Date: Thu, 15 Feb 2018 13:07:50 +0300 From: "Andrey V. Elsukov" <bu7cher@yandex.ru> To: wishmaster <artemrts@ukr.net>, freebsd-ipfw@freebsd.org Subject: Re: IPFW and FTP client behind NAT Message-ID: <5a3df88d-0a08-08df-2851-38bf54940834@yandex.ru> In-Reply-To: <1518588674.863238377.1k6sp25r@frv52.fwdcdn.com> References: <1518588674.863238377.1k6sp25r@frv52.fwdcdn.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --A8fu1TzL0vOwLyE1Px5WFQWv0JabUKmh8 Content-Type: multipart/mixed; boundary="Y3ty6SCdWz0WbIM5tKTn3EObnan29Tsxn"; protected-headers="v1" From: "Andrey V. Elsukov" <bu7cher@yandex.ru> To: wishmaster <artemrts@ukr.net>, freebsd-ipfw@freebsd.org Message-ID: <5a3df88d-0a08-08df-2851-38bf54940834@yandex.ru> Subject: Re: IPFW and FTP client behind NAT References: <1518588674.863238377.1k6sp25r@frv52.fwdcdn.com> In-Reply-To: <1518588674.863238377.1k6sp25r@frv52.fwdcdn.com> --Y3ty6SCdWz0WbIM5tKTn3EObnan29Tsxn Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 14.02.2018 09:35, wishmaster wrote: > The issue is with the second remote server. When I transmit a very big = file, the control channel does not "recreated" and transmitting this file= and all the next is always fails. >=20 > root@xxx: ipfw -d show|grep '111.222.0.7' > 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111= =2E222.0.7 44678 :nts > 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.2= 22.0.7 21 :nts >=20 > root@xxx: ipfw -d show|grep '111.222.0.7' > 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111= =2E222.0.7 44678 :nts >=20 > The main server/router uses IPFW and in most places dynamic rules. Is w= orkaround I have added one rule on external interface: >=20 > $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issu= e >=20 > But I want find the problem. ipfw starts send keep-alive TCP segments when dynamic state's lifetime is below than 20 seconds. If foreign host replies to keep-alive segment, the state's lifetime will be bumped up to 300 seconds (by default). Otherwise the state will be expired. In your case I guess the foreign host doesn't reply to keep-alive segments, probably due to it has lower value of state's lifetime. And when your host starts sending keep-alive requests, the foreign host has already dropped this state. You can try to decrease net.inet.ip.fw.dyn_ack_lifetime value and determine the value that will be enough for this host. For example, set it to 250, 200, 150, 100. --=20 WBR, Andrey V. Elsukov --Y3ty6SCdWz0WbIM5tKTn3EObnan29Tsxn-- --A8fu1TzL0vOwLyE1Px5WFQWv0JabUKmh8 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAlqFW/YACgkQAcXqBBDI oXoviwf+Pcu5BicozqY46FMqv3mx2zbmasVzef1L20ERy1kqg+b2D3JNbO3dgWjk R2XvxMJg2PkXIVM60Ul+ykbGh5XQbEvRP9ef7B/RRQ31WbKkrdR0N9ZpKyX7kYCq u8x6YKA1XJEYB6BACvaNuAsH0ejdeml+qJpedUjkPBYa9znigBF7KQ06fPSTpls2 QFDibxGjtPr1f7nYylb08HGj5fFLPcnftREuWrktsSyZwNPXs0kacpx7jl//WNUF Y3ORoPB+aS68pa3CRfkZ8VoHWmTK3lQ+3aGt2TPDp3hq4F/8SR0PC/pzfWw1v0Pu MEo4pXXb8t4mGrUwukS1wxpeP86uTQ== =A7WG -----END PGP SIGNATURE----- --A8fu1TzL0vOwLyE1Px5WFQWv0JabUKmh8--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5a3df88d-0a08-08df-2851-38bf54940834>