
Re: IP masquerading - connections persist too long



On Thu 03 Feb 2000, Oliver Elphick wrote:

> I have recently switched my ISDN card to a firewall machine, running
> kernel 2.2.13 and slink.

I hope you're running isdnutils 3.0-12slink14? It's in
slink-proposed-updates. There's at least a Y2K buglet in
isdnlog (not that that has anything to do with your problem).

> I am now finding that connections remain open for up to 10 minutes.
> I think that the masquerading part of the kernel has opened them in
> order to fulfil connection requests, but is not closing them when
> the original program closes the connection to the firewall.  As a
> result, I am incurring unnecessary call charges.
> 
> Does anyone know of a way to force the masqueraded connection to shut
> down at the same time as the original one?

I doubt that the masqueraded connections are the cause of your troubles.
I often have the same setup as you mention, and even with the
masqueraded connection still alive (but not active in the sense of
traffic flowing), the huptimeout hangup takes place. As soon as data has
to be transferred, the autodial connects again and the IP connection
continues as if nothing's happened.

However, if you're suffering from dynamic IP addresses from wherever
you connect to, then beware! If not, ignore the rest of this message.

If the line hangs up (timeout for example) while an IP connection still
exists, the next time you make a connection, you get a new IP address,
and then you can send out packets for the old IP connection, but you
never get an answer because the answers go to the _old_ IP address.
Hence retries, etc.

Same thing when the line has hung up and the (masqueraded) client closes
the connection. The termination packet (I forget the official TCP name
for it) goes out, triggering a dialout, and then it waits for an ACK.
That doesn't happen, retransmit, wait (exponential backoff), retransmit,
goto begin of loop until max. retries.

You can set how long it takes before an inactive masqueraded connection
stops being masqueraded; you have to echo something into /proc/net/*,
but I can't find what at the moment...

You _do_ have "echo 1 > /proc/sys/net/ipv4/ip_dynaddr" activated in your
device.ippp0 script?


Paul Slootman
-- 
home:       paul@wurtel.demon.nl http://www.wurtel.demon.nl/
work:       paul@murphy.nl       http://www.murphy.nl/
debian:     paul@debian.org      http://www.debian.org/
isdn4linux: paul@isdn4linux.de   http://www.isdn4linux.de/
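Added example, not part of Paul's message or of isdn4linux: a fragment in the style of the device.ippp0 "up" script the message refers to, wrapping the ip_dynaddr knob in functions that can be checked, plus the masquerade table timeouts, which on a 2.2 kernel are set with ipchains -M -S rather than through /proc. The variable SYSCTL_ROOT, the function names and the timeout values are assumptions made here so the functions can be exercised against a scratch directory; on the firewall itself SYSCTL_ROOT stays at its default of /proc/sys.

```shell
#!/bin/sh
# Added example (not from the original message): helpers for an
# isdn4linux device.ippp0-style "up" script. SYSCTL_ROOT is an assumption
# introduced here so the functions can be run against a scratch copy of
# the /proc/sys tree instead of the live one.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Write a value into a /proc/sys-style file; fail instead of silently
# creating a regular file when the knob does not exist on this kernel.
set_knob() {
    knob="$SYSCTL_ROOT/$1"
    if [ ! -w "$knob" ]; then
        echo "set_knob: $knob is missing or not writable" >&2
        return 1
    fi
    echo "$2" > "$knob"
}

# ip_dynaddr: any non-zero value makes the kernel rewrite the source
# address of a connection that was still being set up when the dial-out
# changed the interface address; a value above 1 also logs each rewrite.
enable_dynaddr() {
    set_knob net/ipv4/ip_dynaddr "${1:-1}"
}

# Return 0 when dynamic-address support is on, 1 when it is off or the
# knob is absent (kernels can be built without it).
dynaddr_enabled() {
    knob="$SYSCTL_ROOT/net/ipv4/ip_dynaddr"
    [ -r "$knob" ] || return 1
    [ "$(cat "$knob")" != "0" ]
}

# On a 2.2 kernel the masquerade table timeouts (seconds) are set with
# ipchains -M -S <tcp> <tcpfin> <udp>; tcpfin is how long an entry for a
# connection that has already seen a FIN is kept. The defaults used here
# are assumptions, not recommended values.
set_masq_timeouts() {
    tcp="${1:-7200}" fin="${2:-10}" udp="${3:-160}"
    if command -v ipchains >/dev/null 2>&1; then
        ipchains -M -S "$tcp" "$fin" "$udp"
    else
        echo "ipchains not installed; would run: ipchains -M -S $tcp $fin $udp" >&2
        return 1
    fi
}

# What the interface-up hook would do. Errors are reported but do not
# abort the dial: the line coming up matters more than the tuning.
ippp0_up() {
    enable_dynaddr 1 || echo "ippp0_up: ip_dynaddr not enabled" >&2
    set_masq_timeouts || echo "ippp0_up: masquerade timeouts unchanged" >&2
}
```

Call ippp0_up from the script that runs when ippp0 comes up. Note that ip_dynaddr only helps the connection that triggered the dial-out and was still in its setup phase; established connections that survive a hangup still end up with the retransmit loop described in the message.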

