Firewall blocking updates.. very slow speeds

Hello everyone

I recently added a Sophos UTM to my home network, and so far it’s been really easy to set up and use.

The problem I am having right now, however, is that when trying to do updates, they are very, very slow. I’ve also noticed that while I am trying to do updates, there are many connection attempts from outside to my desktop.

Being fairly new to Suse Linux, I did what I had done for the Ubuntu systems I have on my network, and that was to allow them full access to the internet. Outbound, that is. When doing the same for the Suse box, it is now able to connect to the repos, but it is incredibly slow.

Do the Suse repos make some form of connection back to the requesting system, or should it act more like Ubuntu… makes the request and downloads the files?

Is there any way to get the IPs for the Suse repos so I can check them against my firewall log and create a rule if needed? Here is a snippet of the firewall log while I was attempting to do updates:


Code:
--------------------
18:23:23  Default DROP  TCP   129.97.134.71:80    →  192.168.1.108:34157  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:25  Default DROP  TCP   195.135.221.134:80  →  192.168.1.108:41212  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:25  Default DROP  TCP   129.97.134.71:80    →  192.168.1.108:34157  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:26  Default DROP  TCP   195.135.221.134:80  →  192.168.1.108:41212  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:26  Default DROP  TCP   129.97.134.71:80    →  192.168.1.108:34157  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:29  Default DROP  TCP   195.135.221.134:80  →  192.168.1.108:41212  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:29  Default DROP  TCP   129.97.134.71:80    →  192.168.1.108:34157  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:36  Default DROP  TCP   195.135.221.134:80  →  192.168.1.108:41212  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:36  Default DROP  ICMP  192.168.100.2       →  192.168.100.1        len=60 ttl=255 tos=0x00 srcmac=6c:33:a9:33:b7:25 dstmac=f8:1a:67:1:cf:59
18:23:37  Default DROP  TCP   129.97.134.71:80    →  192.168.1.108:34157  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:49  Default DROP  TCP   195.135.221.134:80  →  192.168.1.108:41212  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:49
18:23:51  Default DROP  TCP   129.97.134.71:80    →  192.168.1.108:34157  [RST] len=40 ttl=64 tos=0x00 srcmac=94:de:80:6e:5b:4
--------------------

Thanks in advance!

On 2013-09-03 00:26, bluedalek wrote:
>
> Hello everyone
>
> I recently added a Sophos UTM to my home network, and so far it’s been
> really easy to set up and use.

Sorry, I’m not familiar with that. What is it?

> Do the Suse repos make some form of connection back to the requesting
> system, or should it act more like Ubuntu… makes the request and
> downloads the files.

It is a plain http connection, like a web browser. Sometimes it can be a
plain ftp connection (depends on the mirror), in which case there is a
control connection and a data connection. Depending on ftp being passive
or active mode, the data connection goes from server to client.

Both should be transparent to most firewalls.

> Is there any way to get the IPs for the Suse repos so I can check them
> against my firewall log and create a rule if needed? Here is a snippet
> of the firewall log while I was attempting to do updates:

Very difficult, as the list is dynamic.

The download.opensuse.org address is in fact a redirector which gives
you back the name of one of perhaps a hundred servers across the world.

>
>
> Code:
> --------------------
>
>
>
>
>
>
> Filter:
>
>
>
>
>
> Autoscroll
> Reload
>
>
>
>
>
> 18:23:23
> Default DROP
> TCP
>
>
> 129.97.134.71
> :
> 80
>
>
>
> →
>
>
> 192.168.1.108
> :
> 34157
>
>
>
>

>
> --------------------

Something happened, this is almost unreadable.
What is it supposed to be? :-?


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
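
A way to check whether dropped entries like those in the first post are new inbound connections or replies from servers the client itself contacted over plain http, as an added example that is not part of the original thread. The one-line log layout, the port set, the category names and the final SYN sample line are assumptions made here.

```python
import re
from collections import Counter

# Constructed sample: entries from the first post's log on one line each,
# plus one made-up SYN entry (documentation address) for contrast.
SAMPLE_LOG = """\
18:23:23 Default DROP TCP 129.97.134.71:80 -> 192.168.1.108:34157 [RST] len=40
18:23:25 Default DROP TCP 195.135.221.134:80 -> 192.168.1.108:41212 [RST] len=40
18:23:25 Default DROP TCP 129.97.134.71:80 -> 192.168.1.108:34157 [RST] len=40
18:23:36 Default DROP ICMP 192.168.100.2 -> 192.168.100.1 len=60
18:24:00 Default DROP TCP 203.0.113.5:51000 -> 192.168.1.108:22 [SYN] len=60
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) Default DROP (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: \[(?P<flags>[A-Z ]+)\])?"
)
SERVER_PORTS = {20, 21, 80, 443}   # ftp-data, ftp, http, https
EPHEMERAL_MIN = 1024               # assumed lower bound for client ports


def classify(line):
    """Return a category for one dropped-packet line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    if m["proto"] != "TCP" or m["sport"] is None or m["dport"] is None:
        return "other"
    flags = set((m["flags"] or "").split())
    # A bare SYN is the only packet that opens a new TCP connection.
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connection-attempt"
    # Server port -> client high port: traffic on a connection the client
    # opened; a stateful firewall drops it when no matching state exists.
    if int(m["sport"]) in SERVER_PORTS and int(m["dport"]) >= EPHEMERAL_MIN:
        return "server-reply"
    return "other"


def summarize(log_text):
    """Count dropped packets per (category, source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[(classify(line), m["src"], m["dport"])] += 1
    return counts
```

Calling `summarize(SAMPLE_LOG)` groups the port-80 RST entries as `server-reply` per mirror address and client port, which separates them from any entry that is an actual inbound SYN.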

>> Sorry, I’m not familiar with that. What is it?

See here:
Free Firewall for Home Users | UTM Firewall Home Edition | Sophos

>> It is a plain http connection, like a web browser. Sometimes it can be a
>> plain ftp connection (depends on the mirror), in which case there is a
>> control connection and a data connection. Depending on ftp being passive
>> or active mode, the data connection goes from server to client.

>> Both should be transparent to most firewalls.

Odd… I’ll do an update and see if I can grab a screenshot instead, as it appears that the code I tried to use did not work.