Re: IPFilter 4.1.16

------=_Part_12517_27720855.1166570515539
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Installed the new 4.1.16 on Sol10/x64
- Compiles and installs great
- State problem gone!

However still experiencing unexplainable slows at the start of connections
which are being NAT'd by the firewall.

- FTP NAT (from internal segment) outbound works great,
- but every other kind of NAT seems unusually slow starting the connection.

Although I originally thought it was a Solaris tuning issue, I'm beginning
to think its more of a NAT problem.

To qualify, the same ipf.conf and ipnat.conf rules run fine on a
BSD/IPF 3.4firewall.
Also, packets from the Solaris firewall itself seem to have no delays. It
only seems to be packets being NAT'd by the Solaris firewall that are
slowed.

Snoop shows the packets leaving the firewall promptly, but it takes the
remote host about 2-3 seconds to respond with a prompt.

ie. The connection seems to open fine, but in the case of, for example HTTP,
SSH or telnet, things take 2-3 seconds before the connection is usable. eg.
The SSH daemon on the remote site doesn't seem to come-up until after 2-3
secs of the conn being established.

I've read and re-read the FAQ, particularly about the ident port stuff, but
I don't think that's applicable. I've also analyzed packets with snoop to
compare them to packets generated by a similar functioning IPF 3.4 BSD
firewall and it all looks the same.

Seems odd that FTP NAT is speedy but every other NAT takes a while.
Beginning to wonder if the regular NAT code has a problem that the FTP NAT
proxy gets around.

Anybody got any ideas?

------=_Part_12517_27720855.1166570515539
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Installed the new 4.1.16 on Sol10/x64<br>- Compiles and installs great<br>- State problem gone! <br><br>However still experiencing unexplainable slows at the start of connections which are being NAT'd by the firewall.<br>
<br>- FTP NAT (from internal segment) outbound works great, <br>- but every other kind of NAT seems unusually slow starting the connection.<br><br>Although I originally thought it was a Solaris tuning issue, I'm beginning to think its more of a NAT problem.
<br><br>To qualify, the same ipf.conf and ipnat.conf rules run fine on a BSD/IPF 3.4 firewall.<br>Also, packets from the Solaris firewall itself seem to have no delays. It only seems to be packets being NAT'd by the Solaris firewall that are slowed.
<br><br>Snoop shows the packets leaving the firewall promptly, but it takes the remote host about 2-3 seconds to respond with a prompt.<br><br>ie. The connection seems to open fine, but in the case of, for example HTTP, SSH or telnet, things take 2-3 seconds before the connection is usable. eg. The SSH daemon on the remote site doesn't seem to come-up until after 2-3 secs of the conn being established.
<br><br>I've read and re-read the FAQ, particularly about the ident port stuff, but I don't think that's applicable. I've also analyzed packets with snoop to compare them to packets generated by a similar functioning IPF
3.4 BSD firewall and it all looks the same.<br><br>Seems odd that FTP NAT is speedy but every other NAT takes a while. Beginning to wonder if the regular NAT code has a problem that the FTP NAT proxy gets around.<br><br>Anybody got any ideas?
<br>

------=_Part_12517_27720855.1166570515539--