/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
On Thu, 21 Oct 1999, Steve Sobka wrote:
> Wouldn't a NooP command from the FTP client perform the same as increasing
> the timeout? Being that you're increasing the timeout for all apps? The Noop
> would just affect the FTP app? yes? no?
You're correct; _any_ command sent over the command channel (port
21) will trigger the firewall to bring the timeout for _that_ _connection_
back to the maximum. Unfortunately, if I've understood the problem
correctly, the problem seems to be long downloads that carry lots of
packets over the data channel (so its timeout may never fall more than 5
or 10 seconds below the maximum), but carries nothing over the command
channel after the data channel has been completely established. If you
picture a file that takes 20 minutes to download through a masq firewall
that has a 15 minute tcp timeout, the data channel stays up near 15, but
the command channel steadily works its way down to 0, at which point it's
dropped from the kernel tables. Once the download is finished, the ftp
client tries to talk on port 21 again to close out the connection, but the
masq box in the middle can't find that port in its tables.
To see this in action, download something really big through a
masq box - the RedHat 6.1 iso image, perhaps? While it's downloading, run
"netstat -a -M -c" or "watch ipfwadm -l -M" or "watch ipchains -L -M" on
the masq box.
Kelly French not only identified, but also provided a patch to
fix, the root of the problem: the ip_masq_ftp module should reset the
timer on _both_ the _data_ and _command_ channels when packets are seen on
the data channel to handle this exact problem. Extending the timeouts is
only a workaround.
Cheers,
- Bill
---------------------------------------------------------------------------
"Unix _is_ user friendly. It's just very selective about who its
friends are. And sometimes even best friends have fights."
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
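A small model of the timer behaviour Bill describes, added here as an illustration and not code from the post or from the ip_masq module: each masqueraded connection counts down from the 15-minute tcp timeout and is dropped at zero, data-channel packets arrive every few seconds, and the command channel is silent until the transfer ends. The MasqTable class, the entry names and simulate_download are constructed for the example; link_channels=True stands in for the patch that resets both channels' timers on data-channel traffic.

```python
TCP_TIMEOUT = 15 * 60  # the post's 15-minute masq tcp timeout, in seconds


class MasqTable:
    """Model of the kernel masquerade table: each entry counts down from
    TCP_TIMEOUT and is dropped when it reaches zero (constructed, not ip_masq)."""

    def __init__(self, link_channels):
        self.link_channels = link_channels  # True models Kelly French's patch
        self.timers = {}    # entry name -> seconds left before it is dropped
        self.related = {}   # data channel -> the command channel that set it up

    def add(self, name, command=None):
        self.timers[name] = TCP_TIMEOUT
        if command:
            self.related[name] = command

    def packet(self, name):
        """A packet on `name` resets its timer; with the fix, its command channel too."""
        if name not in self.timers:
            raise KeyError(f"no masq entry for {name}: it timed out")
        self.timers[name] = TCP_TIMEOUT
        other = self.related.get(name)
        if self.link_channels and other in self.timers:
            self.timers[other] = TCP_TIMEOUT

    def tick(self, seconds=1):
        for name in list(self.timers):
            self.timers[name] -= seconds
            if self.timers[name] <= 0:
                del self.timers[name]  # dropped from the kernel tables


def simulate_download(minutes, link_channels, data_interval=5):
    """Data packets every `data_interval` s, silence on the command channel until
    the end.  Returns (command channel still usable, lowest data timer seen)."""
    table = MasqTable(link_channels)
    table.add("cmd:21")
    table.add("data", command="cmd:21")
    lowest = TCP_TIMEOUT
    for sec in range(minutes * 60):
        table.tick()
        lowest = min(lowest, table.timers["data"])  # data channel never drops
        if sec % data_interval == 0:
            table.packet("data")
    try:
        table.packet("cmd:21")  # client finally sends QUIT on port 21
        return True, lowest
    except KeyError:
        return False, lowest
```

A 20-minute transfer through the unpatched model loses its command channel while the data channel never falls more than five seconds below the maximum; the same transfer with the linked timers, or a 10-minute one without them, finishes cleanly.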
_______________________________________________
Masq maillist - [EMAIL PROTECTED]