IPFW and FTP client behind NAT

2018-02-13 Thread wishmaster
Hi, colleagues.

I have the main server/router and a Samba server behind it. This Samba 
server sends some data via FTP every night to another server on the Internet.
The first remote server is under my control and uses about the same configuration 
as the main one plus an FTPD (port 2112) daemon.
The second remote server is not under my control; we use it as backup storage and, 
as far as I know, the OS is f...ing Linux.

When I connect to the first server and transmit a very big file with a 
transmission duration > 300 sec, the control channel (port pair 36313 <-> 2112) 
is always "recreated" when the expiration timer reaches zero.

root@xxx: ipfw -d show|grep '111.222.230.62'
15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts

The issue is with the second remote server. When I transmit a very big file, 
the control channel is not "recreated", and the transfer of this file and all the 
following ones always fails.

root@xxx: ipfw -d show|grep '111.222.0.7'
03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts

root@xxx: ipfw -d show|grep '111.222.0.7'
03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts

The main server/router uses IPFW and, in most places, dynamic rules. As a 
workaround I have added one rule on the external interface:

$cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue

But I want to find the problem.

Thanks,
Vitaly
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: IPFW and FTP client behind NAT

2018-02-14 Thread Julian Elischer

On 14/2/18 2:35 pm, wishmaster wrote:
> Hi, colleagues.
> 
> I have the main server/router and a Samba server behind it. This Samba 
> server sends some data via FTP every night to another server on the Internet.
> The first remote server is under my control and uses about the same configuration 
> as the main one plus an FTPD (port 2112) daemon.
> The second remote server is not under my control; we use it as backup storage and, 
> as far as I know, the OS is f...ing Linux.
> 
> When I connect to the first server and transmit a very big file with a transmission 
> duration > 300 sec, the control channel (port pair 36313 <-> 2112) is always "recreated" 
> when the expiration timer reaches zero.
> 
> root@xxx: ipfw -d show|grep '111.222.230.62'
> 15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
> 15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts
> 
> The issue is with the second remote server. When I transmit a very big file, the control 
> channel is not "recreated", and the transfer of this file and all the following ones 
> always fails.
> 
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
> 
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 
> The main server/router uses IPFW and, in most places, dynamic rules. As a 
> workaround I have added one rule on the external interface:
> 
> $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
> 
> But I want to find the problem.
> 
> Thanks,
> Vitaly



Can you check the values of the keep-alive timers on all 3 systems?

And possibly the firewall on system 3 may block keepalive packets.


[jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.always_keepalive
net.inet.tcp.always_keepalive: 1

[jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.keepidle
net.inet.tcp.keepidle: 720

That's 2 hours, for example.

Setting it to less than 30 should make your control session 
include keepalive packets.


Also look at your ipfw man page and see if this can help you:

  Dynamic rules expire after some time, which depends on the status of the
  flow and the setting of some sysctl variables.  See Section SYSCTL
  VARIABLES for more details.  For TCP sessions, dynamic rules can be
  instructed to periodically send keepalive packets to refresh the state of
  the rule when it is about to expire.

  See Section EXAMPLES for more examples on how to use dynamic rules.




Re: IPFW and FTP client behind NAT

2018-02-15 Thread Andrey V. Elsukov
On 14.02.2018 09:35, wishmaster wrote:
> The issue is with the second remote server. When I transmit a very big file, 
> the control channel is not "recreated", and the transfer of this file and all 
> the following ones always fails.
> 
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
> 
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 
> The main server/router uses IPFW and, in most places, dynamic rules. As a 
> workaround I have added one rule on the external interface:
> 
> $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
> 
> But I want to find the problem.

ipfw starts sending keep-alive TCP segments when a dynamic state's lifetime
drops below 20 seconds. If the foreign host replies to the keep-alive segment,
the state's lifetime is bumped back up to 300 seconds (by default).
Otherwise the state expires.

In your case I guess the foreign host doesn't reply to the keep-alive
segments, probably because it has a lower value for its state lifetime. By the
time your host starts sending keep-alive requests, the foreign host has
already dropped this state.

You can try to decrease net.inet.ip.fw.dyn_ack_lifetime value and
determine the value that will be enough for this host. For example, set
it to 250, 200, 150, 100.

-- 
WBR, Andrey V. Elsukov



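To make the timer interplay in Andrey's explanation concrete, here is an added simulation (not code from the thread or from ipfw) of an idle FTP control connection tracked by our ipfw dynamic rule and by a foreign firewall with its own, possibly shorter, idle timeout. The 20 s keep-alive threshold and the 300 s default lifetime come from his message; the 5 s keep-alive period and the candidate values 250/200/150/100 are taken as assumptions.

```python
"""Added example: simulate an ipfw dynamic TCP state against a foreign
firewall's idle timeout while the FTP control channel sits idle."""

KEEPALIVE_THRESHOLD = 20   # ipfw starts keep-alives below this lifetime (from the thread)
DEFAULT_LIFETIME = 300     # net.inet.ip.fw.dyn_ack_lifetime default (from the thread)
KEEPALIVE_PERIOD = 5       # assumption: one keep-alive every 5 s inside that window


def control_channel_survives(dyn_ack_lifetime, foreign_timeout, idle_seconds):
    """Return True if the idle control connection is still tracked by our
    ipfw after `idle_seconds` of silence (the length of the data transfer).

    foreign_timeout is the idle timeout of the foreign side's state table:
    once exceeded, that side drops the state and no longer answers
    keep-alives, so our own state silently runs out."""
    remaining = dyn_ack_lifetime     # seconds left on our dynamic rule
    foreign_idle = 0                 # seconds since the far end saw a packet
    since_keepalive = KEEPALIVE_PERIOD
    for _ in range(idle_seconds):
        remaining -= 1
        foreign_idle += 1
        since_keepalive += 1
        if remaining <= 0:
            return False             # expired: the next FTP command has no rule
        if remaining < KEEPALIVE_THRESHOLD and since_keepalive >= KEEPALIVE_PERIOD:
            since_keepalive = 0
            if foreign_idle < foreign_timeout:
                # far end still tracks the connection and answers; both
                # sides see a packet and refresh their state
                remaining = dyn_ack_lifetime
                foreign_idle = 0
            # else: far end already dropped its state, keep-alive unanswered
    return True


def pick_dyn_ack_lifetime(foreign_timeout, candidates=(250, 200, 150, 100),
                          idle_seconds=3600):
    """Largest candidate dyn_ack_lifetime whose first keep-alive still
    reaches the foreign side before its timeout, or None if none works."""
    for lifetime in candidates:
        if control_channel_survives(lifetime, foreign_timeout, idle_seconds):
            return lifetime
    return None


if __name__ == "__main__":
    # Foreign side with a generous timeout (like the first server): defaults are fine.
    print(control_channel_survives(DEFAULT_LIFETIME, 400, 3600))   # True
    # Foreign side dropping state after 120 s (the second server, by hypothesis).
    print(control_channel_survives(DEFAULT_LIFETIME, 120, 3600))   # False
    print(pick_dyn_ack_lifetime(120))                              # 100
```

The simulation shows why only the lifetime values whose first keep-alive (sent at lifetime minus 20 s) precedes the foreign timeout keep the control channel alive, which is the ordering behind the suggested 250, 200, 150, 100 sequence.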


Re[2]: IPFW and FTP client behind NAT

2018-02-15 Thread wishmaster


 
 --- Original message ---
 From: "Julian Elischer" 
 Date: 15 February 2018, 07:51:34
  


> On 14/2/18 2:35 pm, wishmaster wrote:
> > Hi, colleagues.
> >
> > I have the main server/router and a Samba server behind it. This Samba 
> > server sends some data via FTP every night to another server on the 
> > Internet.
> > The first remote server is under my control and uses about the same 
> > configuration as the main one plus an FTPD (port 2112) daemon.
> > The second remote server is not under my control; we use it as backup storage 
> > and, as far as I know, the OS is f...ing Linux.
> >
> > When I connect to the first server and transmit a very big file with a 
> > transmission duration > 300 sec, the control channel (port pair 36313 <-> 
> > 2112) is always "recreated" when the expiration timer reaches zero.
> >
> > root@xxx: ipfw -d show|grep '111.222.230.62'
> > 15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
> > 15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts
> >
> > The issue is with the second remote server. When I transmit a very big 
> > file, the control channel is not "recreated", and the transfer of this file 
> > and all the following ones always fails.
> >
> > root@xxx: ipfw -d show|grep '111.222.0.7'
> > 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> > 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
> >
> > root@xxx: ipfw -d show|grep '111.222.0.7'
> > 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> >
> > The main server/router uses IPFW and, in most places, dynamic rules. As a 
> > workaround I have added one rule on the external interface:
> >
> > $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
> >
> > But I want to find the problem.
> >
> > Thanks,
> > Vitaly
> >
> 
> Can you check the values of the keep-alive timers on all 3 systems?
> 
> And possibly the firewall on system 3 may block keepalive packets.

I think so as well. Unfortunately this host is not mine.

 
> [jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.always_keepalive
> net.inet.tcp.always_keepalive: 1
> 
> [jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.keepidle
> net.inet.tcp.keepidle: 720
> 
> That's 2 hours, for example.
> 
> Setting it to less than 30 should make your control session 
> include keepalive packets.

net.inet.tcp.keepidle=29
doesn't help.

In any case, thanks for your attention.

--
Vitaly
 