From: Bill Moran
Organization: Potential Technology
To: RJ45
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: STRANGE delay using NAT
Date: Mon, 24 Sep 2001 07:34:53 -0400
Message-Id: <01092407345303.00641@proxy.the-i-pa.com>

On Monday 24 September 2001 03:41, RJ45 wrote:
> thank you this looks possible true...
> any hints you could have to solve this problem??
> thanks

You could check the settings for ssh and see if you can turn off DNS checking (which may reduce the security of the connection). I don't know if ssh will let you do this or not.

Another option is to tweak your /etc/hosts file to have a record in there that resolves quickly and make sure your resolve order has files first.

I don't know if either of these will work - I haven't tried either of them, but they're possibilities. Keep in mind that I'm not even sure if what I suggest is really the problem; it's just a theory.

> On Sun, 23 Sep 2001, Bill Moran wrote:
> > RJ45 wrote:
> > > when I ssh x.y.z.v it takes around 3 minutes before prompting me for
> > > the password. If I instead ssh x.y.z.w (the gateway) and then ssh
> > > 10.0.0.1 it takes around 5 seconds.
> > > How come the response time with NAT is soooo damn slow ??
> > > Is there a way to fix the problem ??
> > > The problem is only in the first ssh authentication step; when SSH
> > > communication is established the connection looks fast.
> >
> > Usually, this kind of thing indicates a DNS problem. Most secure stuff
> > (like ssh) will do a reverse DNS lookup to verify the IP is not spoofed
> > and put the data in the logs. Three minutes is about the time it takes
> > to time out if nobody is providing reverse lookup information.
> > I don't know the ssh suite of protocols that well, but here's my guess:
> > ssh wants a reverse lookup before you log in (to help prevent spoofing
> > and man-in-the-middle attacks). When you go from a machine to proxy, the
> > reverse lookup for the proxy happens quickly, then you ssh from proxy to
> > 10.0.0.1 and the _proxy_ does the reverse lookup and succeeds.
> > However, when you ssh directly through the proxy to 10.0.0.1, your
> > machine is trying to do a reverse lookup for 10.0.0.1 - but that's not a
> > real Internet address, and no DNS servers on the Internet are going to
> > resolve it. So, after waiting 3 minutes, it gives up and lets you
> > connect anyway.
> >
> > This is just a guess. It assumes that the sshd process will be sending
> > the IP addy back as part of the ssh protocol - I don't know if that's the
> > case or not. But the whole 3 minute thing sounds a lot like DNS
> > timeouts.

-- 
Bill Moran
Potential Technology technical services
(412) 793-4257
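A way to check the theory above on the client before touching ssh, added here as an illustration and not code from the thread: it flags whether the target is an RFC 1918 address that public DNS will never reverse-map, and whether a local hosts entry with a files-first lookup order would short-circuit the lookup. It assumes a FreeBSD 4-style /etc/host.conf ("hosts" and "bind" lines) and takes file paths as parameters so it runs against constructed samples.

```shell
# Added diagnostic, not from the thread: is the ssh target an RFC 1918 address
# public DNS will never reverse-map, and does a local hosts file name it ahead of
# DNS? Assumes FreeBSD 4-style /etc/host.conf ("hosts"/"bind"); paths are params.

# is_private_ipv4 ADDR -> prints "private" (RFC 1918) or "public"
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;
    esac
}

# hosts_name_for HOSTSFILE ADDR -> first hostname mapped to ADDR, or "none"
hosts_name_for() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                      # strip comments, re-split fields
        $1 == ip { print $2; found = 1; exit }  # first matching entry wins
        END { if (!found) print "none" }' "$1"
}

# files_first HOSTCONF -> "yes" if "hosts" is listed before "bind", else "no"
files_first() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "hosts" && !bind { print "yes"; ok = 1; exit }
        $1 == "bind" { bind = 1 }
        END { if (!ok) print "no" }' "$1"
}

# diagnose HOSTSFILE HOSTCONF ADDR -> one-line verdict on the reverse lookup
diagnose() {
    name=$(hosts_name_for "$1" "$3")
    if [ "$(is_private_ipv4 "$3")" = public ]; then
        echo "ok: $3 is a public address, reverse DNS should answer"
    elif [ "$name" = none ]; then
        echo "slow: $3 is private with no hosts entry, reverse DNS will time out"
    elif [ "$(files_first "$2")" = no ]; then
        echo "slow: $3 is $name locally but DNS is consulted before the hosts file"
    else
        echo "ok: $3 resolves locally as $name"
    fi
}

# Constructed samples standing in for /etc/hosts and /etc/host.conf.
tmp=$(mktemp -d)
printf '127.0.0.1 localhost\n10.0.0.1 internal.example  # behind NAT\n' > "$tmp/hosts"
printf '127.0.0.1 localhost\n' > "$tmp/hosts.bare"
printf '# lookup order\nhosts\nbind\n' > "$tmp/host.conf"
printf 'bind\nhosts\n' > "$tmp/host.conf.dnsfirst"
```

Run `diagnose "$tmp/hosts" "$tmp/host.conf" 10.0.0.1` against the samples, or point the three arguments at the real /etc/hosts, /etc/host.conf and the address you ssh to.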