Date:      Mon, 8 Sep 2003 16:32:49 -0700
From:      "Brent Wiese" <brently@bjwcs.com>
To:        "'Lay Tay'" <LTay@certicom.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Slow SSH authentication with ipfw
Message-ID:  <20030908233241.MROJ28680.fed1mtao06.cox.net@SAMBA>
In-Reply-To: <OF0560BA4C.0FB3CE13-ON85256D9B.007CF45F-88256D9B.007DBE7F@certicom.com>

In my experience, this is almost always a DNS resolving issue. You have the
rule for DNS though...

Do you have an internal DNS resolver you could set in your resolv.conf? Take
the firewall out of the picture?

>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Lay Tay
> Sent: Monday, September 08, 2003 3:50 PM
> To: freebsd-questions@FreeBSD.ORG
>
> Hello,
>
> I've configured a FreeBSD v4.8 STABLE system on a HP Vectra machine
> (Pentium III 850 with 256MB RAM) as a firewall/router.  I then have another
> similar machine set up internally with SSH service started (OpenSSH on a
> SuSE 8.1 Linux).
>
> Everything worked fine except that I noticed the ssh connection takes a very
> long time.  When I use PUTTY or WinSCP on a Windows machine to connect to
> my internal machine, the authentication takes a very long time.  WinSCP
> will always timeout on the first try; when I hit "retry", the
> authentication goes through.
>
> This does not happen if I insert a "pass everything" rule in ipfw.
>
> I suspect my firewall rules have something to do with it.  Can someone check
> and see if I'm doing something wrong?  Thanks.
>
> Here's an extract from my rc.firewall:
>
> internalip="xxx.xxx.xxx.xxx"
> externalip="xxx.xxx.xxx.xxx"
>
> # Stateful packet inspection
> ${fwcmd} add check-state
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow incoming HTTP request
> ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
> ${fwcmd} add pass tcp from any to ${externalip} 80 setup
>
> # Allow incoming SSH connection
> ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state
>
> # Allow incoming FTP connections - Active Connection only
> ${fwcmd} add pass tcp from any to ${internalip} 21
> ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535
>
> # Allow setup of incoming email
> ${fwcmd} add pass tcp from any to ${internalip} 25 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${internalip} to any setup
> ${fwcmd} add pass tcp from ${externalip} to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any to any 53 keep-state
> ${fwcmd} add pass tcp from any to any 53 keep-state
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
> ;;
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
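The check behind "You have the rule for DNS though..." is whether the quoted rules admit not just the outgoing DNS query but also the reply coming back, which in ipfw depends on the `keep-state` on the rule and the `check-state` ahead of it. The following is an added example, not code from either message in this thread: a small Python model of ipfw's first-match evaluation with dynamic rules, fed the rule set Lay Tay posted. It replays a UDP query from the internal host to a resolver and the resolver's reply, once with the rules as quoted and once with `keep-state` removed from the DNS rules, and reports which rule decided each packet. Addresses are constructed (RFC 5737 ranges), the firewall variables are filled in with those constructed values, fragments and RST-based `established` matches are not modelled, and the fall-through verdict assumes a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT (FreeBSD's default, so the last rule is 65535 deny). It says nothing about what was actually slow on the poster's network; it only shows what the quoted rules do with a DNS round trip.

```python
# Added example (not code from the list post): a model of ipfw's first-match
# evaluation with check-state / keep-state, replaying the quoted rc.firewall
# rules against a DNS query and its reply.
import re
from collections import namedtuple
from string import Template

# syn/ack are TCP flags and are ignored for udp
Packet = namedtuple("Packet", "proto src sport dst dport syn ack", defaults=(False, False))


class Rule:
    """One ipfw rule, in the subset of syntax the quoted rc.firewall uses."""

    def __init__(self, text):
        self.text, toks = text, text.split()
        self.check_state = toks == ["check-state"]
        if self.check_state:
            return
        self.action, self.proto = toks[0], toks[1]
        rest = toks[2:]                   # from SRC [ports] to DST [ports] opts...
        to = rest.index("to")
        self.src, self.sports = rest[1], self._ports(rest[2:to])
        self.dst, opts = rest[to + 1], rest[to + 2:]
        port_toks = [t for t in opts if re.fullmatch(r"\d+(-\d+)?", t)]
        self.dports = self._ports(port_toks)
        self.opts = set(opts) - set(port_toks)

    @staticmethod
    def _ports(toks):
        if not toks:
            return None                   # no port restriction
        lo, _, hi = toks[0].partition("-")
        return range(int(lo), int(hi or lo) + 1)

    def matches(self, p):
        if self.proto not in ("all", p.proto):
            return False
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if "setup" in self.opts and not (p.syn and not p.ack):
            return False                  # setup = SYN without ACK
        if "established" in self.opts and not p.ack:
            return False                  # real ipfw also matches RST; not modelled
        return "frag" not in self.opts    # fragments are not modelled


class Ipfw:
    def __init__(self, rules, variables):
        # ${internalip} / ${externalip} are filled in like the shell would
        self.rules = [Rule(Template(r).substitute(variables)) for r in rules]
        self.state = set()                # dynamic rules, keyed by 5-tuple

    def evaluate(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if r.check_state:
                if fwd in self.state or rev in self.state:
                    return "pass (dynamic rule)"
                continue
            if r.matches(p):
                if r.action == "pass" and "keep-state" in r.opts:
                    self.state.add(fwd)   # keep-state records the flow
                return "%s (%s)" % (r.action, r.text)
        # Assumes a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT (FreeBSD's default).
        return "deny (default rule 65535)"


PAGE_RULES = [                            # the rules quoted in the thread, in order
    "check-state",
    "pass tcp from any to any established",
    "pass tcp from any to ${internalip} 8080 setup",
    "pass tcp from any to ${externalip} 80 setup",
    "pass tcp from any to ${internalip} 22 keep-state",
    "pass tcp from any to ${internalip} 21",
    "pass tcp from ${internalip} 20 to any 1024-65535",
    "pass tcp from any to ${internalip} 25 setup",
    "pass tcp from ${internalip} to any setup",
    "pass tcp from ${externalip} to any setup",
    "pass udp from any to any 53 keep-state",
    "pass tcp from any to any 53 keep-state",
    "pass all from any to any frag",
    "deny tcp from any to any setup",
]
# The same set with keep-state dropped from the DNS rules, for comparison.
STATELESS_DNS_RULES = [r.replace(" 53 keep-state", " 53") for r in PAGE_RULES]
VARS = {"internalip": "192.0.2.10", "externalip": "203.0.113.1"}  # constructed addresses
RESOLVER = "198.51.100.53"                                          # constructed address


def dns_roundtrip(rules):
    """Return (verdict for the query, verdict for the reply) under `rules`."""
    fw = Ipfw(rules, VARS)
    query = Packet("udp", VARS["internalip"], 40123, RESOLVER, 53)
    reply = Packet("udp", RESOLVER, 53, VARS["internalip"], 40123)
    return fw.evaluate(query), fw.evaluate(reply)


if __name__ == "__main__":
    print("as quoted:    ", dns_roundtrip(PAGE_RULES))
    print("stateless DNS:", dns_roundtrip(STATELESS_DNS_RULES))
```

With the rules as quoted, the query is passed by the `udp ... 53 keep-state` rule and the reply by the dynamic rule that `check-state` finds; with `keep-state` removed, the query still leaves but the reply, whose destination port is the ephemeral one, matches nothing and falls through to the default deny. The same `Ipfw` object can be fed the SSH handshake (a SYN to port 22 and the SYN/ACK back) to see the `22 keep-state` rule behave the same way, which is the kind of rule-by-rule reading the reply asks the poster to do before taking the firewall out of the picture.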