Fcc: outbox
----------------------------------------------------------------------------
mfrost @
mercury .
horizsys .
com (Mark Frost) writes:
> On Nov 20, 10:55am, "Bob Bracalente -- MRJ" wrote:
> > Subject: Long delays for telnet & ftp connects to firewall hosts
> > We have a few hosts in our firewall that are publically accessible for teln
> et.
> > The services work fine, except that when users connect to them, they alway
> s
> > experience about a one minute delay after receiving the "connected to..."
> > message from either application. This delay doesn't show up if both machin
> es
> > are in the DMZ, it only happens to connnects originating on the outside.
> >
> > Does anyone know what telnet and ftp are trying to do after issuing the
> > "connected to..." message? Some kind of reverse look up? Is this a DNS
> > related problem?
> >
> > Thanks,
> >
> > Bob
> >
> >-- End of excerpt from "Bob Bracalente -- MRJ"
>
> Every UNIX platform I've ever worked on exhibits this behavior when the remot
> e
> end of the telnet/ftp connection (i.e. the end you're trying to connect to)
> can't figure out what your IP address is. That is to say, reverse address
> lookups are failing in DNS. This is the result of a getpeername() call
> in the telnetd/ftpd. After about one minute, the daemon times out and just
> assumes you are coming from that IP address.
>
> Get your machine to resolve your IP addresses back to hostnames and your
> problem should go away.
>
> -mark frost
> horizon systems inc
There may be two versions of this reply floating around as the first
was accidentally addressed to the wrong firewalls alias. Sorry.
As to the problem, there may be another explanation as well. Any host
that you make a tcp connection to is entitled to make a reverse
authentification query to your machine to verify the user and host
that are using the specified ports. The authentification is weak but
it can be better than nothing.
The reverse query is performed at port 113. Some firewalls block this
port (by returning a host unreachable) which could lead to quicker
response than waiting for the host to either return some information or
possibly timeout as many systems do not support this.
The daemon which does the listening is called a variety of names,
ie identd, authd, etc
When you telnet into a system, and receive the `Connected to ` message,
this usually means your DNS lookup has succeeded and some form of
authentification may be in progress.
See RFCs 931 & 1413 for more info.
regards,
--
Ed Osterman eo @
mda .
ca
I guess sometimes there just aren't enough stones to throw.
-Forest Gump
Follow-Ups:
References:
|
|
