I'll answer in-line, if that's ok.
On Tue, 13 Nov 2001, Robert wrote:
> Hi Mike,
>
> This particular question just begs for more info, because the underlying
> issue is one of performance vs setup of your firewall..
>
> For example, how about FTP'ing from the firewall to an INTERNAL server?
> What's the speed of *that* transfer??
FTP transfers from the server/firewall to workstations inside the
firewall, over the 10BaseT network, run between 350 and 450K/s.
> What's the specs on the machine that you setup as the firewall?
> What kind of NIC's (type, speed, settings) are you using?
> Are you using NAT?
PII 300, 256MB RAM, 6GB HD housing /boot and /, 30GB HD housing swap,
/home and /var (both drives EIDE). Both NICs in the firewall machine are
3C905B cards.
> What release of Seawolf are you using? Any upgrades or patches?
Fully up2date'd Seawolf, with the SGI XFS kernels. I've tried a few
different kernel versions (2.4.3, 2.4.5, currently 2.4.9).
> How about other types of transfers from the clients, such as HTTP
> downloads? Do they also fare as badly?
Nope...http seems to run quite well.
> While I agree with you, your setup should NOT be showing such a large
> discrepancy in download speeds (considering that you should be able to
> sustain well over 100kb/sec downloads with your setup, assuming you have
> a full T1 line available (theoretically, you should be able to hit a
> max of 192Kbytes/sec minus overhead and latency issues)), and 3Kb/sec
> is WAYYYY too slow. But I'd also suggest that your 40 - 80Kb/sec is
> also off by half at least... That indicates that either you're not
> hitting a fast server, or your firewall isn't up to the task of
> maintaining available wirespeed transfers... Probably due to setup
> issues (conflicts in HW setup, shared IRQ's on devices that don't share
> well, inadequate device capabilities (like ISA-based NIC's instead of
> PCI, etc.)).
Well, the downloads, lately, have been ISO downloads from RedHat's site,
so the 40-80K/s, given that there is other traffic on the T1 in question,
probably isn't that bad.
As to IRQ sharing, you could have a point. Both NICs seem to be sharing
IRQ 11, though they are both PCI cards:
eth0      Link encap:Ethernet  HWaddr 00:10:4B:2F:E6:51
          inet addr:216.140.122.113  Bcast:216.140.122.127  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4029450 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2909234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xe400

eth1      Link encap:Ethernet  HWaddr 00:10:5A:AB:02:CF
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:681387 errors:12 dropped:0 overruns:0 frame:12
          TX packets:1580027 errors:0 dropped:0 overruns:0 carrier:0
          collisions:196625 txqueuelen:100
          Interrupt:11 Base address:0xec00
> Anyways, I'm off to work for the day, but if you'd post back some of the
> specifics of your installation, I'd be happy to give it a look-see and
> see if there's any glaring discrepancies with it...
Other than that, if my IPTables setup might yield a clue, I'll be happy to
put that up, too.
BTW, the following IPT modules are loaded (IPtables list from lsmod):
ipt_MASQUERADE          2397   1 (autoclean)
iptable_nat            20648   1 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
iptable_mangle          2766   0 (autoclean) (unused)
ipt_LOG                 4292   3 (autoclean)
ipt_state               1569   3 (autoclean)
ip_conntrack           21154   3 (autoclean) [ip_nat_ftp ip_conntrack_ftp ipt_MASQUERADE iptable_nat ipt_state]
ipt_limit               1998   4 (autoclean)
iptable_filter          2757   0 (autoclean) (unused)
ip_tables              13775  10 [ipt_REJECT ipt_MASQUERADE iptable_nat iptable_mangle ipt_LOG ipt_state ipt_limit iptable_filter]
Thanks.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Burger
> Sent: November 13, 2001 8:49 AM
> To: [EMAIL PROTECTED]
> Subject: Slow FTP from behind Netfilter/IPTables firewall.
>
>
> My firewall is connected to a relatively low use T1 by way of 100MB
> switch.
>
> Performing FTP downloads, from a console session on the firewall/server,
> I routinely see speeds between 40 and 80 K/s.
>
> The systems behind the firewall, however, can't seem to get FTP
> downloads that go any faster than 3K/s. These systems are connected to
> the firewall by 10Meg hub, but that really shouldn't make a
> difference...especially not that much of a difference.
>
> Does anyone have any idea what might be causing such a massive speed
> discrepancy, and how I might fix it?
>
> If necessary, I can post my ruleset(s).
>
> Thanks.
>
> --Mike
>
>
>
> _______________________________________________
> Seawolf-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/seawolf-list
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
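
An added example, not part of the original message: a small Python check that reads the ifconfig counters posted above and reports receive errors, the collision ratio per interface, and NICs that share an interrupt line. The function names and the 5% collision threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Counter lines copied from the ifconfig output in the message above.
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:10:4B:2F:E6:51
RX packets:4029450 errors:0 dropped:0 overruns:0 frame:0
TX packets:2909234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xe400
eth1 Link encap:Ethernet HWaddr 00:10:5A:AB:02:CF
RX packets:681387 errors:12 dropped:0 overruns:0 frame:12
TX packets:1580027 errors:0 dropped:0 overruns:0 carrier:0
collisions:196625 txqueuelen:100
Interrupt:11 Base address:0xec00
"""
COLLISION_WARN = 0.05  # assumed threshold: collisions per transmitted packet
FIELDS = (("rx_errors", r"RX packets:\d+ errors:(\d+)"), ("tx_packets", r"TX packets:(\d+)"),
          ("collisions", r"collisions:(\d+)"), ("irq", r"Interrupt:(\d+)"))

def parse_ifconfig(text):
    """Return {interface: {rx_errors, tx_packets, collisions, irq}} as integers."""
    stats, current = {}, None
    for line in text.splitlines():
        head = re.match(r"(\S+)\s+Link encap:", line)  # first line of an interface block
        if head:
            current = stats.setdefault(head.group(1), {})
        for key, pattern in FIELDS:
            m = re.search(pattern, line)
            if m and current is not None:
                current[key] = int(m.group(1))
    return stats

def findings(stats):
    """List receive errors, high collision ratios and interrupt lines used by several NICs."""
    out, by_irq = [], defaultdict(list)
    for name, s in stats.items():
        by_irq[s.get("irq")].append(name)
        if s.get("rx_errors"):
            out.append(f"{name}: {s['rx_errors']} RX errors")
        ratio = s.get("collisions", 0) / max(s.get("tx_packets", 0), 1)
        if ratio > COLLISION_WARN:
            out.append(f"{name}: collisions on {ratio:.1%} of TX packets")
    out += [f"IRQ {irq} shared by {', '.join(names)}"
            for irq, names in by_irq.items() if irq is not None and len(names) > 1]
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_ifconfig(IFCONFIG))))
```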