ftp login slow to systems in DMZ

SOLVED
Bernie Vande Griend
Respected Contributor

ftp login slow to systems in DMZ

I have 2 Redhat 7.2 systems in a Firewall DMZ that, if I ftp to them from anywhere outside that DMZ, the ftp login takes around 30 seconds to come up. Ftp between the 2 systems does not have this delay.
The obvious response is, Bernie you dodo head, it's a reverse DNS lookup issue. If it is, though, it is a very weird one. Telnet to these 2 systems does not produce the delay. I have verified that it can nslookup my IP address from where I'm coming from. I also have a HP-UX system and a Redhat 6.2 system with the same resolv.conf information and they do not have this delay either.
Has anyone seen this on Redhat 7.1 & greater systems where there is a delay with ftp login but not telnet? I've messed with the wu-ftpd xinetd settings but nothing I've tried made a difference. Any ideas are appreciated.
Ye who thinks he has a lot to say, probably shouldn't.
5 REPLIES
John Poff
Honored Contributor

Re: ftp login slow to systems in DMZ

Hi,

I set up a RedHat 7.2 box as an ftp server in our DMZ recently, and I had the same problem. It turned out that our network guy had given me the wrong gateway IP address to use. The IP address he first gave me would work, but it was slow, just like you described. Once I got my default gateway set to the right IP it worked great.

JP
Tim Clarke
Advisor
Solution

Re: ftp login slow to systems in DMZ

We had the same thing - it was port 113/TCP (ident) queries from the ftp login attempt. The ftp daemon tries to ident for its log files. Allow them through the firewall and voila - instant response instead of timeout.
Paul R. Dittrich
Esteemed Contributor

Re: ftp login slow to systems in DMZ

You don't say what kind of firewall but I have seen this behavior with proxying firewalls. Some services are fine; some very slow due to differences in the proxy.
I'd look for ways to tweak performance for individual proxy services, otherwise consider changing ftp to a packet-filtering rule.

HTH,
Paul
Bernie Vande Griend
Respected Contributor

Re: ftp login slow to systems in DMZ

Thanks for the feedback guys. Our gateway, netmask, network, and broadcast addresses are fine. I've double checked them and they work fine for other systems and services.

We have a Checkpoint firewall, so it is not proxy-based.

I did not assign points to Tim yet, because I'm waiting for our firewall admin to make this change to try it out. This one seems to make sense. There should also be a way to disable this behavior with ftpd right? I thought that was the -I option, but it didn't seem to help.
I'll let everyone know if Tim's suggestion works.
Ye who thinks he has a lot to say, probably shouldn't.
Bernie Vande Griend
Respected Contributor

Re: ftp login slow to systems in DMZ

I fixed it. I'll give Tim the credit since he had the right problem in mind. It didn't work for us to make the change on the firewall though. Our firewall should have been letting identd out since the connections came from within the LAN and everything is then allowed.

However, I did some deeper research with wu-ftpd and found out how to disable identd. I later found this explanation from the wu-ftpd FAQ, which is basically what I did. Thanks again everyone.

From the wu-ftpd FAQ:
Issue: Logins to the ftp server take a long time, after that things run smooth

Possible causes: IDENT (RFC931) lookup is enabled in WU-FTPD. This has a timeout of 10 seconds. If the protocol (port 113) gets blocked by a firewall or suchlike, it will wait for timeout. If it is 30 seconds and you are using redhat 7.x with xinetd, disable AUTH in inetd as well. Change the entries in /etc/xinetd.d/ftp that read:

log_on_success += DURATION USERID
log_on_failure += USERID

Remove the 'USERID' from both. Any other time period: DNS is broken for the IP address the connection is coming from.
Ye who thinks he has a lot to say, probably shouldn't.
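As an added example (not code from the thread or from wu-ftpd), a small POSIX sh script that applies the FAQ's fix to an xinetd service file: it strips USERID from the log_on_success and log_on_failure attributes so xinetd stops issuing the port 113 ident query that stalls when a firewall drops it. The sample file contents and the temporary path are constructed for illustration; the real file on the systems in the thread is /etc/xinetd.d/ftp.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample config below is
# constructed to resemble a Red Hat 7.x wu-ftpd xinetd service file.

# Write a constructed copy of what /etc/xinetd.d/ftp might look like.
make_sample_ftp_config() {
    cat > "$1" <<'EOF'
service ftp
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
        disable                 = no
}
EOF
}

# Return 0 if the file still asks xinetd for USERID (ident) lookups.
has_userid_logging() {
    grep -Eq '^[[:space:]]*log_on_(success|failure).*USERID' "$1"
}

# Remove USERID from log_on_success / log_on_failure. If nothing is left
# after the '+=' the whole line is dropped, so the attribute falls back to
# the defaults section of xinetd.conf instead of leaving an empty value.
disable_userid_logging() {
    awk '
    /^[[:space:]]*log_on_(success|failure)[[:space:]]*\+?=/ {
        sub(/[[:space:]]*USERID/, "")      # drop the ident request
        if ($0 ~ /=[[:space:]]*$/) next    # no values left: drop the line
    }
    { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

After editing the real service file, xinetd must be told to reload its configuration (for example via its init script) before the change takes effect.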