Shorewall and ping latency

Discussion in 'Linux Networking' started by Jacob Bunk Nielsen, Nov 8, 2005.

  1. Hi

    I'm setting up a firewall based on Shorewall 2.2 from Debian stable
    (sarge). It seems to work just fine, but I have a weird thing
    happening when using ping and other ICMP traffic.

    The box is a 2.8 GHz with 1 GB of memory. It has 3 gigabit ethernet
    adapters, and I'm not loading it with a lot of traffic at this point.

    When shutting down Shorewall I have a ping latency at around 0.1 ms
    from my local network to the firewall, but as soon as I enable
    Shorewall the latency goes up to about 25-30 ms.

    However, if I traceroute through the firewall to some other host on
    the internet it replies quickly in less than 0.2 ms. To illustrate:

    $ ping -c 10 -q 10.0.0.8
    PING 10.0.0.8 (10.0.0.8): 56 data bytes

    --- 10.0.0.8 ping statistics ---
    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max = 26.5/34.7/100.0 ms

    $ traceroute -I www.webpartner.dk
    traceroute to www.webpartner.dk (195.184.96.72), 30 hops max, 40 byte packets
    1 10.0.0.8 (10.0.0.8) 0.221 ms 0.186 ms 0.238 ms
    2 213.173.237.225 (213.173.237.225) 16.764 ms 14.519 ms 14.098 ms
    3 213.173.240.90 (213.173.240.90) 20.972 ms 24.657 ms 19.967 ms
    4 213.173.240.89 (213.173.240.89) 22.925 ms 34.553 ms 22.194 ms
    5 195.184.96.72 (195.184.96.72) 24.843 ms 9.660 ms 10.103 ms

    213.173.237.225 is my router to the internet, it's not the world's
    fastest router, but still faster than what what the above traceroute
    shows. If I ping it through another firewall I get:

    $ ping -c 10 -q 213.173.237.225
    PING 213.173.237.225 (213.173.237.225) 56(84) bytes of data.

    --- 213.173.237.225 ping statistics ---
    10 packets transmitted, 10 received, 0% packet loss, time 9012ms
    rtt min/avg/max/mdev = 1.300/1.832/4.290/0.903 ms

    I see the same pattern even if I cut the rules down to only permitting
    ping. Does anyone have a clue as to what's happening? I'm using a
    newly compiled 2.6.14 kernel, but saw the same behavior with an older
    2.6.8-2 kernel.
     
    Jacob Bunk Nielsen, Nov 8, 2005
    #1
    1. Advertisements

  2. I have now tried to disable Shorewall, but run the same iptables
    ruleset as Shorewall creates without starting the rest of Shorewall.
    This doesn't help, so it must be an iptables related problem that I
    have run into.

    I could still use a hint to resolve this issue.
     
    Jacob Bunk Nielsen, Nov 15, 2005
    #2
    1. Advertisements

  3. I resolved this issue, have a look at
    <http://sourceforge.net/mailarchive/message.php?msg_id=14195105> if
    you care to see what the solution was.
     
    Jacob Bunk Nielsen, Dec 16, 2005
    #3
  4. Jacob Bunk Nielsen

    Bit Twister Guest

    I would think I would setup 3.0 if it were me.
    http://www.shorewall.net/
     
    Bit Twister, Dec 16, 2005
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.