[zorp] Zorp slows down web page viewing?
Joseph Kim
zorp@lists.balabit.hu
Tue, 3 May 2005 11:08:57 -0700
Thank you for your reply.
"Slow" means the following:
For the same webpage, without Zorp, it takes about a second to display. But,
with Zorp, it takes about 20 seconds to display. I understand that Zorp
would add some latency, but not to this extent.
So I thought there should be something wrong.
Configuration is like the following:
(1) Zorp machine is configured in bridge mode with a bridge (br0) IP
address 192.168.11.101. Currently, both eth2 and eth3 are added to the
bridge. And Zorp is running.
(2) Client notebook's IP address is 192.168.11.13, and is connected to eth2
of the Zorp machine.
(3) Eth3 of Zorp machine is connected to our Internet Gateway Router (IP
address 192.168.11.1) through which it can go to the internet.
The file instances.conf includes the following line:
zorp --verbose=10 --policy /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4
And the file policy.py includes the following lines:
===============================================================================
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *
from Zorp.Ftp import *

Zorp.firewall_name = 'zorp@MC1'

InetZone("all", "0.0.0.0/0", inbound_services=['*'],
         outbound_services=['*'])

#
# The name of this function is passed to the Zorp binary with the --as
# command line option.
#
class IntraFtp(FtpProxy):
    def config(self):
        FtpProxy.config(self)
        self.transparent_mode = TRUE
        self.data_mode = FTP_DATA_PASSIVE

class IntraHttp(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE

def zorp():
    Service('ftp', FtpProxy, router=TransparentRouter(forge_addr=TRUE))
    Service('http', IntraHttp,
            router=TransparentRouter(forge_addr=TRUE))
    Service('https', PlugProxy,
            router=TransparentRouter(forge_addr=TRUE))
    Listener(SockAddrInet("0.0.0.0", 50021), "ftp")
    Listener(SockAddrInet("0.0.0.0", 50080), "http")
    Listener(SockAddrInet("0.0.0.0", 50443), "https")
===============================================================================
And I do the following to run zorp:
iptables -F
iptables -A INPUT -m tproxy -j ACCEPT
iptables -t tproxy -A PREROUTING -p tcp --dport 21 -j TPROXY --on-port 50021
iptables -t tproxy -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 50080
iptables -t tproxy -A PREROUTING -p tcp --dport 443 -j TPROXY --on-port 50443
#dummy interface
ifconfig dummy0 1.2.3.4
#zorp
sleep 1
zorpctl start
Look forward to hearing your comments.
Joseph
----- Original Message -----
From: "Balazs Scheidler" <bazsi@balabit.hu>
To: <zorp@lists.balabit.hu>
Sent: Tuesday, May 03, 2005 5:20 AM
Subject: Re: [zorp] Zorp slows down web page viewing?
> On Mon, 2005-05-02 at 11:29 -0700, Joseph Kim wrote:
>> Hi,
>>
>> I installed Zorp and other necessary modules on Linux 2.4.27. The
>> software I installed is as follows:
>>
>> linux-2.4.27.tar.gz
>> zorp_2.0.9.tar.gz
>> libzorpll_2.0.26.24.tar.gz
>> cttproxy-2.4.27-1.2.1.tar.gz
>> iptables-1.2.7a.tar
>> bridge-utils-1.0.4.tar
>>
>> I connected a client pc to one ethernet interface, and the other
>> interface to the internet gateway router.
>> And from the client pc, I'm able to view the web pages through the
>> linux machine that has Zorp installed.
>> But, for some reason it is very slow. I compared the speed between the
>> pure bridge mode and Zorp. And, it appears that going through Zorp is
>> almost 10 times slower than with pure bridge mode.
>>
>> Did I install wrong? Wrong version? Or, have I configured Zorp wrong?
>> I would appreciate any help.
>
> What do you mean slow? Zorp surely adds some latency but for a single PC
> this change should not be noticeable.
>
> It is possible that there are some problems with PMTU, ECN or MSS. Those
> might cause connection hangups. Can you post your configuration?
>
> --
> Bazsi
>