Date: Thu, 15 Feb 2018 09:36:52 +0200
From: wishmaster <artemrts@ukr.net>
To: Julian Elischer <julian@freebsd.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re[2]: IPFW and FTP client behind NAT
Message-ID: <1518679891.865683219.ckkl4k30@frv52.fwdcdn.com>
In-Reply-To: <b21ac1bd-a84d-0bb7-8db5-c170fc45e3aa@freebsd.org>
References: <1518588674.863238377.1k6sp25r@frv52.fwdcdn.com> <b21ac1bd-a84d-0bb7-8db5-c170fc45e3aa@freebsd.org>
--- Original message ---
From: "Julian Elischer" <julian@freebsd.org>
Date: 15 February 2018, 07:51:34

> On 14/2/18 2:35 pm, wishmaster wrote:
> > Hi, colleagues.
> >
> > I have the main server/router and a Samba server behind it. This Samba server sends some data via FTP every night to another server on the Internet.
> > The first remote server is under my power and uses about the same configuration as the main one plus an FTPD (port 2112) daemon.
> > The second remote server is not in my power; we use it as backup storage and as far as I know the OS is f...ing Linux.
> >
> > When I connect to the first server and transmit a very big file with transmission duration > 300 sec, the control channel (port pair 36313 <-> 2112) is always "recreated" when the expiration timer reaches zero.
> >
> > root@xxx: ipfw -d show|grep '111.222.230.62'
> > 15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
> > 15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts
> >
> > The issue is with the second remote server. When I transmit a very big file, the control channel is not "recreated", and transmitting this file and all the next ones always fails.
> >
> > root@xxx: ipfw -d show|grep '111.222.0.7'
> > 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> > 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
> >
> > root@xxx: ipfw -d show|grep '111.222.0.7'
> > 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> >
> > The main server/router uses IPFW and in most places dynamic rules. As a workaround I have added one rule on the external interface:
> >
> > $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
> >
> > But I want to find the problem.
> >
> > Thanks,
> > Vitaly
>
> can you check the values of the keep-alive timers on all 3 systems?
> And possibly the firewall on system3 may block keepalive packets..

I think so as well. Unfortunately this host is not mine.

> [jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.always_keepalive
> net.inet.tcp.always_keepalive: 1
>
> [jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.keepidle
> net.inet.tcp.keepidle: 7200000
>
> that's 2 hours for example.
>
> setting it to less than 300000 should make your control session include keepalive packets

net.inet.tcp.keepidle=299999 doesn't help

In any case, thanks for your attention.

--
Vitaly
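The thread's diagnosis rests on reading `ipfw -d show` and comparing the idle control channel's remaining lifetime against the still-refreshed data channel. As an added example (not code from the thread or from FreeBSD), here is a small parser for those dynamic-state lines plus two checks: which control-channel states (ports 21 and 2112 assumed, as in the thread) are about to expire while a data transfer to the same peer is still alive, and whether a given `net.inet.tcp.keepidle` value would send the first keepalive probe before the dynamic state's lifetime runs out (the 300 s lifetime seen in the thread is assumed; the sample lines are constructed from the ones quoted above).

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the `ipfw -d show` lines quoted in the thread.
SAMPLE = """\
03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts
"""

# rule pkts bytes (lifetime s) STATE proto src sport <-> dst dport
LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+\((\d+)s\)\s+STATE\s+(\S+)\s+"
                  r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)")

@dataclass
class DynState:
    rule: int
    pkts: int
    bytes: int
    ttl: int      # seconds left before ipfw drops the dynamic state
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_dyn_states(text):
    """Parse `ipfw -d show` output; lines that are not dynamic states are skipped."""
    states = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            states.append(DynState(int(m[1]), int(m[2]), int(m[3]), int(m[4]), m[5],
                                   m[6], int(m[7]), m[8], int(m[9])))
    return states

def control_states_at_risk(states, ctl_ports=(21, 2112), warn_below=60):
    """Control-channel states with less than warn_below seconds left while a
    longer-lived state to the same peer (the data transfer) is still refreshed."""
    at_risk = []
    for s in states:
        if s.dport not in ctl_ports or s.ttl >= warn_below:
            continue
        if any(o is not s and o.src == s.src and o.dst == s.dst and o.ttl > s.ttl
               for o in states):
            at_risk.append(s)
    return at_risk

def first_probe_before_expiry(keepidle_ms, dyn_lifetime_s=300, margin_s=30):
    """True if the first TCP keepalive probe (sent after keepidle) would refresh the
    state at least margin_s seconds before the dynamic-state lifetime runs out."""
    return keepidle_ms / 1000 <= dyn_lifetime_s - margin_s
```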