I am having some weird issues that I am thinking has to do with shorewall (maybe wrong). I have a two interface setup that had been working fine. On the firewall apache is running with a couple of virtual hosts. When on the loc zone one of the virtual hosts loads extremely slowly, to the point of timeout some of the time. However all the other virtual hosts load fine. Also if you are coming to the web server from the net zone the page loads just fine.

This may not even be a shorewall problem but it seems weird that it works fine when not on the local network but very poorly when on the local network. Any suggestions on where I should start to look to track this problem down?

Running shorewall 1.4.10c with Apache version 2.0.40

-- 
 _
/-\ ndrew
andrew@pure-wireless.net
http://www.pure-wireless.net
Andrew Niemantsverdriet wrote:
> I am having some weird issues that I am thinking has to do with
> shorewall (maybe wrong). I have a two interface setup that had been
> working fine. On the firewall apache is running with a couple of virtual
> hosts. When on the loc zone one of the virtual hosts loads extremely
> slow to the point of timeout some of the time. However all the other
> virtual hosts load fine. Also if you are coming to the web server from
> the net zone the page loads just fine.
>
> This may not even be a shorewall problem but it seems weird that it
> works fine when not on the local network but very poorly when on the
> local network. Any suggestions on where I should start to look to track
> this problem down?
>
> Running shorewall 1.4.10c with Apache version 2.0.40
>

I would start with:

a) Check the MTU on all interfaces involved in local communication; they should all be set to 1500.
b) Check all hardware connecting the firewall to the local system.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2004-07-15 at 13:47, Tom Eastep wrote:
> Andrew Niemantsverdriet wrote:
> > I am having some weird issues that I am thinking has to do with
> > shorewall (maybe wrong). I have a two interface setup that had been
> > working fine. On the firewall apache is running with a couple of virtual
> > hosts. When on the loc zone one of the virtual hosts loads extremely
> > slow to the point of timeout some of the time. However all the other
> > virtual hosts load fine. Also if you are coming to the web server from
> > the net zone the page loads just fine.
> >
> > This may not even be a shorewall problem but it seems weird that it
> > works fine when not on the local network but very poorly when on the
> > local network. Any suggestions on where I should start to look to track
> > this problem down?
> >
> > Running shorewall 1.4.10c with Apache version 2.0.40
> >
> I would start with:
>
> a) Check the MTU on all interfaces involved in local communication; they
> should all be set to 1500.
> b) Check all hardware connecting the firewall to the local system.

I did both of those things. I disconnected the LAN from the shorewall box so I eliminated all hardware except for a hub. So it was my laptop to hub then to shorewall box and out to the net. So it is not either one of those; it is just affecting port 80 to one virtual host, and then port 25 (SMTP) also seems to be affected across the board. So I doubt it is a physical layer problem.
Andrew Niemantsverdriet wrote:
> On Thu, 2004-07-15 at 13:47, Tom Eastep wrote:
>
>> Andrew Niemantsverdriet wrote:
>>
>>> I am having some weird issues that I am thinking has to do with
>>> shorewall (maybe wrong). I have a two interface setup that had been
>>> working fine. On the firewall apache is running with a couple of virtual
>>> hosts. When on the loc zone one of the virtual hosts loads extremely
>>> slow to the point of timeout some of the time. However all the other
>>> virtual hosts load fine. Also if you are coming to the web server from
>>> the net zone the page loads just fine.
>>>
>>> This may not even be a shorewall problem but it seems weird that it
>>> works fine when not on the local network but very poorly when on the
>>> local network. Any suggestions on where I should start to look to track
>>> this problem down?
>>>
>>> Running shorewall 1.4.10c with Apache version 2.0.40
>>>
>>
>> I would start with:
>>
>> a) Check the MTU on all interfaces involved in local communication; they
>> should all be set to 1500.
>> b) Check all hardware connecting the firewall to the local system.
>
>
> I did both of those things. I disconnected the LAN from the shorewall
> box so I eliminated all hardware except for a hub. So it was my laptop
> to hub then to shorewall box and out to the net. So not either one of
> those it is just affecting port 80 to one virtual host and then port 25
> (SMTP) also seems to be affected across the board. So I doubt it is a
> physical layer problem.

Have you looked at the traffic with ethereal?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>
> Have you looked at the traffic with ethereal?
>

You can also "shorewall clear" -- if browsing the virtual host is suddenly blazingly fast then the problem is in your Shorewall configuration. If it is still slow, look elsewhere.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2004-07-15 at 14:16, Tom Eastep wrote:
> Tom Eastep wrote:
> > Have you looked at the traffic with ethereal?
> >
>
> You can also "shorewall clear" -- if browsing the virtual host is
> suddenly blazingly fast then the problem is in your Shorewall
> configuration. If it is still slow, look elsewhere.
>
> -Tom

Great, well I will try both of those things. Thanks for your help.

-- 
 _
/-\ ndrew
andrew@pure-wireless.net
http://www.pure-wireless.net
So I have narrowed it down to a shorewall problem, not sure where to look in my configuration files to fix it though. The slow web page loading may be an apache problem but sending mail also hangs and it hangs for all hosts. If I telnet into my LAN side of things it takes 20-40 seconds to respond. However if I telnet to localhost or my public IP the connection connects right away.

Tom suggested yesterday to shorewall clear and see if that solves anything. By the time I had an opportunity to try that the problem went away so that yielded no results. Hardware and network are all functioning as they should and this only happens to hosts on the local zone. I initially thought that it was a DNS issue but everything checked out fine there. Any more ideas what could be causing such intermittent problems?
Andrew Niemantsverdriet wrote:
> So I have narrowed it down to a shorewall problem, not sure where to
> look in my configuration files to fix it though. The slow web page
> loading may be an apache problem but sending mail also hangs and it
> hangs for all hosts. If I telnet into my LAN side of things it takes
> 20-40 seconds to respond. However if I telnet to localhost or the my
> public IP the connection connects right away.

Almost has to be DNS or dropping Auth connection requests. But the latter wouldn't suddenly start working...

>
> Tom suggested yesterday to shorewall clear and see if that solves
> anything. By the time I had an opportunity to try that the problem went
> away so that yielded no results. Hardware and network are all
> functioning as they should and then only happens to hosts on the local
> zone. I initially thought that it was a DNS issue but everything checked
> out fine there. Any more ideas what could be causing such intermittent
> problems?
>

The above two paragraphs seem contradictory to me. You say that you have narrowed it down to a Shorewall problem but you provide absolutely no evidence to support that claim. Unless you are using rate-limiting rules, Shorewall configuration problems don't produce intermittent symptoms; it either works or it doesn't.

How is your network physically cabled?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2004-07-16 at 12:39, Tom Eastep wrote:
>
> Almost has to be DNS or dropping Auth connection requests. But the
> latter wouldn't suddenly start working...

I thought it was DNS as well, but looking through requests I see DNS resolving right away. The way the problem occurs is I telnet into the local interface (using port 25) and the connection just hangs there; once it finally goes through, mail proceeds as it should. If I do the same thing to any other address (my public IP or localhost) the connection goes right through.

> The above two paragraphs seem contradictory to me. You say that you have
> narrowed it down to a Shorewall problem but you provide absolutely no
> evidence to support that claim.
>

The reason I think it is shorewall is it is the only thing left. Plus the problem does not show up on the net side of things. So shorewall is the only thing that can really be causing it (I think).

> Unless you are using rate-limiting rules, Shorewall configuration
> problems don't produce intermittent symptoms; it either works or it doesn't.

It does not make sense that it would be intermittent so I agree with you on that. Our server is pretty tight on memory, so during high loads is it possible that NAT rules may be affected? CPU and other IO resources are hardly utilized. No rate limiting stuff.

>
> How is your network physically cabled?
>

The network looks like this:

LAN cloud <--T1 Line--> router <---> hub <--> shorewall <---> Internet

Yesterday I unplugged the router from the hub and connected my laptop directly to the hub. The problem still existed. Also kinda puts the heavy load theory to rest.

Thanks for your help so far.

-- 
 _
/-\ ndrew
andrew@pure-wireless.net
http://www.pure-wireless.net
Andrew Niemantsverdriet wrote:
> On Fri, 2004-07-16 at 12:39, Tom Eastep wrote:
>
>> Almost has to be DNS or dropping Auth connection requests. But the
>> latter wouldn't suddenly start working...
>
> I thought it was DNS as well, but looking through requests I see DNS
> resolving right away. The way the problem occurs is I telnet into the
> local interface (using the port 25) and the connection just hangs there
> once it finally goes through in mail proceeds as it should. If I do the
> same thing to any other address (my public IP or localhost) the
> connection goes right through.

Have you looked at the traffic with Ethereal as I suggested yesterday?

>
>
>> The above two paragraphs seem contradictory to me. You say that you have
>> narrowed it down to a Shorewall problem but you provide absolutely no
>> evidence to support that claim.
>>
>
> The reason I think it is shorewall is it is the only thing left.

When you demonstrate that "shorewall clear" makes the problem go away and "shorewall start" makes it come back again, then I will believe that the problem is Shorewall related.

> Plus
> the problem does not show up on the net side of things. So shorewall is
> the only thing that can really be causing it (I think).
>

The performance problem is associated with going through the hub and the computer connected between the internet and the hub.

Shorewall configured iptables on the computer.

Hence, it must be a Shorewall problem.

Is that your reasoning?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>> Plus
>> the problem does not show up on the net side of things. So shorewall is
>> the only thing that can really be causing it (I think).
>>
>
> The performance problem is associated with going through the hub and the
> computer connected between the internet and the hub.
>
> Shorewall configured iptables on the computer.

Or more correctly, "Shorewall configured Netfilter..."

>
> Hence, it must be a Shorewall problem.
>
> Is that your reasoning?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Andrew Niemantsverdriet wrote:
>
>> On Fri, 2004-07-16 at 12:39, Tom Eastep wrote:
>>
>>> Almost has to be DNS or dropping Auth connection requests. But the
>>> latter wouldn't suddenly start working...
>>
>>
>> I thought it was DNS as well, but looking through requests I see DNS
>> resolving right away. The way the problem occurs is I telnet into the
>> local interface (using the port 25) and the connection just hangs there
>> once it finally goes through in mail proceeds as it should. If I do the
>> same thing to any other address (my public IP or localhost) the
>> connection goes right through.
>
>
> Have you looked at the traffic with Ethereal as I suggested yesterday?
>

The reason that I ask is because it is usually the *REVERSE* DNS lookup to get the client's name that is the problem with slow connections, not the forward lookup to get the server's IP address.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
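The diagnostic Tom is steering toward can be made measurable without a packet capture: time the TCP three-way handshake separately from the time until the daemon's greeting arrives. If the handshake completes at once but the "220" banner shows up 20-40 seconds later, the packet filter accepted the SYN and the wait is inside the daemon (a blocking reverse DNS or ident lookup on the client's address); if the handshake itself stalls, the packet path is the place to look. The script below is an added example written for this thread, not code from the list or from the Shorewall project. It stands up a constructed stand-in for a mail daemon on 127.0.0.1 that sleeps for a configurable period before greeting (the delay is a parameter, not a measured reverse-DNS time), then probes it the way one would probe the real port 25 on the LAN address; `probe()` and `classify()` work against any host and port.

```python
import socket
import threading
import time


def start_slow_banner_server(banner_delay, banner=b"220 mail.example.test ESMTP\r\n"):
    """Constructed stand-in for a daemon that does a slow lookup before greeting.

    Binds an ephemeral port on 127.0.0.1 and returns (port, stop_event).
    The TCP handshake is completed by the kernel as soon as the SYN arrives;
    the sleep after accept() models the daemon's pre-greeting lookup.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)  # poll so the thread can notice stop
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            time.sleep(banner_delay)  # "reverse DNS / ident lookup" in progress
            try:
                conn.sendall(banner)
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def probe(host, port, timeout=10.0):
    """Measure handshake time and time-to-first-byte for one TCP connection."""
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        t_connect = time.monotonic() - t0  # SYN/SYN-ACK/ACK done
        s.settimeout(timeout)
        try:
            first = s.recv(256)
        except socket.timeout:
            first = b""
        t_banner = time.monotonic() - t0  # greeting (or give-up) time
    return {
        "connect_s": t_connect,
        "banner_s": t_banner,
        "banner": first.decode(errors="replace").strip(),
    }


def classify(m, slow=1.0):
    """Turn a probe result into the next place to look.

    Handshake slow  -> packet path / filter rules.
    Handshake fast but greeting slow -> the daemon itself, typically a
    blocking reverse DNS or ident lookup on the client's address.
    """
    if m["connect_s"] >= slow:
        return "handshake slow: look at the network path / packet filter"
    if m["banner_s"] - m["connect_s"] >= slow:
        return "handshake fast, greeting slow: look at the daemon (reverse DNS / ident lookup)"
    return "no delay observed"


def demo(banner_delay=1.5):
    """Run the constructed server and probe it; returns the measurements."""
    port, stop = start_slow_banner_server(banner_delay)
    try:
        m = probe("127.0.0.1", port)
    finally:
        stop.set()
    m["verdict"] = classify(m)
    return m


if __name__ == "__main__":
    r = demo()
    print("connect %.3fs, banner %.3fs -> %s" % (r["connect_s"], r["banner_s"], r["verdict"]))
```

Against a real host, run `probe()` twice from the LAN: once against the LAN-side address and once against the public address or localhost, as in the thread. A large gap between `connect_s` and `banner_s` on only the LAN address is consistent with Tom's reverse-DNS explanation (the LAN client's address has no usable PTR record and the lookup times out), and `shorewall clear` followed by `shorewall start` remains the decisive test for whether Netfilter is involved at all.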