On Tuesday 30 April 2002 8:58 pm, Andrew Greenburg wrote:
> Hi,
>
> I've been using an iptables-based firewall at the office for several
> months, and all of a sudden today I started having problems with opening
> network connections to UNIX hosts. The port opens, and then it sits there
> for about 60 seconds before it actually responds. After that, the
> connection works normally. My tcp/ip connections to NT-based servers work
> fine. There have been absolutely no changes to the configuration of the
> netfilter box.
>
> Any ideas?
Whenever I hear this sort of problem, I normally say "ident lookup".

I guess in your case (since you've had a working netfilter box for some months with no recent changes), the question has to be: are the Unix boxes ones which you've previously connected to without these delays, and have there been any changes to those servers? (Specifically, has anyone installed TCP-wrappers on them?)

To investigate the problem, it might be a good idea to put a logging rule on your firewall (in the INPUT chain if you're masquerading the clients behind the firewall's own IP address; in the FORWARD chain if you're not) to see if you're getting any packets destined for TCP port 113 - the ident daemon.

If you don't want to change the firewall, put a packet sniffer on the outside (ethereal would do nicely) and see if you're getting ident requests back from the servers with the delays.

Hope this helps,

Antony.
