Very Slow FTP

truenegative

Hello,

On our server, FTP is very very slow, when everything else is very fast. We're running Centos 4.2 x86_64 and APF...

Our APF config:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,53,80,443,110,123,2222"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="53,123"


Any ideas??
 
It's definitely not a firewall issue; your firewall settings aren't rate-limiting.

When we had the problem on a server several years old we discovered a mismatch between the settings on the switch and the settings for the NIC.

Jeff
 
It is a firewall issue.

The problem is there are two FTP modes: active and passive

Active uses the old plain port 21, which works fine with your above config. Switching your FTP client to active mode will result in a fast connection.

For passive mode to work behind the firewall, you need to choose a port range to allow this protocol, for example 60000 to 60019, add a line to /etc/proftpd.conf:

PassivePorts 60000 60019

Then restart the FTP server.
 
He said it was slow, not that it didn't work, so active/passive isn't the issue here.
The difference between active/passive is who decides what port to use for the data connection, the client or the server. But regardless of how the connection is established, once it is, active or passive, it doesn't influence speed.


PS.
"Active uses the old plain port 21"
Both active and passive use port 21. It's the data port that makes the difference, not the command port.
 
Hey, I have exactly the same problem, but I'm running CentOS 4.3 x86_64 and APF.
Download speed is very fast, but the upload speed is terrible, with huge ups and downs.
 
I know. Believe it or not, this is the problem. I have had it, and fixed it this way on over 50 servers running CentOS with DA.

Passive FTP will work, but terribly slow if you do not do the above fix.
 
Frans, I just tried your "fix" but it doesn't work. I've added PassivePorts 60000 60019 to /etc/proftpd.conf.
Do I have to modify the apf conf too?
 
Yes, you have to open the TCP ports 60000 to 60019.

Though I only know how to do it on iptables, so I cannot tell you how to do that on your firewall.
 
When configured by either kiss or by apf, as described in these forums, iptables doesn't need the passive ports opened because it loads the ip_conntrack_ftp kernel module, so it will automatically open any passive port ftp needs, on demand.

That said, it's reasonable that Franz may configure his iptables to not automatically open the ports as required.

tarionyx hasn't responded to the thread again, so I don't know if it's still an issue or not, but if it appears to be an issue with apf, make sure that apf is loading the ip_conntrack_ftp kernel, as it should.

All that said, while I was right in what I wrote above, I perhaps wasn't clear enough; while the firewall settings aren't limiting by default, they of course can be; for example there's code in kiss that can be uncommented to limit traffic to avoid syn-flood attacks; that code is rate limiting. There may be similar code in apf, and somehow in tarionyx's case it may have somehow been activated.

Also, while command line ftp either fails or passes on passive ports (no pun intended), certain windowing clients may, if set to default to passive ftp, try first on passive, and then time out and try again with passive ftp turned off.

So while it's not quite as simple as presumed heretofore in this thread, default configurations should just work.

Jeff
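
A check covering both positions in this thread, as an added example that is not part of any post: it reads the PassivePorts range from proftpd.conf, tests it against APF's IG_TCP_CPORTS (APF writes a range as LOW_HIGH, for example 60000_60019), and looks for the FTP conntrack helper in a /proc/modules listing. The function names and the temporary sample files are assumptions for illustration; on a server, pass /etc/proftpd.conf, the APF configuration file and /proc/modules.

```shell
#!/bin/sh
# Added example; the sample files written at the bottom are constructed.

# Print "LOW HIGH" from the PassivePorts directive of a proftpd.conf.
passive_range() {
    awk 'tolower($1) == "passiveports" { print $2, $3; exit }' "$1"
}

# Print the value of an APF port-list variable such as IG_TCP_CPORTS.
apf_ports() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# Succeed if port $1 matches an entry of list $2 (single port or LOW_HIGH range).
port_allowed() {
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        [ "$1" -ge "${entry%%_*}" ] && [ "$1" -le "${entry##*_}" ] && return 0
    done
    return 1
}

# Succeed if a /proc/modules listing has ip_conntrack_ftp (nf_conntrack_ftp on later kernels).
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp ' "$1"
}

# Usage: check_passive_ftp PROFTPD_CONF APF_CONF MODULES_FILE
check_passive_ftp() {
    local range low high ports p
    range=$(passive_range "$1")
    low=${range% *}; high=${range#* }; p=$low
    [ -n "$high" ] || { echo "no PassivePorts range configured"; return 2; }
    ports=$(apf_ports "$2" IG_TCP_CPORTS)
    while [ "$p" -le "$high" ]; do
        if ! port_allowed "$p" "$ports"; then
            ftp_helper_loaded "$3" && { echo "ok: port $p closed in APF, FTP conntrack helper loaded"; return 0; }
            echo "blocked: port $p not in IG_TCP_CPORTS, no FTP conntrack helper"; return 1
        fi
        p=$((p + 1))
    done
    echo "ok: $low-$high open in IG_TCP_CPORTS"
}

# Constructed sample: the APF list posted in the thread plus the suggested range.
demo=$(mktemp -d)
echo 'PassivePorts 60000 60019' > "$demo/proftpd.conf"
echo 'IG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222"' > "$demo/conf.apf"
: > "$demo/modules"   # empty listing: helper module not loaded
check_passive_ftp "$demo/proftpd.conf" "$demo/conf.apf" "$demo/modules" || true
```

The helper reads the PASV reply from the control connection, so it cannot track the data port when the control channel is encrypted (FTPS); in that case the explicit range in IG_TCP_CPORTS is the only option.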
 