Sorry, the first message escaped me without a message body... Hi All -
Generally, the netfilter system serves me well (set up by SuSE Firewall2 under SuSE Linux 7.3); however, one annoying problem remains. I use netfilter with NAT to enable Internet access from an internal, privately addressed LAN (192.168.x.x). The kernel is 2.4.10, iptables v. 1.2.2.

The problem is that FTP access to foreign FTP servers frequently slows down tremendously when FTP is initiated by a client on the internal network, or, for that matter, also when the client runs on the iptables gateway box itself. It makes no difference if the client attempts normal or passive FTP. We have a 2Mb Internet connection, and the problems typically occur on FTP sites which are normally very fast - our local McAfee updates site or a nearby university offering Sunsite and Netscape mirroring, for example.

Using another default gateway, in this case our trusted old Novell 5.1 server, I have no problem downloading software at some 150-200 Kbytes/sec from the university site, but when the iptables box is used, the rate descends drastically to maybe 2-3 Kbytes/sec after the first few blocks are transferred - and frequently freezes up altogether, causing the FTP client to time out. This only shows on FTP traffic; web surfing from an internal client seems to be running at a normal rate. Also, FTP transfers from servers known to be not particularly fast (Novell, Microsoft, SuSE) run at a somewhat expectable speed.

Another peculiar observation: when FTP is attempted to one of the mentioned sites from an internal client on a "slow" segment (connected to the main internal LAN via an ISDN router running 64 or 128 kbit/sec), the rate is pretty much as could be expected, some 7-14 Kbytes/sec respectively.

Some time ago I read something somewhere about some mechanisms built into netfilter in the line of protection against some kind of data flooding (huge amounts of data from one IP address bombarding the gateway). I do not know if this is true, but the idea that such a mechanism could be backfiring on me in this case is rather tempting - or am I missing something rather serious here?? Anyway, if this could be the case, I have no idea whatsoever how to make an impact on such settings (params, iptables etc.).

This really is killing me - and is in fact the last remaining hurdle obstructing our final migration to an all-Linux platform in this company. Any help is very much appreciated - tnx in advance.

Joern W. Andersen, ICCC Copenhagen.
