interesting results, and you want more 
help, please don't just answer the questions narrowly ... provide the 
background that is relevant to the answer.

At 11:16 PM 10/8/02 -0600, troy wrote:
>  As per the advice that I was given earlier today, I am hoping that this
>information will be more helpful in getting to the bottom of my problem.
>Please note that this configuration is slightly different than the one I
>posted earlier. The difference being that I have NOT opened all internet
>traffic to my DMZ. Instead I have chosen to block all of the ports in my DMZ
>except the ones I need for my server. Regardless of these changes, the
>problem still persists.
>
>
>This is my first attempt at setting up a DMZ so I am
> > admitting now that I probably got it all wrong. That said, I am hoping
> > someone on the list can point out where I have made my mistakes and point
>me in the right direction. Here is what I am attempting to accomplish.
>
>GOAL IS:
> >               TO ALLOW "specific" traffic from the INTERNET INTO MY DMZ
> >               TO ALLOW DMZ ACCESS TO THE INTERNET (BUT LOG IT)
> >               TO ALLOW LOC ZONE OPEN ACCESS TO DMZ AND THE INTERNET
> >               TO BLOCK ALL TRAFFIC FROM DMZ TO LOC ZONE and log it if it
> > tries to connect to loc zone.
> >               TO ALLOW DNSCACHE TO WORK FOR BOTH ZONES.
>
>
>NETWORK LOOKS LIKE THIS:
>
>-----> Internet to eth0 on Bering box
>-----> eth0 Bering box using shorewall
>-----> eth1 loc zone
>-----> eth2 dmz zone
>
>
>
>THE PROBLEM IS:
>
>POOR FILE TRANSFER RATE (ftp) BETWEEN LOC ZONE AND DMZ ZONE.
>
>                 I thought I had it all working until I attempted to do an
>ftp file transfer between my windoz systems on the loc zone to my Linux
>server in the dmz zone. My transfer rate was terrible. (45kb/s should be
>1400kb/s!) But, if I connect to a remote ftp server through my windoz box
>in the loc zone, or my Linux server in the dmz zone, the transfer rate is
>normal. The problem only seems to affect ftp but truthfully that is the only
>file transfer protocol that I use between my Linux server in the dmz and my
>windows box in the loc zone so I can't say if it affects anything else.
>
> > Please keep in mind that this is my first
> > attempt at this and I have tried to follow the shorewall howto for
> > setting up three interfaces but I am pretty sure I goofed.
> > PLEASE HELP! I have included all the info that I think is pertinent but
> > if you require more please let me know and I will provide it. Thanks in
> > advance.
> >
> >               Troy
>
>
>#
># Shorewall 1.3 -- Policy File
>#
># /etc/shorewall/policy
>###############################################################################
>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
>loc             net             ACCEPT
>loc             dmz             ACCEPT
>dmz             net             ACCEPT          info
>dmz             loc             DROP            info
>#
># If you want open access to the internet from your firewall, uncomment the
># following line
>#fw             net             ACCEPT
>net             all             DROP            info
>all             all             REJECT          info
>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
>#
># Shorewall version 1.3 - Rules File
>#
># /etc/shorewall/rules
>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
>#                                               PORT    PORT(S)    DEST
># Accept DNS connections from the firewall to the network
>#
>ACCEPT          fw        net           tcp     53
>ACCEPT          fw        net           udp     53
>#
># Accept SSH connections from the local network for administration
>#
>ACCEPT          loc       fw            tcp     22
>
># DENAT to my webserver from web
>DNAT            net       dmz:192.168.2.26:80  tcp 80
>
># DENAT to my sshserver from web
>DNAT            net       dmz:192.168.2.26  tcp 22
>
># DENAT to my ftpserver from web
>DNAT            net       dmz:192.168.2.2  tcp 21
>
># DENAT to my sshserver from web
>DNAT            net       dmz:192.168.2.26  tcp 22
>
>#DNAT to my SSL webmin server from web
>DNAT    net       dmz:192.168.2.26:25000  tcp https -
>DNAT    net       dmz:192.168.2.26:25000  tcp  25000
>
>
># Bering specific rules:
># allow loc to fw udp/53 for dnscache to work
># allow loc to fw tcp/80 for weblet to work
>#
>ACCEPT          loc       fw            udp     53
>ACCEPT          loc       fw            tcp     80
>ACCEPT          loc       fw            udp     67
>ACCEPT          loc       fw            udp     68
>
># Bering specific rules:
># allow dmz to fw udp/53 for dnscache to work
># allow dmz to fw tcp/80 for weblet to work
>#
>ACCEPT          dmz       fw            udp     53
>ACCEPT          dmz       fw            tcp     80
>ACCEPT          dmz       fw            udp     67
>ACCEPT          dmz       fw            udp     68
>
>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
>#
># Shorewall 1.3 - Masquerade file
>#
># /etc/shorewall/masq
>#
>##############################################################################
>#INTERFACE              SUBNET          ADDRESS
>eth0                    eth1
>eth0                    eth2
>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
>#
># Shorewall 1.3 -- Interfaces File
>#
># /etc/shorewall/interfaces
>##############################################################################
>#ZONE   INTERFACE       BROADCAST       OPTIONS
>net     eth0            detect          dhcp,routefilter,norfc1918,noping
>loc     eth1            detect          routestopped
>dmz     eth2            detect          routestopped
>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
># uname -a
>Linux firewall 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586 unknown
>
># ip addr show
>1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:5a:51:c2:3f brd ff:ff:ff:ff:ff:ff
>     inet 192.139.75.34/27 brd 192.139.75.63 scope global eth0
>4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:5a:51:c1:91 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
>5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:fc:21:01:6c brd ff:ff:ff:ff:ff:ff
>     inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
>
># ip route show
>192.139.75.32/27 dev eth0  proto kernel  scope link  src 192.139.75.34
>192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
>192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
>default via 192.139.75.33 dev eth0
>
>
># lsmod
>Module         Pages    Used by
>ip_nat_h323             2628   0 (unused)
>ip_conntrack_h323       2280   1
>ip_nat_irc              2384   0 (unused)
>ip_nat_ftp              2960   0 (unused)
>ip_conntrack_irc        3056   1
>ip_conntrack_ftp        3824   1
>ppp_mppe               20168   0 (unused)
>ppp_async               5932   0 (unused)
>ppp_generic            14920   0 [ppp_mppe ppp_async]
>slhc                    4264   0 [ppp_generic]
>8139too                13308   1
>mii                      912   0 [8139too]
>tulip                  36928   2
>
>
>Shorewall-1.3.1 Chain  at firewall - Tue Oct  8 21:22:26 UTC 2002
>
>Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>    0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
>    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>Chain FORWARD (policy DROP 1 packets, 48 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0




--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                   -- Han Solo
Palo Alto, California, USA                        [EMAIL PROTECTED]
-------------------------------------------------------------------------------
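Checks 1 and 2 from the reply above (look at the interface counters from "ip -s link show", and look for a rule that is rejecting or dropping a lot of packets) can be scripted so they are repeatable before and after a slow transfer. The following is an added example, not code from the original thread or from the LEAF/Shorewall projects. It parses the output of `ip -s link show` and `iptables -L -v -n -x` and flags interfaces with non-zero error/drop/carrier counters and DROP/REJECT/LOG targets (or built-in chain policies) that matched at least a threshold number of packets. The two captures embedded in it are constructed for illustration; the counters and the zone-to-zone chain names (`dmz2net`, `dmz2loc`) are assumptions, not data from the post.

```shell
#!/bin/sh
# Added example (not from the leaf-user post): checks 1 and 2 of the reply above,
# applied to captured command output so they can be run offline against saved text.
#   link_problems    - interfaces whose RX/TX error, drop, overrun or carrier counters are non-zero
#   ruleset_hotspots - DROP/REJECT/LOG rules (and built-in chain policies) that matched
#                      at least THRESHOLD packets in "iptables -L -v -n -x" output
# Both captures below are CONSTRUCTED for illustration: the counters and the
# zone-to-zone chain names (dmz2net, dmz2loc) are assumptions, not data from the thread.

SAMPLE_LINK='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    4120       52       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    4120       52       0       0       0       0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:51:c1:91 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    58231901   61240    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    9812277    40118    0       0       0       0
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:fc:21:01:6c brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    9801322    40090    217     4310    0       0
    TX: bytes  packets  errors  dropped carrier collsns
    58190044   61107    0       0       38      0'

SAMPLE_IPT='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     412      39552 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    8871     712880 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
       3        144 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6
       3        144 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 48 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   61240   58231901 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   40090    9801322 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   39850    9790000 dmz2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
     240      11322 dmz2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain dmz2loc (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     240      11322 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6
     240      11322 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# stdin: output of "ip -s link show". Prints one line per interface with any non-zero
# error/drop/overrun/carrier counter; interfaces that are clean print nothing.
link_problems() {
    awk '
        /^[0-9]+: /  { sub(/:$/, "", $2); iface = $2; next }   # "4: eth1: <...>" opens a block
        /^ *RX: /    { mode = "RX"; next }                      # header line; the values follow
        /^ *TX: /    { mode = "TX"; next }
        mode == "RX" { rxe[iface] = $3; rxd[iface] = $4; rxo[iface] = $5; mode = "" }  # bytes packets errors dropped overrun mcast
        mode == "TX" { txe[iface] = $3; txd[iface] = $4; txc[iface] = $5; mode = "" }  # bytes packets errors dropped carrier collsns
        END {
            for (i in rxe)
                if (rxe[i] + rxd[i] + rxo[i] + txe[i] + txd[i] + txc[i] > 0)
                    printf "%s rx_errors=%d rx_dropped=%d rx_overrun=%d tx_errors=%d tx_dropped=%d tx_carrier=%d\n",
                           i, rxe[i], rxd[i], rxo[i], txe[i], txd[i], txc[i]
        }' | sort
}

# $1: packet threshold (default 100); stdin: output of "iptables -L -v -n -x".
# -x matters: without it iptables abbreviates counters to 12K/3M and the numeric
# comparison below would silently be wrong.
ruleset_hotspots() {
    awk -v thr="${1:-100}" '
        /^Chain / {                                   # "Chain FORWARD (policy DROP 1 packets, 48 bytes)"
            chain = $2
            if ($3 == "(policy" && ($4 == "DROP" || $4 == "REJECT") && $5 + 0 >= thr + 0)
                printf "%s: policy %s (%d pkts)\n", chain, $4, $5
            next
        }
        # rule lines: pkts bytes target prot opt in out source destination [extras]
        $1 ~ /^[0-9]+$/ && $3 ~ /^(DROP|REJECT|reject|LOG)$/ && $1 + 0 >= thr + 0 {
            printf "%s: %s %s in=%s out=%s %s -> %s (%d pkts)\n", chain, $3, $4, $6, $7, $8, $9, $1
        }'
}

# Stand-alone run against the constructed samples. On the router use live output:
#   ip -s link show | link_problems
#   iptables -L -v -n -x | ruleset_hotspots 100
echo "== interfaces with errors or drops =="
printf '%s\n' "$SAMPLE_LINK" | link_problems
echo "== DROP/REJECT/LOG rules with >= 100 matched packets =="
printf '%s\n' "$SAMPLE_IPT" | ruleset_hotspots 100
```

Run it once before and once right after a slow LAN-to-DMZ transfer and diff the two outputs: counters that climb by roughly the size of the transfer are the ones that matter, a static non-zero count is history. Receive errors and drops climbing on only one interface (eth2 in the constructed sample) point at that NIC, its cable or its driver and IRQ setup (check 5 in the reply), which is where this thread ended up; a DROP or LOG chain between the two zones climbing in step with the stalled transfer points at the ruleset instead, and a small steady count in a dmz-to-loc DROP chain is just the intended policy at work.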



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

