Operating System - Tru64 Unix

Problem with firewalling

aladar
Occasional Contributor

Problem with firewalling

I want to place a Linux firewall in front of an AlphaServer DS-10. On the firewall runs Linux bridging with the bridge-nf code that makes iptables see bridged IP packets.
On a test server (P3 750MHz, Solaris 8) it works well. When I put the firewall in front of it, the FTP transfer speed is around 7800KB/s with or without the firewall. When I put the firewall in front of the AlphaServer DS-10 (Tru64 UNIX) the transfer rate is just around 10KB/s; without the firewall it is around 9500KB/s. When I put the firewall in front of my PC it works well with both servers. The DS10 server is in a different subnet than the machine I was trying to connect from; the test server was in the same subnet.
Can some network settings on the subnet where my server resides cause such a problem of decreasing transfer rate because of adding a bridging machine, even if it has no IP address of its own?
Or where else can the problem be? Thanks a lot for any advice,
S.
Ralf Puchner
Honored Contributor

Re: Problem with firewalling

Maybe it is time to create a tcpdump and tune the Tru64 system for its requirements in this configuration. Have a look at the best practices on www.tru64unix.compaq.com for some suggestions.
Help() { FirstReadManual(urgently); Go_to_it;; }
aladar
Occasional Contributor

Re: Problem with firewalling

Is it a question of tuning the Tru64 system, or can't it be a problem of network equipment, say some switch having problems with a new device being added to the network?
Al Licause
Trusted Contributor

Re: Problem with firewalling

Without a lot more detail, you'd probably want to start, as Ralf suggests, using tcpdump to see just what is traversing the wire. Look for retransmissions, dropped packets, duplicates, pauses, etc.

aladar
Occasional Contributor

Re: Problem with firewalling

OK, and an additional question: does there exist some free packet filtering software for Tru64 which I could use immediately?
Ralf Puchner
Honored Contributor

Re: Problem with firewalling

Try to use the onboard man pages. "apropos" is the key word on every Unix platform.

Using "apropos packet" you will find the information you need, e.g. packetfilter, screend etc.
Help() { FirstReadManual(urgently); Go_to_it;; }
aladar
Occasional Contributor

Re: Problem with firewalling

What about IPFilter v4.1, does anyone know it? I've read it was tested on Tru64 5.1a. Are there any known problems it can cause? Can I use it without worrying about unwanted impact on my running server?
Ralf Puchner
Honored Contributor

Re: Problem with firewalling

Have a look at the supported Internet Express kit containing different packages. Open source is not supported, so you are on your own, but the Internet Express kit contains supported versions.
Help() { FirstReadManual(urgently); Go_to_it;; }
Andreas Fassl
Frequent Advisor

Re: Problem with firewalling

Aladar,

what are the settings of your DS10 at the SRM console for the Ethernet port?
>>> show ew*
at the SRM console will give you the output.
I sometimes had problems with some combinations of Fast Ethernet and auto-negotiation of the DEC Tulip chips.

Could you please describe the complete setup:
- switch hardware
- subnets (probably private networks)
- a small diagram as PDF attachment

Another good tip was already mentioned: please try some snooping with tcpdump.

Regards

Andreas
Andreas Fassl
Frequent Advisor

Re: Problem with firewalling

Ok,

you asked how to install tcpdump on your Tru64 system.

In the newer releases it is already available; you only have to enable it.
Please read this completely and be sure that you know what you are doing; I'm not responsible for any mistakes or a non-functional system.

Step 1:
- Make a new kernel
# doconfig
Select step 4 (packetfilter)

Give it a name like tcpdump.
After compiling you'll find your brand new kernel at /sys/tcpdump/vmunix (if you have chosen the name tcpdump).

Step 2:
# cd /
# mv vmunix vmunix.old (save the old kernel)
# cp /sys/tcpdump/vmunix /vmunix

and
# reboot

Step 3:

- creating packet filter devices
# cd /dev
# ./MAKEDEV pfilt

....

and now enter a
# pfconfig +p +c tu0 (or, if different, the name of the network device you want to observe)


To learn more about tcpdump enter a
# man tcpdump

To observe the traffic to your destination host enter a
# tcpdump -s 300 -Nt host
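
Al's and Andreas's advice above comes down to reading the tcpdump output for retransmissions, duplicate ACKs and pauses. The script below is an added example, not code from this thread; it assumes the tcpdump 4.x line format with timestamps (the Tru64 tcpdump discussed here is older, and the -t in Andreas's command would suppress timestamps) and runs over a constructed sample capture of an FTP data connection.

```python
import re
from collections import Counter

# One timestamped tcpdump -nn line in the tcpdump 4.x "Flags [...]" style (an assumption:
# the thread's tcpdump is older, and the -t in its command would suppress the timestamps).
LINE = re.compile(
    r"^(?P<hh>\d+):(?P<mm>\d+):(?P<ss>[\d.]+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+):(?P<end>\d+))?"
    r"(?:, ack (?P<ack>\d+))?.*length (?P<len>\d+)"
)

def parse(line):
    """Fields of one line plus time in seconds since midnight, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = int(d["hh"]) * 3600 + int(d["mm"]) * 60 + float(d["ss"])
    d["len"] = int(d["len"])
    return d

def analyse(lines, pause_s=1.0):
    """Count retransmitted data segments, duplicate pure ACKs and silences longer than pause_s."""
    seen_data, acks, last = set(), Counter(), None
    stats = {"retransmissions": 0, "dup_acks": 0, "pauses": 0}
    for p in filter(None, map(parse, lines)):
        if last is not None and p["time"] - last > pause_s:
            stats["pauses"] += 1          # long silence: typically a retransmission timer firing
        last = p["time"]
        if p["len"] > 0 and p["seq"] is not None:
            key = (p["src"], p["dst"], p["seq"], p["end"])   # same byte range sent again
            stats["retransmissions"] += int(key in seen_data)
            seen_data.add(key)
        elif p["len"] == 0 and p["flags"] == "." and p["ack"] is not None:
            key = (p["src"], p["dst"], p["ack"])              # same ACK number, no new data
            acks[key] += 1
            stats["dup_acks"] += int(acks[key] > 1)
    return stats

# Constructed sample: FTP data from a server (.10, port 20) to a client (.50); one segment
# is lost, the client repeats its ACK, and the server retransmits after a 1.2 s timeout.
SAMPLE = """\
10:00:00.000100 IP 10.1.2.10.20 > 10.1.3.50.49152: Flags [.], seq 1:1461, ack 1, win 17520, length 1460
10:00:00.000300 IP 10.1.2.10.20 > 10.1.3.50.49152: Flags [.], seq 1461:2921, ack 1, win 17520, length 1460
10:00:00.000500 IP 10.1.3.50.49152 > 10.1.2.10.20: Flags [.], ack 1461, win 65535, length 0
10:00:00.000700 IP 10.1.3.50.49152 > 10.1.2.10.20: Flags [.], ack 1461, win 65535, length 0
10:00:01.200100 IP 10.1.2.10.20 > 10.1.3.50.49152: Flags [.], seq 1461:2921, ack 1, win 17520, length 1460
10:00:01.200400 IP 10.1.3.50.49152 > 10.1.2.10.20: Flags [.], ack 2921, win 65535, length 0
"""
```

Running analyse(SAMPLE.splitlines()) on the sample reports one retransmission, one duplicate ACK and one pause; on a real capture from the DS10 a steady stream of all three is what a duplex mismatch or a dropping bridge looks like.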

Joris Denayer
Respected Contributor

Re: Problem with firewalling

Hi Aladar,

I also think there is a duplex mismatch between the DS10 network interface and one of the other interfaces.
Both interfaces must have the same settings:
either both in auto-negotiate mode,
or both in 10(0)/half duplex,
or both in 10(0)/full duplex.
Any other combination will give bad performance and a lot of errors.
You cannot mix auto-negotiate ports with a fixed port. The auto-negotiation will detect the speed but will not detect the duplex mode, and as a consequence it will fall back to half-duplex.

BTW: it is not necessary to reboot your system.
You can also modify the port settings with the lan_config command. See its manpage.

Joris
To err is human, but to really foul things up requires a computer