Hehehe.. Glad that you were able to track that one down Mike... And I'll second that motion on "retiring" that OS... If the base machine specs are up to it, maybe another Linux workstation is in the offing? Or it would be a good place to stick Samba 2.2.2a on, and make another server out of it? Or a testbed machine for VPN support via IPSEC? Or....... LoLL just kidding.. Go with whatever you need on that box, as I have no idea of the apps you're running on it...
Good luck !!!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Burger
Sent: November 13, 2001 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: Slow FTP from behind Netfilter/IPTables firewall.

I just did a little more digging...it looks like the problem is restricted to one machine behind the firewall...an OS/2 system. The Windows machines seem to be able to download fine.

The reason I didn't notice it, at first, was that I was trying to download ISO images, and the only system I have with a burner is my OS/2 machine.

Figures...

Well, I've been meaning to retire that machine...or, at least, that OS.

On Tue, 13 Nov 2001, Mike Burger wrote:

> I'll answer in-line, if that's ok.
>
> On Tue, 13 Nov 2001, Robert wrote:
>
> > Hi Mike,
> >
> > This particular question just begs for more info, because the
> > underlying issue is one of performance vs setup of your firewall..
> >
> > For example, how about FTP'ing from the firewall to an INTERNAL
> > server? What's the speed of *that* transfer??
>
> FTP transfers from the server/firewall to workstations inside the
> firewall, over the 10BaseT network, run between 350 and 450K/s
>
> > What's the specs on the machine that you setup as the firewall? What
> > kind of NIC's (type, speed, settings) are you using? Are you using
> > NAT?
>
> PII 300, 256MB RAM, 6GB HD housing /boot and /, 30GB HD housing swap,
> /home and /var (both drives EIDE). Both NICs in the firewall machine are
> 3C905B cards.
>
> > What release of Seawolf are you using? Any upgrades or patches?
>
> Fully up2date'd Seawolf, with the SGI XFS kernels. I've tried a few
> different kernel versions (2.4.3, 2.4.5, currently 2.4.9).
>
> > How about other types of transfers from the clients, such as HTTP
> > downloads? Do they also fare as badly?
>
> Nope...http seems to run quite well.
>
> > While I agree with you, your setup should NOT be showing such a
> > large discrepancy in download speeds (considering that you should be
> > able to sustain well over 100kb/sec downloads with your setup,
> > assuming you have a full T1 line available (theoretically, you
> > should be able to hit a max of 192Kbytes/sec minus overhead and
> > latency issues)), and 3Kb/sec is WAYYYY too slow. But I'd also
> > suggest that your 40 - 80Kb/sec is also off by half at least... That
> > indicates that either you're not hitting a fast server, or your
> > firewall isn't up to the task of maintaining available wirespeed
> > transfers... Probably due to setup issues (conflicts in HW setup,
> > shared IRQ's on devices that don't share well, inadequate device
> > capabilities (like ISA-based NIC's instead of PCI, etc).
>
> Well, the downloads, lately, have been ISO downloads from RedHat's site,
> so the 40-80K/s, given that there is other traffic on the T1 in question,
> probably isn't that bad.
>
> As to IRQ sharing, you could have a point.
> Both NICs seem to be sharing IRQ 11, though they are both PCI cards:
>
> eth0      Link encap:Ethernet  HWaddr 00:10:4B:2F:E6:51
>           inet addr:216.140.122.113  Bcast:216.140.122.127  Mask:255.255.255.192
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:4029450 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2909234 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:11 Base address:0xe400
>
> eth1      Link encap:Ethernet  HWaddr 00:10:5A:AB:02:CF
>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:681387 errors:12 dropped:0 overruns:0 frame:12
>           TX packets:1580027 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:196625 txqueuelen:100
>           Interrupt:11 Base address:0xec00
>
> > Anyways, I'm off to work for the day, but if you'd post back some of
> > the specifics of your installation, I'd be happy to give it a
> > look-see and see if there's any glaring discrepancies with it...
>
> Other than that, if my IPTables setup might yield a clue, I'll be happy to
> put that up, too.
>
> BTW, the following IPT modules are loaded (IPtables list from lsmod):
>
> ipt_MASQUERADE          2397   1  (autoclean)
> iptable_nat            20648   1  (autoclean) [ip_nat_ftp ipt_MASQUERADE]
> iptable_mangle          2766   0  (autoclean) (unused)
> ipt_LOG                 4292   3  (autoclean)
> ipt_state               1569   3  (autoclean)
> ip_conntrack           21154   3  (autoclean) [ip_nat_ftp ip_conntrack_ftp ipt_MASQUERADE iptable_nat ipt_state]
> ipt_limit               1998   4  (autoclean)
> iptable_filter          2757   0  (autoclean) (unused)
> ip_tables              13775  10  [ipt_REJECT ipt_MASQUERADE iptable_nat iptable_mangle ipt_LOG ipt_state ipt_limit iptable_filter]
>
> Thanks.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Burger
> > Sent: November 13, 2001 8:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: Slow FTP from behind Netfilter/IPTables firewall.
> >
> > My firewall is connected to a relatively low use T1 by way of 100MB
> > switch.
> >
> > Performing FTP downloads, from a console session on the
> > firewall/server, I routinely see speeds between 40 and 80 K/s.
> >
> > The systems behind the firewall, however, can't seem to get FTP
> > downloads that go any faster than 3K/s. These systems are connected
> > to the firewall by 10Meg hub, but that really shouldn't make a
> > difference...especially not that much of a difference.
> >
> > Does anyone have any idea what might be causing such a massive speed
> > discrepancy, and how I might fix it?
> >
> > If necessary, I can post my ruleset(s).
> >
> > Thanks.
> >
> > --Mike
> >
> > _______________________________________________
> > Seawolf-list mailing list
> > [EMAIL PROTECTED]
> > https://listman.redhat.com/mailman/listinfo/seawolf-list
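
The two things visible in the ifconfig output quoted in this thread (both NICs on Interrupt 11, and the error and collision counters on eth1) can be pulled out mechanically. The following is an added example, not part of the original messages; the function names and the 5% collision threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Counter lines from the ifconfig output quoted in the thread (address lines trimmed).
SAMPLE = """\
eth0  Link encap:Ethernet  HWaddr 00:10:4B:2F:E6:51
      RX packets:4029450 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2909234 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      Interrupt:11 Base address:0xe400

eth1  Link encap:Ethernet  HWaddr 00:10:5A:AB:02:CF
      RX packets:681387 errors:12 dropped:0 overruns:0 frame:12
      TX packets:1580027 errors:0 dropped:0 overruns:0 carrier:0
      collisions:196625 txqueuelen:100
      Interrupt:11 Base address:0xec00
"""

FIELDS = {
    "rx_packets": r"RX packets:(\d+)", "rx_errors": r"RX packets:\d+ errors:(\d+)",
    "tx_packets": r"TX packets:(\d+)", "collisions": r"collisions:(\d+)",
    "irq": r"Interrupt:(\d+)",
}

def parse_ifconfig(text):
    """Return {iface: {field: int}} from net-tools style ifconfig output."""
    stats = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        found = {k: re.search(p, block) for k, p in FIELDS.items()}
        if all(found.values()):  # skip blocks that lack any of the counters
            stats[block.split()[0]] = {k: int(m.group(1)) for k, m in found.items()}
    return stats

def report(text, collision_threshold_pct=5.0):  # threshold is an assumption
    """Summarise shared IRQs, collision percentage of TX packets, and RX errors."""
    stats = parse_ifconfig(text)
    by_irq = defaultdict(list)
    for name, s in stats.items():
        by_irq[s["irq"]].append(name)
    pct = {n: round(100.0 * s["collisions"] / s["tx_packets"], 1)
           for n, s in stats.items() if s["tx_packets"]}
    return {
        "shared_irqs": {irq: sorted(n) for irq, n in by_irq.items() if len(n) > 1},
        "high_collisions": {n: p for n, p in pct.items() if p > collision_threshold_pct},
        "rx_errors": {n: s["rx_errors"] for n, s in stats.items() if s["rx_errors"]},
    }

if __name__ == "__main__":
    print(report(SAMPLE))
```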