On Wed, 2004-08-25 at 14:49, Jason Opperisano wrote:
> > Here the logfile generated by tcpdump on my firewall when I ...
> >
> > ftp 192.168.125.1 (from 192.168.124.1)
> >
> > 14:31:19.818595 IP 192.168.124.1.32790 > 192.168.125.1.ftp: S
> > 2452334504:2452334504(0) win 5840 <mss 1460,sackOK,timestamp
> > 10914109[|tcp]>
>
> SYN
>
> > 14:31:19.819085 IP 192.168.125.1.ftp > 192.168.124.1.32790: S
> > 2932060858:2932060858(0) ack 2452334505 win 5792 <mss
> > 1460,sackOK,timestamp 1164327[|tcp]>
>
> SYN-ACK
>
> > 14:31:19.819448 IP 192.168.124.1.32790 > 192.168.125.1.ftp: . ack 1 win
> > 5840 <nop,nop,timestamp 10914109 1164327>
>
> ACK
>
> > 14:31:29.830558 IP 192.168.125.1.ftp > 192.168.124.1.32790: P 1:66(65)
> > ack 1 win 5792 <nop,nop,timestamp 1165329 10914109>
>
> 10 second delay... either that FTP is sending packets elsewhere that
> aren't getting captured, or has some problem/configuration that keeps it
> from responding any faster than that.
>
> can you perform the tcpdump on the FTP server itself?

Here you are ...

tcpdump.firewall.log

15:59:24.071217 IP 192.168.124.1.32796 > 192.168.125.1.ftp: S 3496999441:3496999441(0) win 5840 <mss 1460,sackOK,timestamp 16200055[|tcp]>
15:59:24.072144 arp who-has 192.168.124.1 tell pix1
15:59:24.072464 arp reply 192.168.124.1 is-at 00:50:ba:e2:a9:ed
15:59:24.072499 IP 192.168.125.1.ftp > 192.168.124.1.32796: S 4161421847:4161421847(0) ack 3496999442 win 5792 <mss 1460,sackOK,timestamp 1692753[|tcp]>
15:59:24.072847 IP 192.168.124.1.32796 > 192.168.125.1.ftp: . ack 1 win 5840 <nop,nop,timestamp 16200057 1692753>
15:59:34.085569 IP 192.168.125.1.ftp > 192.168.124.1.32796: P 1:66(65) ack 1 win 5792 <nop,nop,timestamp 1693755 16200057>
15:59:34.085984 IP 192.168.124.1.32796 > 192.168.125.1.ftp: . ack 66 win 5840 <nop,nop,timestamp 16210073 1693755>

tcpdump.ftp.log

15:52:48.574738 192.168.124.1.32796 > iptables.ftp: S 3496999441:3496999441(0) win 5840 <mss 1460,sackOK,timestamp 16200055 0,nop,wscale 0>
15:52:48.574908 arp who-has 192.168.125.240 tell iptables
15:52:48.575204 arp reply 192.168.125.240 is-at 0:30:4f:5:74:39
15:52:48.575226 iptables.ftp > 192.168.124.1.32796: S 4161421847:4161421847(0) ack 3496999442 win 5792 <mss 1460,sackOK,timestamp 1692753 16200055,nop,wscale 0> (DF)
15:52:48.576318 192.168.124.1.32796 > iptables.ftp: . ack 1 win 5840 <nop,nop,timestamp 16200057 1692753>
15:52:48.597025 iptables.33254 > 192.168.124.1.auth: S 4154447273:4154447273(0) win 5840 <mss 1460,sackOK,timestamp 1692755 0,nop,wscale 0> (DF)
15:52:51.587881 iptables.33254 > 192.168.124.1.auth: S 4154447273:4154447273(0) win 5840 <mss 1460,sackOK,timestamp 1693055 0,nop,wscale 0> (DF)
15:52:53.575270 arp who-has iptables tell 192.168.125.240
15:52:53.575318 arp reply iptables is-at 0:50:22:0:3:46
15:52:57.587870 iptables.33254 > 192.168.124.1.auth: S 4154447273:4154447273(0) win 5840 <mss 1460,sackOK,timestamp 1693655 0,nop,wscale 0> (DF)
15:52:58.588596 iptables.ftp > 192.168.124.1.32796: P 1:66(65) ack 1 win 5792 <nop,nop,timestamp 1693755 16200057> (DF)
15:52:58.589458 192.168.124.1.32796 > iptables.ftp: . ack 66 win 5840 <nop,nop,timestamp 16210073 1693755> [tos 0x10]

> > 14:31:29.830970 IP 192.168.124.1.32790 > 192.168.125.1.ftp: . ack 66 win
> > 5840 <nop,nop,timestamp 10924124 1165329>
> >
> > Furthermore, as you suggested it I added in my proftpd server
> > configuration
> >
> > UseReverseDNS off
> >
> > ... But this does not change anything.
>
> you *did* restart the daemon after that, right? ;-)

yes sure :)

>
> -j

I am back :)
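
One way to run the check discussed in this thread over a text capture: find the longest silence inside one flow, and list SYNs that never get any reply in the capture. This is an added example, not part of the original message; the function names are hypothetical and the sample lines are constructed in the same tcpdump text format, using documentation addresses rather than the hosts above.

```python
import re
from datetime import datetime

# Constructed sample (not the capture from the thread). The "IP" token is
# optional because older tcpdump versions omit it, as in tcpdump.ftp.log.
SAMPLE = """\
10:00:00.000100 IP 198.51.100.7.40000 > 192.0.2.10.ftp: S 100:100(0) win 5840
10:00:00.000300 arp who-has 198.51.100.7 tell 192.0.2.10
10:00:00.000500 IP 192.0.2.10.ftp > 198.51.100.7.40000: S 900:900(0) ack 101 win 5792
10:00:00.000900 IP 198.51.100.7.40000 > 192.0.2.10.ftp: . ack 1 win 5840
10:00:00.020000 192.0.2.10.33000 > 198.51.100.7.auth: S 500:500(0) win 5840
10:00:03.010000 192.0.2.10.33000 > 198.51.100.7.auth: S 500:500(0) win 5840
10:00:09.010000 192.0.2.10.33000 > 198.51.100.7.auth: S 500:500(0) win 5840
10:00:10.011000 IP 192.0.2.10.ftp > 198.51.100.7.40000: P 1:66(65) ack 1 win 5792
"""

# time, optional "IP", src endpoint, dst endpoint, TCP flags, remainder
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (?:IP )?(\S+) > (\S+): (\S+) (.*)$")

def parse(text):
    """Yield (time, src, dst, flags, rest) per TCP line; ARP lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            yield (ts,) + m.groups()[1:]

def unanswered_syns(text):
    """Return {(src, dst): count} for bare SYNs whose dst never sends to src."""
    pkts = list(parse(text))
    # (a, b) is in this set when some packet travelled from b to a
    replied = {(dst, src) for _, src, dst, _, _ in pkts}
    counts = {}
    for _, src, dst, flags, rest in pkts:
        is_bare_syn = flags == "S" and " ack " not in " " + rest
        if is_bare_syn and (src, dst) not in replied:
            counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts

def longest_gap(text, a, b):
    """Largest silence in seconds between consecutive packets of flow a<->b.
    Assumes the capture does not cross midnight (timestamps carry no date)."""
    times = [t for t, s, d, _, _ in parse(text) if {s, d} == {a, b}]
    gaps = [(y - x).total_seconds() for x, y in zip(times, times[1:])]
    return max(gaps, default=0.0)

if __name__ == "__main__":
    print(unanswered_syns(SAMPLE))
    print(longest_gap(SAMPLE, "198.51.100.7.40000", "192.0.2.10.ftp"))
```

Feed each capture file's text to both functions and compare: a gap that shows on both sides of the firewall, together with unanswered SYNs that show on only one side, points at where to look next.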