Slow SSH authentication with ipfw
Brent Wiese
brently at bjwcs.com
Mon Sep 8 16:32:46 PDT 2003
In my experience, this is almost always a DNS resolving issue. You have the
rule for DNS though...
Do you have an internal DNS resolver you could set in your resolv.conf? Take
the firewall out of the picture?
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Lay Tay
> Sent: Monday, September 08, 2003 3:50 PM
> To: freebsd-questions at FreeBSD.ORG
>
> Hello,
>
> I've configured a FreeBSD v4.8 STABLE system on a HP Vectra machine
> (Pentium III 850 with 256MB RAM) as a firewall/router. I then have another
> similar machine set up internally with SSH service started (OpenSSH on a
> SuSE 8.1 Linux).
>
> Everything worked fine except that I noticed the ssh connection takes a
> very long time. When I use PuTTY or WinSCP on a Windows machine to connect
> to my internal machine, the authentication takes a very long time. WinSCP
> will always time out on the first try; when I hit "retry", the
> authentication goes through.
>
> This does not happen if I insert a "pass everything" rule in ipfw.
>
> I suspect my firewall rules have something to do with it. Can someone
> check and see if I'm doing something wrong? Thanks.
>
> Here's an extract from my rc.firewall:
>
> internalip="xxx.xxx.xxx.xxx"
> externalip="xxx.xxx.xxx.xxx"
>
> # Stateful packet inspection
> ${fwcmd} add check-state
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow incoming HTTP request
> ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
> ${fwcmd} add pass tcp from any to ${externalip} 80 setup
>
> # Allow incoming SSH connection
> ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state
>
> # Allow incoming FTP connections - Active Connection only
> ${fwcmd} add pass tcp from any to ${internalip} 21
> ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535
>
> # Allow setup of incoming email
> ${fwcmd} add pass tcp from any to ${internalip} 25 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${internalip} to any setup
> ${fwcmd} add pass tcp from ${externalip} to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any to any 53 keep-state
> ${fwcmd} add pass tcp from any to any 53 keep-state
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
> ;;
>
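As an added illustration of the diagnosis in the reply above (example code, not part of either message in the thread), the script below times a reverse DNS lookup with a hard deadline, which is the step an SSH daemon performs on the connecting client's address before authentication proceeds. When the resolver's query or the answer to it never makes it through the firewall, the lookup blocks until the resolver's own retry timer expires, and the client sees exactly the "hangs, then works on retry" behaviour described. `timed_reverse_lookup` wraps the real `socket.gethostbyaddr`; `make_stalling_resolver` is a constructed stand-in for a resolver whose traffic is silently dropped; `diagnose`, the grace period values and the documentation address 192.0.2.10 are all assumptions made for this example.

```python
import socket
import threading
import time
from typing import Callable, Optional, Tuple

# (status, hostname, seconds waited); status is "ok", "unresolvable" or "timeout"
LookupResult = Tuple[str, Optional[str], float]

# Same shape as socket.gethostbyaddr: ip -> (hostname, aliases, addresses)
Resolver = Callable[[str], Tuple[str, list, list]]


def timed_reverse_lookup(ip: str, deadline: float,
                         resolver: Resolver = socket.gethostbyaddr) -> LookupResult:
    """Run a PTR lookup for `ip` in a daemon thread and stop waiting after `deadline` seconds.

    gethostbyaddr() blocks for as long as the system resolver is willing to wait,
    so the wait is bounded on the thread rather than on the call itself.
    """
    outcome = {}

    def worker():
        try:
            outcome["host"] = resolver(ip)[0]
        except OSError as exc:  # socket.herror and gaierror are OSError subclasses
            outcome["error"] = exc

    thread = threading.Thread(target=worker, daemon=True)
    start = time.monotonic()
    thread.start()
    thread.join(deadline)
    elapsed = time.monotonic() - start
    if thread.is_alive():  # resolver is still waiting: the "hung authentication" case
        return ("timeout", None, elapsed)
    if "error" in outcome:
        return ("unresolvable", None, elapsed)
    return ("ok", outcome["host"], elapsed)


def make_stalling_resolver(delay: float) -> Resolver:
    """Constructed stand-in for a resolver whose query or answer is silently dropped:
    it returns nothing until its own retry timer (`delay`) runs out, then fails."""
    def resolver(ip: str):
        time.sleep(delay)
        raise OSError("resolver gave up waiting for an answer")
    return resolver


def diagnose(result: LookupResult, grace_period: float) -> str:
    """One-line reading of a lookup result against how long the SSH client will wait."""
    status, host, secs = result
    if status == "ok" and secs < grace_period / 10:
        return f"reverse lookup fine ({host!r} in {secs:.2f}s); look elsewhere"
    if status == "timeout":
        return (f"resolver still blocked after {secs:.1f}s: the DNS query or its reply "
                f"is not getting through; check the rules for UDP/TCP 53 and their state")
    return f"lookup finished with {status} after {secs:.2f}s; clients waiting {grace_period}s will notice"


if __name__ == "__main__":
    # Real resolver on the loopback address: normally answered from /etc/hosts at once.
    print(diagnose(timed_reverse_lookup("127.0.0.1", 5.0), grace_period=15.0))
    # Simulated firewall drop: the resolver would sit for 30s; we stop watching after 2s.
    print(diagnose(timed_reverse_lookup("192.0.2.10", 2.0, make_stalling_resolver(30.0)),
                   grace_period=15.0))
```

Run it on the SSH server itself with the address of a client that is slow to authenticate: a result of "timeout" points at the resolver path (and, behind it, the firewall's handling of port 53 traffic in both directions) rather than at sshd. On current OpenSSH releases, `UseDNS no` in sshd_config takes the reverse lookup out of the authentication path altogether, which is a reasonable mitigation once the lookup is confirmed as the cause.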