Re: ipchains latency
10-30 seconds for telnet? Even on a 386/33 this is just way too much delay to be
accounting for in packet filtering rules. I would suspect something else, like ident
checking which is waiting to time out and reverse-dns lookups timing out. Often these
two things are used to gather info to log about who's getting into your machine. If
they aren't there it can take a while for the lookup to time out. Check into that.
Chris Brown wrote:
> Hello,
>
> Our company LAN is divided into two segments, and I have
> just finished implementing firewalling rules for the router in between
> them, to protect the inner network from the outside world. After
> meticulously designing and installing my ipchains rules, I was
> dismayed by the performance hit they incurred. Before installing
> the firewalling rules, connection latency between the networks was
> normally below ~50ms. telnet, ftp, and other logins took less than
> a second to return a login prompt. Now, after installing the rules, a
> connection across the firewall takes at least 10sec, occasionally
> taking over 30sec. Once the login is successful, latency isn't too
> bad, but still noticeably worse - well over 200-300ms - when in a
> telnet session. The router is a 386/33 with 16MB of RAM and two
> ISA Ethernet cards. Is this an underpowered machine for
> firewalling? I shouldn't think this is the problem... Are there any
> errors that add to connection latency that I should be looking for in
> the firewalling rules?
>
> Thanks,
> Chris Brown
> cbrown@seitz.com
> Seitz Technical Products Inc.
>
> *********************************************************************
> Chris Brown cbrown@seitz.com !!! HELP FIGHT SPAM !!!
>
> Join; www.cauce.org See; spam.abuse.net, spamsucks.com, www.cm.org
> ****************************************************************
>
>
> --
> Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
--
Jens B. Jorgensen
jens.jorgensen@cmgisolutions.com
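
One way to check a rule set for the cause suggested in the reply above; this is an added example, not part of the original messages. It assumes the timeouts come from rules that use the ipchains DENY target (a silent drop, unlike REJECT) on ident (TCP 113) or DNS (port 53) traffic; `find_silent_drops` is a hypothetical helper and the sample rules are constructed.

```python
import shlex

# Lookups a login daemon may wait on: losing them silently means a timeout.
WATCHED = {113: "ident", 53: "dns"}
NAMES = {"auth": 113, "domain": 53}  # service names usable in place of numbers

def _num(p, default):
    if not p:
        return default
    return NAMES[p] if p in NAMES else int(p)

def _ports(tokens, flag):
    """Return (lo, hi) for the port given after '<flag> <address>', else None."""
    if flag not in tokens:
        return None
    i = tokens.index(flag) + 2  # skip the flag and its address
    if i >= len(tokens) or tokens[i].startswith("-"):
        return None
    lo, sep, hi = tokens[i].partition(":")
    try:
        lo_n = _num(lo, 0)
        return (lo_n, _num(hi, 65535) if sep else lo_n)
    except ValueError:  # negation ('!') or unknown service name: not analysed
        return None

def find_silent_drops(rules_text):
    """List (line, service, flag) for DENY rules that cover ident or DNS ports."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        if "-j" not in tok or tok[tok.index("-j") + 1:][:1] != ["DENY"]:
            continue  # ACCEPT and REJECT both answer at once, so no timeout
        proto = tok[tok.index("-p") + 1].lower() if "-p" in tok[:-1] else "all"
        for flag in ("-s", "-d"):
            rng = _ports(tok, flag)
            for port, svc in WATCHED.items():
                proto_ok = proto == "tcp" or (port == 53 and proto == "udp")
                if rng and rng[0] <= port <= rng[1] and proto_ok:
                    findings.append((n, svc, flag))
    return findings

# Constructed sample rule set (addresses are placeholders).
SAMPLE_RULES = """\
ipchains -A input -p tcp -y -s 0/0 -d 192.168.1.0/24 113 -j DENY
ipchains -A input -p udp -s 0/0 53 -d 192.168.1.0/24 1024:65535 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.1.0/24 113 -j REJECT
ipchains -A input -p tcp -s 0/0 -d 192.168.1.0/24 23 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d 0/0 1:1023 -j DENY
"""

if __name__ == "__main__":
    for n, svc, flag in find_silent_drops(SAMPLE_RULES):
        print(f"line {n}: DENY covers {svc} ({flag} port); lookup will time out")
```

A flagged ident rule can usually be switched to REJECT so the querying server gets an immediate refusal; flagged DNS rules need an ACCEPT for the resolver's traffic instead.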