IPFW and FTP client behind NAT

Andrey V. Elsukov bu7cher at yandex.ru
Thu Feb 15 10:08:54 UTC 2018


On 14.02.2018 09:35, wishmaster wrote:
> The issue is with the second remote server. When I transmit a very big file, the control channel is not "recreated", and transmitting this file and all the following ones always fails.
> 
> root at xxx: ipfw -d show|grep '111.222.0.7'
> 03200  2985778  2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 03200       59        4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
> 
> root at xxx: ipfw -d show|grep '111.222.0.7'
> 03200  3137837  2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 
> The main server/router uses IPFW and dynamic rules in most places. As a workaround I have added one rule on the external interface:
> 
> $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
> 
> But I want to find the problem.

ipfw starts sending keep-alive TCP segments when the dynamic state's
lifetime drops below 20 seconds. If the foreign host replies to the
keep-alive segment, the state's lifetime is bumped up to 300 seconds
(by default). Otherwise the state expires.

In your case I guess the foreign host doesn't reply to the keep-alive
segments, probably because it has a lower value for the state's
lifetime. By the time your host starts sending keep-alive requests,
the foreign host has already dropped this state.

You can try to decrease the net.inet.ip.fw.dyn_ack_lifetime value and
determine a value that is low enough for this host. For example, set
it to 250, 200, 150, 100.

-- 
WBR, Andrey V. Elsukov
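The following is an added example, not part of the thread and not ipfw source: a simplified Python model of the timing race described in the reply above. It takes the two numbers the reply gives (keep-alives start when less than 20 s of lifetime remain; a refreshed state gets 300 s, the net.inet.ip.fw.dyn_ack_lifetime default) and walks an idle FTP control channel second by second while a long data transfer runs. The foreign host's idle timeout (240 s in the constructed scenario), the assumption that a keep-alive and its reply refresh the far side's state like ordinary traffic, and the omission of ipfw's keep-alive retry period are all simplifications introduced here, not facts from the message.

```python
"""Simplified timing model of ipfw dynamic-state keep-alives as described
in the reply above.  Added example, not ipfw code; assumptions are marked."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the reply: keep-alives start when fewer than 20 s of
# lifetime remain; a refreshed state gets 300 s by default.
KEEPALIVE_THRESHOLD = 20
DEFAULT_ACK_LIFETIME = 300          # net.inet.ip.fw.dyn_ack_lifetime default

# Candidate values the reply suggests trying, in that order.
SUGGESTED_LIFETIMES = (300, 250, 200, 150, 100)


@dataclass
class DynState:
    """One side's dynamic state for the idle FTP control connection."""
    lifetime: int                   # seconds granted on every refresh
    expires_at: int = 0

    def refresh(self, now: int) -> None:
        self.expires_at = now + self.lifetime

    def alive(self, now: int) -> bool:
        return now < self.expires_at


def simulate_idle_control_channel(local_lifetime: int, remote_lifetime: int,
                                  idle_seconds: int,
                                  threshold: int = KEEPALIVE_THRESHOLD
                                  ) -> Tuple[bool, List[Tuple[int, str]]]:
    """Walk an idle control channel second by second.

    local_lifetime  : our net.inet.ip.fw.dyn_ack_lifetime
    remote_lifetime : ASSUMED idle timeout of the foreign host's stateful
                      firewall (the reply only says it is lower than ours)
    idle_seconds    : how long the data transfer keeps port 21 idle
    Returns (state survived, event log of (second, description)).
    """
    local = DynState(local_lifetime)
    remote = DynState(remote_lifetime)
    local.refresh(0)
    remote.refresh(0)               # last real control-channel packet at t=0
    events: List[Tuple[int, str]] = []
    for now in range(1, idle_seconds + 1):
        if not local.alive(now):
            events.append((now, "local state expired"))
            return False, events
        if local.expires_at - now < threshold:
            # ipfw emits a keep-alive segment; it only helps if the far end
            # still holds state for this connection.
            if not remote.alive(now):
                events.append((now, "keep-alive sent, remote state already dropped"))
                return False, events
            # ASSUMPTION: the keep-alive and its reply pass the remote
            # firewall and refresh its state as ordinary traffic would.
            remote.refresh(now)
            local.refresh(now)
            events.append((now, "keep-alive answered, both states refreshed"))
    return True, events


def find_working_lifetime(remote_lifetime: int, idle_seconds: int = 3600,
                          candidates=SUGGESTED_LIFETIMES) -> Optional[int]:
    """First suggested dyn_ack_lifetime value that keeps the state alive."""
    for lifetime in candidates:
        survived, _ = simulate_idle_control_channel(lifetime, remote_lifetime,
                                                    idle_seconds)
        if survived:
            return lifetime
    return None


if __name__ == "__main__":
    # Constructed scenario: remote firewall drops idle TCP state after 240 s
    # and the transfer keeps the control channel idle for 30 minutes.
    for lt in (DEFAULT_ACK_LIFETIME, 250):
        ok, log = simulate_idle_control_channel(lt, 240, 1800)
        print(f"dyn_ack_lifetime={lt}: {'survives' if ok else 'breaks'} -> {log[0]}")
    print("first working value:", find_working_lifetime(240))
```

With the default 300 s the first keep-alive goes out at second 281, 41 s after the modelled remote side has already forgotten the connection, which is the race the reply describes; with 250 s the first keep-alive lands at second 231, is answered, and both sides refresh from then on. On the router itself the value is changed with sysctl(8) (`sysctl net.inet.ip.fw.dyn_ack_lifetime=250`) and the remaining lifetime is the parenthesised seconds value in the `ipfw -d show` output quoted above, so the 6 s left on the port-21 state next to 300 s on the data state is exactly what this model predicts just before the control-channel state is lost.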
