Since it is trying an ident query, why not reject it in your OUTPUT
chain on the server, so you will not need to wait for the time-out.

Side note: I'd move to proftpd (proftd.net), which has a central
configuration file. You can turn off ident/reverse DNS lookup easily
therein. More importantly, proftpd is considered to be more secure by
many. Even Red Hat doesn't use wu-ftpd. That said, proftpd did originate
from wu-ftpd...
On Wed, 27 Mar 2002, Andres Adrover Kvamsdal wrote:
#We just set up netfilter on a RedHat Linux 7.2 firewall with kernel kernel
#and iptables 1.2.4-2.
#
#We have noticed that ftp traffic is considerably slower now than with our
#trusty never patched RedHat Linux 6.1 box running ipchains.
#
#A tcpdump session showing the traffic between an internal LAN IP and the DMZ
#server running wu-ftpd-2.6.1-20 is reproduced below:
#root@ftpserver ~ # tcpdump -v -v -v "src or dst 192.168.0.67"
#tcpdump: listening on eth0
#20:20:21.222926 192.168.0.67.2295 > 66.66.66.66.ftp: S [tcp sum ok]
#4074769634:4074769634(0) win 16384 <mss 1460> (DF) (ttl 63, id 12600, len
#44)
#20:20:21.223382 66.66.66.66.ftp > 192.168.0.67.2295: S [tcp sum ok]
#379546187:379546187(0) ack 4074769635 win 5840 <mss 1460> (DF) (ttl 64, id
#0, len 44)
#20:20:21.223948 66.66.66.66.ftp > 192.168.0.67.2295: S [tcp sum ok]
#379546187:379546187(0) ack 4074769635 win 5840 <mss 1460> (DF) (ttl 64, id
#0, len 44)
#20:20:21.223953 192.168.0.67.2295 > 66.66.66.66.ftp: . [tcp sum ok] 1:1(0)
#ack 1 win 17520 (DF) (ttl 63, id 12601, len 40)
#20:20:21.232701 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok]
#378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2359787
#0,nop,wscale 0> (DF) (ttl 64, id 45419, len 60)
#20:20:21.233260 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok]
#378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2359787
#0,nop,wscale 0> (DF) (ttl 64, id 45419, len 60)
#20:20:24.229434 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok]
#378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2360087
#0,nop,wscale 0> (DF) (ttl 64, id 45420, len 60)
#20:20:24.229980 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok]
#378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2360087
#0,nop,wscale 0> (DF) (ttl 64, id 45420, len 60)
#20:20:34.531975 66.66.66.66.ftp > 192.168.0.67.2295: P 1:65(64) ack 1 win
#5840 (DF) (ttl 64, id 27558, len 104)
#
#
#We managed to speed up the connection to around 20 seconds by adding to our
#FORWARD chain in netfilter the following rules:
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp
#echo "1" > /proc/sys/net/ipv4/ip_forward
#$IPTABLES -A FORWARD -p tcp -i $DMZ_IFACE --dport 113 -j REJECT
#$IPTABLES -A FORWARD -p udp -i $DMZ_IFACE --dport 113 -j REJECT
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
#
#$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE \
# -d $OTILIO --dport 20 -j allowed
#$IPTABLES -A FORWARD -p udp -i $INET_IFACE -o $DMZ_IFACE \
# -d $OTILIO --dport 20 -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE \
# -d $OTILIO --dport 21 -j allowed
#$IPTABLES -A FORWARD -p udp -i $INET_IFACE -o $DMZ_IFACE \
# -d $OTILIO --dport 21 -j ACCEPT
#
#after looking in /etc/services and discovering that the auth protocol is
#udp port 113 and tcp port 113. Only the rules that are relevant have been
#reproduced.
#
#Rejecting the packets instead of the default drop helped.
#
#We have set in our /etc/ftpaccess the following line
#timeout RFC931 0
#which is supposed to explicitly deny the use of the auth protocol by the
#ftp daemon.
#
#As can be seen from the tcpdump the ftp server stays 13 seconds waiting for
#replies to the auth requests it made and which never arrive.
#
#Andres Adrover
#
Jerry Z. Yu +1-404-262-8544 (O)
systems engineer [EMAIL PROTECTED]
is support, voicecom, llc www.voicecom.com
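The thread's diagnosis rests on reading the tcpdump by eye: the server opens an ident (auth, tcp/113) connection back to the client, gets no SYN-ACK and no RST, retransmits, and only sends the FTP banner after its own timeout expires. The script below is an added example, not code from the thread or from wu-ftpd/netfilter; it parses the tcpdump 3.x summary lines quoted above (reproduced here with the mail line-wrapping removed, and deduplicated by IP id because the firewall captured each packet twice) and turns that eyeball check into numbers: how long the banner took, how many distinct ident attempts were made, and whether anything ever answered them. The server and client addresses are the ones in the quoted capture; the port-name table covers only the service names tcpdump printed there.

```python
import re
from datetime import datetime

# Service names tcpdump printed in the quoted capture in place of port numbers.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "auth": 113}

# One tcpdump 3.x summary line, e.g.
#   20:20:21.232701 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] ... (ttl 64, id 45419, len 60)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w[\w-]*)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w[\w-]*):\s+"
    r"(?P<flags>[SFRP.]+)\s"
    r"(?P<rest>.*)$"
)
IP_ID_RE = re.compile(r"\bid (\d+)")


def port_number(name):
    """tcpdump prints well-known ports by name; map them back to numbers."""
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def parse_line(line):
    """Return a packet dict for one summary line, or None for header/noise lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    idm = IP_ID_RE.search(m.group("rest"))
    return {
        "t": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
        "src": m.group("src"), "sport": port_number(m.group("sport")),
        "dst": m.group("dst"), "dport": port_number(m.group("dport")),
        "flags": m.group("flags"),
        "ip_id": int(idm.group(1)) if idm else None,
    }


def ident_stall(lines, server, client, ftp_port=21, ident_port=113):
    """Measure the banner delay and decide whether an unanswered ident probe explains it."""
    pkts = [p for p in map(parse_line, lines) if p]
    try:
        syn = next(p for p in pkts if p["src"] == client and p["dport"] == ftp_port and "S" in p["flags"])
        banner = next(p for p in pkts if p["src"] == server and p["sport"] == ftp_port and "P" in p["flags"])
    except StopIteration:
        raise ValueError("capture lacks the client SYN or the server banner push")
    probes = [p for p in pkts if p["src"] == server and p["dport"] == ident_port and "S" in p["flags"]]
    replies = [p for p in pkts if p["src"] == client and p["sport"] == ident_port]
    if not probes:
        verdict = "no ident probe seen; look elsewhere (e.g. reverse DNS)"
    elif replies:
        verdict = "ident probe was answered (reply or RST); it is not the stall"
    else:
        verdict = "ident probe never answered: server waited for its own timeout"
    return {
        "banner_delay_s": round((banner["t"] - syn["t"]).total_seconds(), 6),
        # The firewall saw each SYN on two interfaces, so count attempts by IP id.
        "ident_attempts": len({p["ip_id"] for p in probes}),
        "ident_answered": bool(replies),
        "ident_wait_s": round((banner["t"] - probes[0]["t"]).total_seconds(), 6) if probes else 0.0,
        "verdict": verdict,
    }


# Sample input: the capture quoted in the thread, unwrapped (header lines kept to show they are skipped).
CAPTURE = """\
tcpdump: listening on eth0
20:20:21.222926 192.168.0.67.2295 > 66.66.66.66.ftp: S [tcp sum ok] 4074769634:4074769634(0) win 16384 <mss 1460> (DF) (ttl 63, id 12600, len 44)
20:20:21.223382 66.66.66.66.ftp > 192.168.0.67.2295: S [tcp sum ok] 379546187:379546187(0) ack 4074769635 win 5840 <mss 1460> (DF) (ttl 64, id 0, len 44)
20:20:21.223953 192.168.0.67.2295 > 66.66.66.66.ftp: . [tcp sum ok] 1:1(0) ack 1 win 17520 (DF) (ttl 63, id 12601, len 40)
20:20:21.232701 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2359787 0,nop,wscale 0> (DF) (ttl 64, id 45419, len 60)
20:20:21.233260 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2359787 0,nop,wscale 0> (DF) (ttl 64, id 45419, len 60)
20:20:24.229434 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2360087 0,nop,wscale 0> (DF) (ttl 64, id 45420, len 60)
20:20:24.229980 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2360087 0,nop,wscale 0> (DF) (ttl 64, id 45420, len 60)
20:20:34.531975 66.66.66.66.ftp > 192.168.0.67.2295: P 1:65(64) ack 1 win 5840 (DF) (ttl 64, id 27558, len 104)
"""

if __name__ == "__main__":
    for key, value in ident_stall(CAPTURE.splitlines(), server="66.66.66.66", client="192.168.0.67").items():
        print(f"{key}: {value}")
```

On the quoted capture this reports a 13.3 s banner delay, two distinct ident SYN attempts and no answer at all, which is exactly the case in which rejecting tcp/113 (on the server's OUTPUT chain, as suggested above, or on the firewall as Andres did) fixes the delay: the server's connect() fails immediately on the RST or ICMP unreachable instead of sitting in SYN retransmission. Rerun tcpdump and this script after changing the rules or the daemon's RFC931 setting; if the verdict changes to "no ident probe seen" but the banner is still slow, the remaining wait is something else, reverse DNS being the usual suspect.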