slow access to my web server using ipchains


Post by Peter Michael Jense » Thu, 17 Oct 2002 01:08:49



Hi

I am using a web server on an intranet and want to close all unnecessary
ports. When I use a general policy for my OUTPUT chain like Reject or Deny
- the access time to my webserver is very long. I have only allowed tcp on
port 80 - what am I missing?

All help is more than welcome
Peter

 
 
 


Post by Sundial Service » Thu, 17 Oct 2002 01:28:53



> Hi

> I am using a web server on an intranet and want to close all unnecessary
> ports. When I use a general policy for my OUTPUT chain like Reject or Deny
> - the access time to my webserver is very long. I have only allowed tcp on
> port 80 - what am I missing?

> All help is more than welcome
> Peter

You need to describe more about your server configuration; for example, does
it have one network card or two?

ipchains uses kernel tables and is instantaneous ... I do not believe that
you can attribute slow performance to this.  

But it's possible that something else, such as routing, is causing the
packets to be sent hither and yon.  "tcpdump" can be a good tool for
starting to diagnose such problems, as can "traceroute."

 
 
 


Post by John Murtar » Thu, 17 Oct 2002 01:57:55



> I am using a web server on an intranet and want to close all unnecessary
> ports. When I use a general policy for my OUTPUT chain like Reject or Deny
> - the access time to my webserver is very long. I have only allowed tcp on
> port 80 - what am I missing?

One thing to check is to make sure you have DNS lookups turned off on
your web server, i.e. your log files just contain the IP numbers of machines
making requests, not their names.  If lookups are on, it will attempt to do
DNS lookups and those may be blocked by your setup, causing them to time out
and slow down the whole show.

--
                                          John
___________________________________________________________________
John Murtari                              Software Workshop Inc.

http://www.thebook.com/
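
The effect described in the post above, as an added example that is not part of the thread: a small first-match model of the input and output chains showing which packets of one page request fall through to a DENY policy when only tcp port 80 is opened. The port numbers, the UDP resolver traffic and the simplified rule fields (protocol and ports only) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    chain: str   # "input" or "output", as seen by the web server
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str
    sport: Optional[Tuple[int, int]]  # inclusive port range, None = any
    dport: Optional[Tuple[int, int]]
    target: str

def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def verdict(pkt, rules, policy="DENY"):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules:
        if (r.chain == pkt.chain and r.proto == pkt.proto
                and in_range(pkt.sport, r.sport) and in_range(pkt.dport, r.dport)):
            return r.target
    return policy

HIGH = (1024, 65535)
# The setup from the thread: only tcp port 80 is opened, in both directions.
WEB_ONLY = [
    Rule("input", "tcp", HIGH, (80, 80), "ACCEPT"),
    Rule("output", "tcp", (80, 80), HIGH, "ACCEPT"),
]
# Holes for the resolver: query out and answer back in (ipchains keeps no state).
WITH_DNS = WEB_ONLY + [
    Rule("output", "udp", HIGH, (53, 53), "ACCEPT"),
    Rule("input", "udp", (53, 53), HIGH, "ACCEPT"),
]
# Constructed packets for one page request when the server resolves client names.
REQUEST = {
    "client -> server:80": Packet("input", "tcp", 40000, 80),
    "server:80 -> client": Packet("output", "tcp", 80, 40000),
    "server -> resolver:53": Packet("output", "udp", 32768, 53),
    "resolver:53 -> server": Packet("input", "udp", 53, 32768),
}

def blocked(rules):
    """Names of the packets in REQUEST that fall through to the DENY policy."""
    return [name for name, p in REQUEST.items() if verdict(p, rules) != "ACCEPT"]

if __name__ == "__main__":
    print("web only:", blocked(WEB_ONLY))
    print("with DNS:", blocked(WITH_DNS))
```

With the web-only rules the HTTP packets pass and both resolver packets are dropped, so each lookup has to time out before the request completes; turning name lookups off in the web server removes those packets from the exchange altogether.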

 
 
 


Post by WarpKa » Thu, 17 Oct 2002 03:56:53



> Hi

> I am using a web server on an intranet and want to close all unnecessary
> ports. When I use a general policy for my OUTPUT chain like Reject or Deny
> - the access time to my webserver is very long. I have only allowed tcp on
> port 80 - what am I missing?

> All help is more than welcome
> Peter

Turn off unnecessary services.  LPD, DNS, Samba, X, CUPS, Telnet (SSH is
preferred), Finger, etc.

This will null the ports and make them unavailable.  There's no reason to
use a firewall to close off those ports if nothing is listening on them.

 
 
 


Post by Duncan Thomso » Thu, 17 Oct 2002 05:17:28




> > I am using a web server on an intranet and want to close all unnecessary
> > ports. When I use a general policy for my OUTPUT chain like Reject or Deny
> > - the access time to my webserver is very long. I have only allowed tcp on
> > port 80 - what am I missing?

> One thing to check is to make sure you have DNS lookups turned off on
> your web server, i.e. your log files just contain the ip numbers of machines
> making requests, not their names.  If lookups are on, it will attempt to do
> DNS lookups and those may be blocked by your setup, causing them to time out
> and slow down the whole show.

Ten to one odds that's it.  Whenever you have long delays in accessing
services, the first thing to check is whether something is timing out
on DNS.
 
 
 


Post by Ange » Thu, 17 Oct 2002 07:12:15



> Turn off unnecessary services.  LPD, DNS, Samba, X, CUPS, Telnet (SSH is
> preferred), Finger, etc.

> This will null the ports and make them unavailable.  There's no reason to
> use a firewall to close off those ports if nothing is listening on them.

My own personal choice is to block all ports via a firewall no matter if
there's a service running behind them or not.  Excluding of course those
services I want open.

My reasoning behind that is that it's easier to administer when you have
a default of deny all with just a few 'holes' explicitly permitted.
Also if some clever soul does manage to get access via one of the
services I do choose to have open then they would not be able to start
up things like telnet, ssh, etc in order to increase their level of access.

angel

 
 
 


Post by Peter Michael Jense » Thu, 17 Oct 2002 07:56:09


Hi

I have only one network card installed. I have installed RH7.3.
The general ipchains-policy rejects both on input and output. Port 80 is
opened for both input and output.

The problem is that the above makes the access-time very long. When I change
the general output policy the speed is ok.

Regards
Peter



>> Hi

>> I am using a web server on an intranet and want to close all unnecessary
>> ports. When I use a general policy for my OUTPUT chain like Reject or
>> Deny - the access time to my webserver is very long. I have only allowed
>> tcp on port 80 - what am I missing?

>> All help is more than welcome
>> Peter

> You need to describe more about your server configuration; for example,
> does it have one network card or two?

> ipchains uses kernel tables and is instantaneous ... I do not believe that
> you can attribute slow performance to this.

> But it's possible that something else, such as routing, is causing the
> packets to be sent hither and yon.  "tcpdump" can be a good tool for
> starting to diagnose such problems, as can "traceroute."

 
 
 
