At 09:12 PM 4/30/2002 +0100, you wrote:
>On Tuesday 30 April 2002 8:58 pm, Andrew Greenburg wrote:
>
> > Hi,
> >
> > I've been using an iptables-based firewall at the office for several
> > months, and all of a sudden today I started having problems with opening
> > network connections to UNIX hosts. The port opens, and then it sits there
> > for about 60 seconds before it actually responds. After that, the
> > connection works normally. My tcp/ip connections to NT-based servers work
> > fine. There have been absolutely no changes to the configuration of the
> > netfilter box.
> >
> > Any ideas?
>
>Whenever I hear this sort of problem, I normally say "ident lookup".
>
>I guess in your case (since you've had a working netfilter box for some
>months with no recent changes), the question has to be - are the Unix boxes
>ones which you've previously connected to without these delays, and have
>there been any changes to those servers? (Specifically, has anyone
>installed TCP-wrappers on them?)

Yes, these are Unix boxes that I've always connected to in the past without 
delay, and there haven't been any changes to them. I have noticed that when 
I attempt to ftp into the one of them that I administer, I see this in the log:

ftpd[1394]: getpeername (in.ftpd): Transport endpoint is not connected

>To investigate the problem, it might be a good idea to put a logging rule on
>your firewall (in the INPUT chain if you're masquerading the clients behind
>the firewall's own IP address; in the FORWARD chain if you're not) to see if
>you're getting any packets destined for TCP port 113 - the ident daemon.

I've checked this, and I'm not seeing any packets destined for TCP port 
113. I'm fairly positive that in the past I used to see these packets.

>If you don't want to change the firewall, put a packet sniffer on the outside
>(ethereal would do nicely) and see if you're getting ident requests back from
>the servers with the delays.

I think this is the next step.


-- 
  Andrew M. Greenburg                   |   agreenbu   @  in-span   .   net
  Systems Engineer                      |   (317)234-1001     (317)234-1328
  Indiana Web Academy                   |   Phone             Fax
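
An added example (not part of the thread above) of the diagnostic step the reply suggests: print the port-113 logging rule for the INPUT or FORWARD chain, then count the ident attempts that such a rule wrote to the kernel log, per source address. It assumes the netfilter LOG target's usual "SRC=... PROTO=TCP ... DPT=..." field layout; the "IDENT: " prefix and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Diagnose ident (TCP 113) delays behind a netfilter box.
# Assumption: LOG writes its standard "SRC=... PROTO=TCP ... DPT=..." fields
# to the kernel log; the "IDENT: " prefix is our own choice.

# Print (do not execute) the logging rule for the ident port. Use INPUT when
# the firewall masquerades the clients (the servers' ident requests come back
# to the firewall's own address), FORWARD when the clients are routed through.
# To apply it on the firewall:  ident_log_rule INPUT | sh
ident_log_rule() {
    case "$1" in
        INPUT|FORWARD) ;;
        *) echo "usage: ident_log_rule INPUT|FORWARD" >&2; return 1 ;;
    esac
    printf 'iptables -I %s -p tcp --dport 113 -j LOG --log-prefix "IDENT: "\n' "$1"
}

# Count logged ident attempts per source address, reading a kernel log file
# (or stdin when no file is given). Output lines: "<count> <src>", busiest first.
# A server that shows up here is sending ident requests; if the servers never
# appear, the delay must be explained by something other than a blocked ident.
count_ident_hits() {
    grep 'IDENT: ' "${1:--}" | grep 'PROTO=TCP' | grep 'DPT=113 ' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Constructed sample log lines (not real captures), in LOG target layout.
# 192.0.2.10 and 192.0.2.25 stand in for the Unix servers being connected to.
SAMPLE_LOG='Apr 30 21:05:01 fw kernel: IDENT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:05:04 fw kernel: IDENT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40002 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:06:11 fw kernel: IDENT: IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 30 21:06:12 fw kernel: OTHER: IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Stand-alone demonstration on the constructed sample: prints
#   2 192.0.2.10
#   1 192.0.2.25
printf '%s\n' "$SAMPLE_LOG" | count_ident_hits
```

On a real firewall, point count_ident_hits at the file your syslog writes kernel messages to (commonly /var/log/kern.log or /var/log/messages) after the rule has been in place during one of the slow connections.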

