On Tuesday, May 27, 2003, at 16:02 US/Pacific, Bryan Irvine wrote:

16:02:12.855960 12-213-225-238.client.attbi.com.42840 >
64-1-201-147.daf.concentric.net.ftp: . ack 1 win 17376
<nop,nop,timestamp 901947366 1577248712> (DF)
16:02:12.859376 64-1-201-147.daf.concentric.net.38315 >
knox2.horvitznewspapers.net.domain:  52301+ PTR?
238.225.213.12.in-addr.arpa. (45)

It seems to connect, and then the firewall tries to do an nslookup of
the ip (knox is DNS).  Does anyone else read this differently than I?

Looks like that to me. That would explain the delay if that's being blocked, since it will wait for the DNS query to timeout before showing the prompt. Easiest thing to do would probably be allow UDP 53 from $FTPServer. An alternative would be changing /etc/resolv.conf on the box to not use the external nameservers.

On Tue, 2003-05-27 at 15:24, Trevor Talbot wrote:
On Tuesday, May 27, 2003, at 14:39 US/Pacific, Bryan Irvine wrote:

[internet]---[OBSD]---[DMZ with ftp server] <-public range not on a NAT
                     / \
                    /   NAT2 (connects fine to ftp server in active mode)
                 NAT1 (also connects just fine in active mode)

The login screen pops right up immediately when I use the pass all
rules, but then I still have to switch to passive when I connect from
the outside. As soon as I switch back to my block in all I have to wait
about a minute for the login screen to pop up, as well as switch to
passive after I've authenticated.
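The pattern Trevor points to above (inbound FTP connection, immediately followed by the server's PTR query for the client address to an outside resolver) can be picked out of a capture automatically. This is an added example, not code from the thread; the tcpdump lines it parses are constructed in `tcpdump -n` style with a made-up resolver address 64.1.202.3, and the port and regexes are assumptions about that output format.

```python
import re

# Constructed sample of tcpdump -n output (not the lines from the thread):
# an inbound TCP connection to the FTP server, followed by the FTP server's
# reverse (PTR) lookup of the client address sent to an external resolver.
SAMPLE = """\
16:02:12.855960 12.213.225.238.42840 > 64.1.201.147.21: . ack 1 win 17376 <nop,nop,timestamp 901947366 1577248712> (DF)
16:02:12.859376 64.1.201.147.38315 > 64.1.202.3.53: 52301+ PTR? 238.225.213.12.in-addr.arpa. (45)
16:02:13.100000 198.51.100.7.51000 > 64.1.201.147.21: S 10:10(0) win 65535
16:02:13.104000 64.1.201.147.38316 > 64.1.202.3.53: 52302+ PTR? 7.100.51.198.in-addr.arpa. (45)
16:02:14.000000 64.1.201.147.38317 > 64.1.202.3.53: 52303+ PTR? 1.0.0.10.in-addr.arpa. (45)
"""

# "<ts> <src_ip>.<port> > <dst_ip>.<port>:" as printed by tcpdump -n
TCP_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
# a DNS PTR query for an in-addr.arpa name, destination port 53
PTR_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.53: "
                    r"\d+\+ PTR\? (\S+)\.in-addr\.arpa\.")


def ptr_name_to_ip(name):
    """Reverse the octets of a PTR query name: '238.225.213.12' -> '12.213.225.238'."""
    return ".".join(reversed(name.split(".")))


def find_reverse_lookups(dump, server_port="21"):
    """Return (timestamp, client_ip, resolver_ip) for every PTR query that asks
    about an address which connected to server_port earlier in the capture.
    Each hit is a lookup that, if the firewall drops it, stalls the FTP banner
    until the resolver times out."""
    recent_clients = set()
    hits = []
    for line in dump.splitlines():
        m = TCP_RE.match(line)
        if m and m.group(4) == server_port:
            recent_clients.add(m.group(2))   # remember who connected to the server
            continue
        m = PTR_RE.match(line)
        if m:
            ts, _server, resolver, qname = m.groups()
            looked_up = ptr_name_to_ip(qname)
            if looked_up in recent_clients:  # PTR query about a recent client
                hits.append((ts, looked_up, resolver))
    return hits


if __name__ == "__main__":
    for ts, client, resolver in find_reverse_lookups(SAMPLE):
        print(f"{ts} PTR lookup of client {client} sent to resolver {resolver}")
```

A hit means the FTP daemon depends on reaching that resolver, so the fix is either a rule permitting UDP 53 from the FTP server to it or pointing resolv.conf at a reachable nameserver, as suggested in the reply.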