Hello,

Our users who are using SSH to connect to external servers are
experiencing dropouts, their sessions are dropping when they are
connected for long periods of time. Are there some settings in
Shorewall that might affect the duration of open connections?

This also occurs to users who are using SSH over VPN (VPN traffic
passes through Shorewall to a Cisco PIX connected to the LAN), but the
VPN connection does not drop when this happens.

Thanks,
Joel
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Please post in plain text rather than HTML. Your paragraphs become one long
line which is a PITA when quoting within a reply.

onephatcat@earthlink.net wrote:

> Our users who are using SSH to connect to external servers
> are experiencing dropouts, their sessions are dropping when
> they are connected for long periods of time. Are there some
> settings in Shorewall that might affect the duration of open
> connections?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
Sorry about that. Earthlink webmail.

It is set to plain text, but I had "view as html" turned on,
off now, hope that fixes it, although I don't see why "view as"
would affect sending if sending is set to plain text...

Any ideas about the problem I posted?

Thanks,
Joel

-----Original Message-----
>From: Tom Eastep <teastep@shorewall.net>
>Sent: Jun 7, 2007 11:53 AM
>To: onephatcat@earthlink.net, Shorewall Users <shorewall-users@lists.sourceforge.net>
>Subject: Re: [Shorewall-users] network disconnections
>
>Please post in plain text rather than HTML. Your paragraphs become one long
>line which is a PITA when quoting within a reply.
>
>onephatcat@earthlink.net wrote:
>
>> Our users who are using SSH to connect to external servers
>> are experiencing dropouts, their sessions are dropping when
>> they are connected for long periods of time. Are there some
>> settings in Shorewall that might affect the duration of open
>> connections?
>
>No.
>
>-Tom
>--
>Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
>PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
onephatcat@earthlink.net wrote:

>Our users who are using SSH to connect to external servers are
>experiencing dropouts, their sessions are dropping when they are
>connected for long periods of time.

Is this while they are working, or when the connection is idle for
longer periods? If it's the latter then I can shed some light on why it
happens ...

Ideally, a firewall (or NAT gateway which I assume is also configured)
will simply open a connection when the first packet is handled and keep
track of it until it sees it closed by the relevant packets. However,
connections often do not get closed properly for a number of reasons,
and so there are always timeouts so that a connection can be forgotten
about if no packets are seen for a certain time - and the timeout varies
between vendors/implementations.

I assume that Linux (and other good configurable systems) probably have
somewhere where this can be configured - hopefully someone more familiar
with the deep technical bits can shed light on this.

How I fixed it for me when we changed the firewall at work and timeouts
became 'a bit annoying' was to add:

    -o ServerAliveCountMax=30 -o ServerAliveInterval=20

to my ssh connection script. These values are probably a bit OTT, but
they have two effects. Firstly, it causes a packet exchange every 20
seconds which keeps the connection alive as far as the firewall is
concerned. Secondly, it causes the ssh client to disconnect if the link
is lost (like today when I've been disconnected a fair bit to diagnose
problems on a customer's network) rather than sit there until you try
and use it when it 'hangs' for a while before giving up.

See man ssh_config for more details. The values I've used send a server
alive message every 20 seconds, and allow up to 30 (ie 10 minutes) to be
missed before the connection is dropped.
-------------------------------------------------------------------------
Joel Braverman wrote:

> Sorry about that. Earthlink webmail.
>
> It is set to plain text, but I had "view as html" turned on,
> off now, hope that fixes it, although I don't see why "view as"
> would affect sending if sending is set to plain text...
>

Made no difference, I'm afraid.

> Any ideas about the problem I posted?

Not unless your distribution has decided to change the default TCP
conntrack timeout:

root@tipper:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
432000
root@tipper:~#

That's 5 days which should be high enough.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
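The two numbers raised in the thread so far (the ssh keepalive options and the conntrack timeout for established TCP connections) can be checked against each other. The following is an added example, not posted by anyone on the list; the function names and the PROC_ROOT override are hypothetical, and the second /proc path is the nf_conntrack name used by later kernels rather than the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. PROC_ROOT is a hypothetical override so
# the lookup can be pointed at a test directory instead of the real /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the conntrack timeout (seconds) for established TCP connections.
# The first path is the one quoted in the thread; the second is the
# nf_conntrack name used by later kernels. Returns 1 if neither is readable.
conntrack_established_timeout() {
    for f in \
        "$PROC_ROOT/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established" \
        "$PROC_ROOT/sys/net/netfilter/nf_conntrack_tcp_timeout_established"
    do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# keepalive_verdict INTERVAL COUNT IDLE_TIMEOUT
#   INTERVAL, COUNT: ServerAliveInterval and ServerAliveCountMax
#   IDLE_TIMEOUT:    shortest idle timeout (seconds) of any stateful
#                    firewall or NAT device on the path
keepalive_verdict() {
    interval=$1 count=$2 idle=$3
    for n in "$interval" "$count" "$idle"; do
        case "$n" in
            ''|*[!0-9]*) echo "error: arguments must be whole numbers"; return 2 ;;
        esac
    done
    if [ "$interval" -eq 0 ]; then
        # ServerAliveInterval 0 is the ssh_config default: no probes are sent.
        echo "keepalives off: an idle session is forgotten after ${idle}s"
        return 1
    fi
    if [ "$interval" -ge "$idle" ]; then
        echo "interval ${interval}s >= idle timeout ${idle}s: state can expire between probes"
        return 1
    fi
    echo "ok: probe every ${interval}s, dead link detected after $((interval * count))s"
}
```

On the firewall, `keepalive_verdict 20 30 "$(conntrack_established_timeout)"` checks the values quoted in the thread; pass a different third argument for any other device on the path whose idle timeout is known.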
On Thursday 07 June 2007 11:18, Tom Eastep wrote:
> Joel Braverman wrote:
> > Sorry about that. Earthlink webmail.
> >
> > It is set to plain text, but I had "view as html" turned on,
> > off now, hope that fixes it, although I don't see why "view as"
> > would affect sending if sending is set to plain text...
>
> Made no difference, I'm afraid.

FYI, neither the original message nor the reply was HTML, but his mail client
(Earthlink web mail) was not word wrapping. I didn't really notice because
KMail (usually) wraps at the screen border. But yes, it does appear
Earthlink web mail is non-compliant.

j

--
Joshua Kugler
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
-------------------------------------------------------------------------
Joshua J. Kugler wrote:
> On Thursday 07 June 2007 11:18, Tom Eastep wrote:
>> Joel Braverman wrote:
>>> Sorry about that. Earthlink webmail.
>>>
>>> It is set to plain text, but I had "view as html" turned on,
>>> off now, hope that fixes it, although I don't see why "view as"
>>> would affect sending if sending is set to plain text...
>> Made no difference, I'm afraid.
>
> FYI, neither the original message nor the reply was HTML, but his mail client
> (Earthlink web mail) was not word wrapping. I didn't really notice because
> KMail (usually) wraps at the screen border. But yes, it does appear
> Earthlink web mail is non-compliant.

You're correct -- the current list server passes HTML mail 'as is'; when I
ran a list server here locally, I configured Mailman to translate HTML->text
which resulted in an absence of word-wrap. So when I see that problem, I
still think 'HTML'. That was obviously not the case here.

My mailer (Thunderbird) also wraps at the window border, except when
replying.

Joel -- there may be an option to word-wrap in your Earthlink client.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
Good morning,

Quick point - have you examined the idle time out options in ssh? ssh
from ssh.com has both client and server-side idle time out options
(idle-timeout or IdleTimeOut) and there was a patch floating around to
add this functionality to OpenSSH a while back (see:
http://lists.debian.org/debian-ssh/2002/04/msg00010.html and
http://lists.debian.org/debian-ssh/2002/04/msg00013.html).

Patrick

Tom Eastep wrote:
> Joel Braverman wrote:
>
>> Sorry about that. Earthlink webmail.
>>
>> It is set to plain text, but I had "view as html" turned on,
>> off now, hope that fixes it, although I don't see why "view as"
>> would affect sending if sending is set to plain text...
>>
>
> Made no difference, I'm afraid.
>
>> Any ideas about the problem I posted?
>>
>
> Not unless your distribution has decided to change the default TCP
> conntrack timeout:
>
> root@tipper:~# cat
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
> 432000
> root@tipper:~#
>
> That's 5 days which should be high enough.
>
> -Tom
>

--
Patrick McNeil
Université de Montréal - DGTIC
PP, X-216
Telephone: (514) 343-6111, ext. 5247
Email: Patrick.McNeil@umontreal.ca
Fax: (514) 343-2155
Pager: (514) 480-3957, mcneilp@paget.dgtic.umontreal.ca
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users