I just did a little more digging...it looks like the problem is restricted to one machine behind the firewall...an OS/2 system.
The Windows machiens seem to be able to download fine. The reason I didn't notice it, at first, was that I was trying to download ISO images, and the only system I have with a burner is my OS/2 machine. Figures... Well, I've been meaning to retire that machine...or, at least, that OS. On Tue, 13 Nov 2001, Mike Burger wrote: > I'll answer in-line, if that's ok. > > On Tue, 13 Nov 2001, Robert wrote: > > > Hi Mike, > > > > This particular question just begs for more info, because the underlying > > issue is one of performance vs setup of your firewall.. > > > > For example, how about FTP'ing from the firewall to an INTERNAL server? > > What's the speed of *that* transfer?? > > FTP transfers from the server/firewall to workstations inside the > firewall, over the 10BaseT network, run between 350 and 450K/s > > > What's the specs on the machine that you setup as the firewall? > > What kind of NIC's (type, speed, settings) are you using? > > Are you using NAT? > > PII 300, 256MB RAM, 6GB HD housing /boot and /, 30BG HD housing swap, > /home and /var (both drives EIDE). Both NICs in the firewall machine are > 3C905B cards. > > > What release of Seawolf are you using? Any upgrades or patches? > > Fully up2date'd Seawolf, with the SGI XFS kernels. I've tried a few > different kernel versions (2.4.3, 2.4.5, currently 2.4.9). > > > How about other types of transfers from the clients, such as HTTP > > downloads? Do they also fare as badly? > > Nope...http seems to run quite well. > > > While I agree with you, your setup should NOT be showing such a large > > discrepancy in download speeds (considering that you should be able to > > sustain well over 100kb/sec downloads with your setup, assuming you have > > a full T1 line available (theoretically, you should be able to hit a > > max of 192Kbytes/sec minus overhead and latency issues)), and 3Kb/sec > > is WAYYYY too slow. But I'd also suggest that your 40 - 80Kb/sec is > > also off by half at least... That indicates that either you're not > > hitting a fast server, or your firewall isn't up to the task of > > maintaining available wirespeed transfers... Probably due to setup > > issues (conflicts in HW setup, shared IRQ's on devices that don't share > > well, inadequate device capabilities (like ISA-based NIC's instead of > > PCI, etc). > > Well, the downloads, lately, have been ISO downloads from RedHat's site, > so the 40-80K/s, given that there is other traffic on the T1 in question, > probably isn't that bad. > > As to IRQ sharing, you could have a point. Both NICs seem to be sharing > IRQ 11, though they are both PCI cards: > > eth0 Link encap:Ethernet HWaddr 00:10:4B:2F:E6:51 > inet addr:216.140.122.113 Bcast:216.140.122.127 Mask:255.255.255.192 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:4029450 errors:0 dropped:0 overruns:0 frame:0 > TX packets:2909234 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > Interrupt:11 Base address:0xe400 > > eth1 Link encap:Ethernet HWaddr 00:10:5A:AB:02:CF > inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:681387 errors:12 dropped:0 overruns:0 frame:12 > TX packets:1580027 errors:0 dropped:0 overruns:0 carrier:0 > collisions:196625 txqueuelen:100 > Interrupt:11 Base address:0xec00 > > > Anyways, I'm off to work for the day, but if you'd post back some of the > > specifics of your installation, I'd be happy to give it a look-see and > > see if there's any glaring discrepancies with it... > > Other than that, if my IPTables setup might yield a clue, I'll be happy to > put that up, too. > > BTW, the following IPT modules are loaded (IPtables list from lsmod): > > ipt_MASQUERADE 2397 1 (autoclean) > iptable_nat 20648 1 (autoclean) [ip_nat_ftp ipt_MASQUERADE] > iptable_mangle 2766 0 (autoclean) (unused) > ipt_LOG 4292 3 (autoclean) > ipt_state 1569 3 (autoclean) > ip_conntrack 21154 3 (autoclean) [ip_nat_ftp ip_conntrack_ftp > ipt_MASQUERADE iptable_nat ipt_state] > ipt_limit 1998 4 (autoclean) > iptable_filter 2757 0 (autoclean) (unused) > ip_tables 13775 10 [ipt_REJECT ipt_MASQUERADE iptable_nat > iptable_mangle ipt_LOG ipt_state ipt_limit iptable_filter] > > Thanks. > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Burger > > Sent: November 13, 2001 8:49 AM > > To: [EMAIL PROTECTED] > > Subject: Slow FTP from behind Netfilter/IPTables firewall. > > > > > > My firewall is connected to a relatively low use T1 by way of 100MB > > switch. > > > > Performing FTP downloads, from a console session on the firewall/server, > > I routinely see speeds between 40 and 80 K/s. > > > > The systems behind the firewall, however, can't seem to get FTP > > downloads that go any faster than 3K/s. These systems are connected to > > the firewall by 10Meg hub, but that really shouldn't make a > > difference...especially not that much of a difference. > > > > Does anyone have any idea what might be causing such a massive speed > > discrepancy, and how I might fix it? > > > > If necessary, I can post my ruleset(s). > > > > Thanks. > > > > --Mike > > > > > > > > _______________________________________________ > > Seawolf-list mailing list > > [EMAIL PROTECTED] > > https://listman.redhat.com/mailman/listinfo/seawolf-list > > > > > > > > _______________________________________________ > > Seawolf-list mailing list > > [EMAIL PROTECTED] > > https://listman.redhat.com/mailman/listinfo/seawolf-list > > > > > > _______________________________________________ > Seawolf-list mailing list > [EMAIL PROTECTED] > https://listman.redhat.com/mailman/listinfo/seawolf-list > _______________________________________________ Seawolf-list mailing list [EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/seawolf-list
