Subject: Re: IPFW and FTP client behind NAT
From: Julian Elischer <julian@freebsd.org>
To: wishmaster, freebsd-ipfw@freebsd.org
Date: Thu, 15 Feb 2018 13:51:07 +0800
In-Reply-To: <1518588674.863238377.1k6sp25r@frv52.fwdcdn.com>
List-Id: IPFW Technical Discussions

On 14/2/18 2:35 pm, wishmaster wrote:
> Hi, colleagues.
>
> I have the main server/router and a Samba server behind it. This Samba server sends some data via FTP every night to another server on the Internet.
> The first remote server is under my power and uses about the same configuration as the main one, plus an FTPD (port 2112) daemon.
> The second remote server is not in my power; we use it as backup storage and, as far as I know, the OS is f...ing Linux.
>
> When I connect to the first server and transmit a very big file with a transmission duration > 300 sec, the control channel (port pair 36313 <-> 2112) is always "recreated" when the expiration timer reaches zero.
>
> root@xxx: ipfw -d show|grep '111.222.230.62'
> 15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
> 15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts
>
> The issue is with the second remote server. When I transmit a very big file, the control channel is not "recreated", and transmitting this file and all the next ones always fails.
>
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
>
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
>
> The main server/router uses IPFW and, in most places, dynamic rules. As a workaround I have added one rule on the external interface:
>
> $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
>
> But I want to find the problem.
>
> Thanks,
> Vitaly

Can you check the values of the keep-alive timers on all 3 systems? And possibly the firewall on system 3 may block keepalive packets.
[jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.always_keepalive
net.inet.tcp.always_keepalive: 1
[jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.keepidle
net.inet.tcp.keepidle: 7200000

That's 2 hours, for example. Setting it to less than 300000 should make your control session include keepalive packets.

Also look at your ipfw table and see if this can help you:

     Dynamic rules expire after some time, which depends on the status of the
     flow and the setting of some sysctl variables.  See Section SYSCTL
     VARIABLES for more details.  For TCP sessions, dynamic rules can be
     instructed to periodically send keepalive packets to refresh the state of
     the rule when it is about to expire.

     See Section EXAMPLES for more examples on how to use dynamic rules.
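An added check in the spirit of the advice above (example code, not from this thread or from FreeBSD): it compares the host TCP keepalive idle time against the ipfw dynamic-rule lifetime, and lists dynamic states in `ipfw -d show` output that are close to expiry. The sysctl names are real FreeBSD sysctls; the values and the `ipfw -d show` lines used here are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). On FreeBSD the real inputs would come from:
#   sysctl -n net.inet.tcp.keepidle            (milliseconds, default 7200000)
#   sysctl -n net.inet.ip.fw.dyn_ack_lifetime  (seconds, default 300)
#   ipfw -d show
# The values and sample lines below are constructed so the script runs offline.

# keepalive_ok KEEPIDLE_MS DYN_ACK_LIFETIME_S
# Prints "ok" when a host TCP keepalive is sent before the idle control
# channel's dynamic rule can expire, "too-long" otherwise.
keepalive_ok() {
    keepidle_ms=$1
    lifetime_s=$2
    if [ "$keepidle_ms" -lt $((lifetime_s * 1000)) ]; then
        echo ok
    else
        echo too-long
    fi
}

# expiring_states THRESHOLD_S
# Reads `ipfw -d show` lines on stdin and prints the dynamic states whose
# remaining lifetime (the "(29s)" field) is at or below THRESHOLD_S seconds.
expiring_states() {
    awk -v thr="$1" '
        /STATE/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^\([0-9]+s\)$/) {
                secs = substr($i, 2, length($i) - 3) + 0
                if (secs <= thr) print $0
            }
        }'
}

# Constructed sample, modelled on the output quoted in the thread.
SAMPLE='03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts'

keepalive_ok 7200000 300   # default 2 h keepidle vs 300 s rule lifetime -> too-long
keepalive_ok 240000 300    # 4 min keepidle -> ok
printf '%s\n' "$SAMPLE" | expiring_states 30   # prints only the 6s control-channel state
```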