florent at arcimex
Jul 24, 2001, 8:23 AM
I'm sorry if this mail is a duplicate, because I had problems with the mail server.
So, here is my problem:
During my FW tests, I noticed that a new connection through the firewall took a bit long to be established. An example:
A box pings through the firewall and waits for a response.
The FW doesn't even see the connection beginning for ~5 sec.
The FW sees the connection's FORWARD table packet counters increasing.
The ping box receives many pongs in a short time and then receives the others normally.
If I try to ping again a short time after, everything's OK.
I saw this behaviour for a couple of protocols (POP3, SMTP, ...).
It seems to me that the connection tracking module takes too much time to register the connection, and only when it has done its work does it enable the packet flow.
But maybe I'm wrong.
The problem is that my FW does SNAT and I can't live without connection tracking.
Is this behaviour normal?
Have I missed something in the configuration?
Has anyone faced the same problem?
What can I do to decrease this latency?
My firewall runs on a RH 7.0 box with kernel 2.4.6 and iptables v1.1.1
with 3 NICs for inet, local and dmz.
All the packet FORWARDING stuff works great, except for the latency.
Every response will be appreciated.