> When I attempt to ftp our server (192.139.75.6) it was taking up to
> 30 sec to connect. (It should take 2 sec) I turned on logging and this is
> the output.
>
> Nov 27 22:12:12 firewall kernel: Packet log: remote DENY eth0 PROTO=6
> 192.139.75.6:1083 192.139.75.156:113 L=60 S=0x00 I=19689 F=0x4000 T=63 SYN
> (#10)
>
> I went to http://www.echogent.com/cgi-bin/fwlog.pl and this is what it told me.
>
> A TCP packet to this port (113) is associated with the ident service. If
> you're running this service on your firewall or on your LAN, with the
> intention of offering external access to it, then your firewall may be
> mis-configured. If you're *not* running this service, and have no idea what
> it is, it's likely someone trying to take advantage of your system in some
> manner. You may want to investigate 192.139.75.6 further and see if there's
> an Administrative Contact there whom you could email this packet log to.
>
> I am running Dachstein rc2 with Seawall 4.1. I have ftp_masq
> enabled. Anyone have any ideas as to what is happening here?
The ftp server is trying to talk to your ident server to find out (and log) who you are. Since the packets are being denied (dropped), the ftp server has to wait for the ident lookup to time out before it connects you.

Possible solutions include:

1. Turn off ident logging on the remote end. This form of logging is mainly a left-over from the early days of the arpanet, when everyone 'played by the rules', and is fairly useless today, as most anyone can spoof their ident replies.

2. Allow ident through your firewall, but don't run an ident service. This will send a TCP reset to the querying FTP server, rather than simply dropping the packets when the ident service is queried, speeding up your connect times.

3. Allow ident through your firewall, and run an ident service on your firewall, or port-forward ident queries to an internal system. This is really only required if you're using a service that *REQUIRES* you to reply to ident queries (some IRC servers behave this way). You should run one of the many available spoofing ident servers (which return the same pre-configured user data regardless of the query and current user), since most 'real' ident servers have easily exploitable vulnerabilities (typically DOS attacks).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
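The following is an added example, not code from the thread or from the LEAF/Dachstein project, that illustrates the reply above: a minimal "spoofing" ident (RFC 1413, TCP port 113) responder that returns the same pre-configured identity for every query, plus a client that behaves like the querying FTP server and distinguishes a fast TCP reset (firewall REJECT, or no service listening) from a dropped query that only ends on a timeout (firewall DENY). The fake user name "nobody", OS "UNIX", the 2 second client timeout and the loopback address are assumptions chosen for the example; a real deployment would listen on port 113 (which needs root) and be reachable from the firewall.

```python
import socket
import threading

# Pre-configured fake identity returned for every query (assumed values for this example).
SPOOF_OS = "UNIX"
SPOOF_USER = "nobody"


def parse_ident_request(line):
    """Parse an RFC 1413 query "<server-port> , <client-port>"; None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        sport, cport = (int(p.strip()) for p in parts)
    except ValueError:
        return None
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport


def ident_response(line, user=SPOOF_USER, os_name=SPOOF_OS):
    """Build the reply line. Every valid query gets the same USERID, never a real user."""
    ports = parse_ident_request(line)
    if ports is None:
        # Unparseable port pair: RFC 1413 INVALID-PORT error (port echo of "0 , 0" is our choice).
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = ports
    return f"{sport} , {cport} : USERID : {os_name} : {user}\r\n"


def serve_spoofed_ident(bind=("127.0.0.1", 0)):
    """Start the responder in a background thread; return (listening_port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(5)
    stop = threading.Event()

    def loop():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)  # a slow or silent querier must not hold the worker forever
                try:
                    line = conn.recv(1000).decode("ascii", "replace")  # one bounded line per query
                    conn.sendall(ident_response(line).encode("ascii"))
                except OSError:
                    pass
        srv.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()

    def stopper():
        stop.set()
        t.join()

    return srv.getsockname()[1], stopper


def query_ident(host, port, server_port, client_port, timeout=2.0):
    """Act as the querying FTP server. Returns ("ok", reply), ("refused", None) when a
    TCP RST comes back immediately (REJECT / nothing listening), or ("timeout", None)
    when the SYN is silently dropped (DENY) and the querier has to wait out its timer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            return ("ok", s.recv(1024).decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)


if __name__ == "__main__":
    port, stop = serve_spoofed_ident()
    print(query_ident("127.0.0.1", port, 21, 1083))  # the FTP server asks who owns port 1083
    stop()
```

Run stand-alone it starts the responder on an ephemeral loopback port and queries it once. In the thread's situation, the remote FTP server is the querier: with the firewall set to DENY it sits in the "timeout" branch for the full duration of its ident timer before letting the login proceed, whereas a REJECT rule or a listening spoofing responder returns it to the "refused" or "ok" branch within a round trip.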
