netfilter

Subject: Re: Weird connection problem - Netfilter?
From: Antony Stone
Date: Tue, 30 Apr 2002 21:12:54 +0100
On Tuesday 30 April 2002 8:58 pm, Andrew Greenburg wrote:

> Hi,
>
> I've been using an iptables-based firewall at the office for several
> months, and all of a sudden today I started having problems with opening
> network connections to UNIX hosts. The port opens, and then it sits there
> for about 60 seconds before it actually responds. After that, the
> connection works normally. My tcp/ip connections to NT-based servers work
> fine. There have been absolutely no changes to the configuration of the
> netfilter box.
>
> Any ideas?

Whenever I hear this sort of problem, I normally say "ident lookup".

I guess in your case (since you've had a working netfilter box for some 
months with no recent changes), the question has to be - are the Unix boxes 
ones which you've previously connected to without these delays, and have 
there been any changes to those servers? (Specifically, has anyone 
installed TCP-wrappers on them?)

To investigate the problem, it might be a good idea to put a logging rule on 
your firewall (in the INPUT chain if you're masquerading the clients behind 
the firewall's own IP address; in the FORWARD chain if you're not) to see if 
you're getting any packets destined for TCP port 113 - the ident daemon.

If you don't want to change the firewall, put a packet sniffer on the outside 
(ethereal would do nicely) and see if you're getting ident requests back from 
the servers with the delays.


Hope this helps,



Antony.
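As an added example (not part of Antony's reply), a small POSIX shell helper that builds the logging rule he describes for the right chain, and then summarises the resulting kernel log lines by source host. The log lines, the "masq"/"route" argument names and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Print an iptables LOG rule for inbound ident (TCP/113) requests.
# Chain follows the advice above: INPUT when clients are masqueraded behind
# the firewall's own address, FORWARD when they are routed through it.
# $1 is "masq" or "route" (names chosen for this script, not iptables options).
ident_log_rule() {
    case "$1" in
        masq)  chain=INPUT ;;
        route) chain=FORWARD ;;
        *) echo "usage: ident_log_rule masq|route" >&2; return 1 ;;
    esac
    # -I inserts at the top so an earlier DROP cannot hide the ident packets;
    # the limit match keeps a chatty server from flooding the kernel log.
    echo "iptables -I $chain -p tcp --dport 113 -m limit --limit 5/min" \
         "-j LOG --log-prefix \"IDENT: \""
}

# Constructed sample lines in the kernel's LOG match format (RFC 5737 addresses).
sample_ident_log() {
    cat <<'EOF'
Apr 30 21:05:12 fw kernel: IDENT: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=113 SYN URGP=0
Apr 30 21:05:13 fw kernel: IDENT: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=113 SYN URGP=0
Apr 30 21:05:40 fw kernel: IDENT: IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=113 SYN URGP=0
Apr 30 21:06:01 fw kernel: OTHER: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=22 SYN URGP=0
EOF
}

# Summarise which servers are sending ident requests: "count source" per host,
# busiest first. $1 is the log file (e.g. /var/log/kern.log or dmesg output).
ident_log_sources() {
    sed -n 's/.*IDENT: .*SRC=\([^ ]*\) .*DPT=113 .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# "sh script.sh apply masq" installs the rule (needs root); otherwise only print it.
if [ "${1:-}" = "apply" ]; then
    ident_log_rule "$2" | sh
else
    ident_log_rule "${1:-masq}"
fi
```

The hosts that show up in the summary are the ones whose ident requests are being silently dropped and timing out; those are the servers to check for TCP-wrappers or an ident-enabled daemon.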

