[lug] ipchains -L hangs

D. Stimits stimits at idcomm.com
Wed Dec 13 02:51:02 MST 2000


Deva Samartha wrote:
> 
> >My ppp0 input chain listed 86 rules in about 6 seconds. They displayed
> >in chunks, with pauses between chunks. I believe it is possible the
> >pauses were caused by attempting name lookup of a numeric ip that took a
> >brief moment. Possibly it is slowed when doing that?
> 
> I checked it and - see there - every line in ipchains -L does a bunch of
> DNS requests to the USwest DNS server which does not make much sense at
> all! I am not very familiar with the tcpdump format below but it looks as
> if it tries to do a reverse address lookup for the 192.168.9.0?
> 
> 20:31:46.510946 me.mydom.com.1049 > ns2.dnvr.uswest.net.domain: 36691+ PTR? 0.9.168.192.in-addr.arpa. (42)
> 20:31:46.532356 ns2.dnvr.uswest.net.domain > me.mydom.com.1049: 36691 NXDomain* 0/1/0 (124)
> 
> Same happens when going from the firewall (where the chain resides) with
> browser to httpd in DMZ with local IP - it hangs too with varying times
> doing DNS lookups on local IPs.
> 
> I tried putting names and network addresses in /etc/networks and rebooted
> - no change of behavior.
> 
> /etc/nsswitch has:
> 
> networks:       files dns
> 
> Any suggestions of what to do in order to talk the programs into dropping
> their DNS weirdness?
> 

As long as it is looking up names, it will slow down. If a name lookup
requires extra time for a timeout, then it'll take a LOT longer. The
option "-n" tells it to use only numeric output. If you use that, all
IPs will be dotted-decimal format, and it'll run fast (no name lookups
required).

D. Stimits, stimits at idcomm.com
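The tcpdump lines quoted above show the symptom itself: each rule listed triggers a reverse (PTR) query for a private 192.168.x.x address, sent to the ISP's resolver, which can only answer NXDomain or time out. The script below is an added example, not part of this thread and not taken from ipchains or tcpdump; the function names (ip_to_ptr, ptr_to_ip, is_private_ip, flag_private_ptr_queries) are my own, and the sample capture lines are constructed in the format shown in the post. It decodes in-addr.arpa names back to addresses and flags PTR queries for RFC 1918 space so you can see from a capture how many of these pointless lookups a tool is issuing.

```shell
#!/bin/sh
# Added example, not from the original thread: spot reverse (PTR) lookups for
# RFC 1918 addresses in tcpdump output, the symptom described in the post.
# The sample lines below are constructed in the tcpdump format the post shows.

# Build the PTR name a resolver is asked for when reverse-looking-up an IP:
# the octets are reversed and ".in-addr.arpa" is appended.
ip_to_ptr() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Inverse of ip_to_ptr: accept "0.9.168.192.in-addr.arpa" with or without a
# trailing dot and return "192.168.9.0".
ptr_to_ip() {
    name=${1%.}
    name=${name%.in-addr.arpa}
    echo "$name" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Exit status 0 when the address lies in 10/8, 172.16/12 or 192.168/16.
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read tcpdump DNS lines on stdin. For every PTR query whose name decodes to a
# private address, print the timestamp and the address. Such queries sent to
# an upstream resolver can only time out or return NXDomain, and they also
# tell that resolver about your internal numbering.
flag_private_ptr_queries() {
    while IFS= read -r line; do
        case "$line" in *"PTR? "*) ;; *) continue ;; esac
        qname=${line##*"PTR? "}   # text after the query type
        qname=${qname%% *}        # the queried name alone
        case "$qname" in
            *.in-addr.arpa|*.in-addr.arpa.) ;;
            *) continue ;;
        esac
        ip=$(ptr_to_ip "$qname")
        if is_private_ip "$ip"; then
            printf '%s PTR query for private address %s\n' "${line%% *}" "$ip"
        fi
    done
}

# Constructed sample capture: one event per line, as tcpdump prints them.
SAMPLE_TCPDUMP='20:31:46.510946 me.mydom.com.1049 > ns2.dnvr.uswest.net.domain: 36691+ PTR? 0.9.168.192.in-addr.arpa. (42)
20:31:46.532356 ns2.dnvr.uswest.net.domain > me.mydom.com.1049: 36691 NXDomain* 0/1/0 (124)
20:31:47.010101 me.mydom.com.1050 > ns2.dnvr.uswest.net.domain: 36692+ PTR? 7.0.16.172.in-addr.arpa. (41)
20:31:47.210101 me.mydom.com.1051 > ns2.dnvr.uswest.net.domain: 36693+ A? www.example.com. (33)
20:31:47.410101 me.mydom.com.1052 > ns2.dnvr.uswest.net.domain: 36694+ PTR? 1.1.8.8.in-addr.arpa. (38)'

# Number of flagged queries in the sample: 2 (192.168.9.0 and 172.16.0.7).
count_private_ptr_queries() {
    printf '%s\n' "$SAMPLE_TCPDUMP" | flag_private_ptr_queries | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_TCPDUMP" | flag_private_ptr_queries
```

Run it against a real capture with `tcpdump -n port 53 | flag_private_ptr_queries` style plumbing (the `-n` on tcpdump matters too, or it will resolve names while you watch it resolve names). The fix in the reply above, `ipchains -L -n`, removes the lookups entirely; this script only helps you measure how much of the stall they account for before and after.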
