From owner-freebsd-ipfw@freebsd.org Thu Feb 15 07:59:18 2018
From: wishmaster
Subject: Re[2]: IPFW and FTP client behind NAT
To: Julian Elischer
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 15 Feb 2018 09:36:52 +0200
Message-Id: <1518679891.865683219.ckkl4k30@frv52.fwdcdn.com>
In-Reply-To:
References: <1518588674.863238377.1k6sp25r@frv52.fwdcdn.com>
List-Id: IPFW Technical Discussions

--- Original message ---
From: "Julian Elischer"
Date: 15 February 2018, 07:51:34

> On 14/2/18 2:35 pm, wishmaster wrote:
> > Hi, colleagues.
> >
> > I have the main server/router and a Samba server behind it. Every night this Samba server sends some data via FTP to another server on the Internet.
> > The first remote server is under my control and uses about the same configuration as the main one, plus an FTPD daemon (port 2112).
> > The second remote server is not under my control; we use it as backup storage, and as far as I know the OS is f...ing Linux.
> >
> > When I connect to the first server and transmit a very big file with a transmission duration > 300 sec, the control channel (port pair 36313 <-> 2112) is always "recreated" when the expiration timer reaches zero.
> >
> > root@xxx: ipfw -d show|grep '111.222.230.62'
> > 15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
> > 15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts
> >
> > The issue is with the second remote server. When I transmit a very big file, the control channel is not "recreated", and transmitting this file and all the next ones always fails.
> >
> > root@xxx: ipfw -d show|grep '111.222.0.7'
> > 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> > 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
> >
> > root@xxx: ipfw -d show|grep '111.222.0.7'
> > 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> >
> > The main server/router uses IPFW, and in most places dynamic rules. As a workaround I have added one rule on the external interface:
> >
> > $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
> >
> > But I want to find the problem.
> >
> > Thanks,
> > Vitaly
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> >
>
> can you check the values of the keep-alive timers on all 3 systems?
> And possibly the firewall on system3 may block keepalive packets..

I think so as well. Unfortunately this host is not mine.

> [jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.always_keepalive
> net.inet.tcp.always_keepalive: 1
>
> [jelischer@bob ~/p4/private/inverness-integ1]$ sysctl net.inet.tcp.keepidle
> net.inet.tcp.keepidle: 7200000
>
> that's 2 hours for example.
>
> setting it to less than 300000 should make your control session
> include keepalive packets

net.inet.tcp.keepidle=299999 doesn't help

In any case, thanks for your attention.

--
Vitaly
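Added example (editor's code, not part of the thread or of FreeBSD): the pattern Vitaly is chasing is visible in the `ipfw -d show` output he quotes, where the data connection sits at its full 300s lifetime (the default `net.inet.ip.fw.dyn_ack_lifetime` for established TCP dynamic rules) while the idle control channel counts down towards expiry. The script below parses dynamic-rule lines in that format and flags, per host pair, an FTP control connection whose remaining lifetime is below a threshold while a data connection between the same hosts is still open. The control ports (21 and 2112) come from the thread; the 30-second threshold and the sample input, reconstructed from the four lines quoted above, are assumptions made for this example. Feed it `ipfw -d show` output on the router to watch a transfer approach the point where the control channel is dropped.

```python
"""Flag FTP control channels about to fall out of ipfw's dynamic-rule table.

Parses dynamic-rule lines in the format printed by `ipfw -d show` and reports,
per (src, dst) host pair, a TCP control connection whose remaining lifetime is
below a threshold while a data connection on the same pair is still open.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the four dynamic-rule lines quoted in the thread.
SAMPLE_IPFW_D_SHOW = """\
15150 69 5255 (29s) STATE tcp 111.222.230.62 36313 <-> 111.222.13.195 2112 :nts
15150 320423 321696704 (300s) STATE tcp 111.222.230.62 60759 <-> 111.222.13.195 49758 :nts
03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
"""

# rule pkts bytes (lifetime) STATE proto src sport <-> dst dport ...
DYN_LINE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)


@dataclass(frozen=True)
class DynState:
    rule: int
    pkts: int
    bytes: int
    ttl: int  # seconds until ipfw drops this dynamic rule
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_dyn_states(text: str) -> List[DynState]:
    """Return every dynamic-rule line in `text`; lines that do not match are skipped."""
    states: List[DynState] = []
    for line in text.splitlines():
        m = DYN_LINE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        states.append(DynState(int(g["rule"]), int(g["pkts"]), int(g["bytes"]), int(g["ttl"]),
                              g["proto"], g["src"], int(g["sport"]), g["dst"], int(g["dport"])))
    return states


def expiring_control_channels(states: List[DynState], control_ports=(21, 2112),
                              threshold: int = 30) -> List[Tuple[DynState, DynState]]:
    """Pair each TCP control channel (dport in control_ports) with the data
    connections between the same two hosts and return (control, data) pairs where
    the control channel has fewer than `threshold` seconds left while a data
    connection is still open. Thresholds/ports are this example's assumptions."""
    by_pair: Dict[Tuple[str, str], List[DynState]] = {}
    for s in states:
        if s.proto == "tcp":
            by_pair.setdefault((s.src, s.dst), []).append(s)
    flagged: List[Tuple[DynState, DynState]] = []
    for conns in by_pair.values():
        controls = [c for c in conns if c.dport in control_ports]
        data = [c for c in conns if c.dport not in control_ports]
        for c in controls:
            if c.ttl < threshold and data:
                # report the data connection with the most lifetime left (the active one)
                flagged.append((c, max(data, key=lambda d: d.ttl)))
    return flagged


if __name__ == "__main__":
    for ctl, dat in expiring_control_channels(parse_dyn_states(SAMPLE_IPFW_D_SHOW)):
        print(f"control {ctl.src}:{ctl.sport} -> {ctl.dst}:{ctl.dport} expires in {ctl.ttl}s "
              f"while data {dat.sport} <-> {dat.dport} has {dat.ttl}s left ({dat.bytes} bytes)")
```

On the sample both host pairs are flagged: the 2112 control channel with 29s left and the port-21 channel with 6s left, each beside a data connection sitting at 300s. A real run would read `ipfw -d show` output piped in instead of the constructed sample; when a control channel is reported here with an idle data connection having already disappeared, that is the state in which the next transfer fails.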