Re: Getting a quick "connection refused"

MONSOONCAT · ‎2012-04-27

A TCP connection towards an arbitrary high port number (>=1024) on the Netapp seems to return "connection refused" instantly.

By contrast, a connection towards a low port number waits for several minutes, then something times out. I imagine this is related to assisting security etc.

As part of our transition from our previous non-NetApp fileserver, it would be very useful if we could persuade the NetApp to return a quick "connection refused" on a particular low port number. But we cannot see a way to adjust this behaviour (either for a particular low port or for all low ports). Is this possible? If so, could you point us to the relevant documentation, please?

aborzenkov · ‎2012-04-27

This is the first time ever I hear about such behavior. Would be interesting to see

- netstat -an from filer

- network trace for connection to port that is definitely not in LISTEN state in above output; you could generate it on NetApp using pktt tool.

Yes, I confirm it (tested on 8.0.2P4). Interesting. There is undocumented option ip.tcp.limit_rsts which sounds like it could be related; but I suggest you open case with NetApp and update this thread if you get this resolved.

Message was edited by: aborzenkov

MONSOONCAT · ‎2012-04-27

Thanks. We, too, checked it on our NetApp and also on a simulator before I posted my request.

In our context this request is both "low priority" and "now", affecting an external application. If such a control mechanism were available now within the NetApp, this would be the cleanest overall way to handle it. But if it is not available, then we have sketched out a 'not quite as clean' work-around at the application end. (So although the priority of the issue in our overall service-provision is rising as we migrate to the NetApp, our potential work-around will drop the priority of needing to address it within the NetApp.)

So although it is affecting our application, I probably won't raise it with NetApp. (Anyway, the NetApp here is run by a different group; I'll suggest to them that they consider raising the issue, but I suspect the application-level workaround means we won't.)

Meanwhile, if anyone happens to know an option or mechanism in the NetApp that would allow a low port number to return "connection refused", then we'd be pleased to hear about it.

aborzenkov · ‎2012-05-02

After some research - in 8.x ports below 1024 are blocked by explicit firewall rule in low level FreeBSD. These rules are part of read-only root image, so there is no way to change them. Looks like deliberate decision; so the only way to change it (at least, to make it configurable) is to raise issue with NetApp.