Date:      Mon, 15 Sep 2003 11:45:25 -0700
From:      Lay Tay <LTay@certicom.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Slow NAT firewall
Message-ID:  <OF9E4E2FF8.DEE0C3D1-ON85256DA2.0066F11D-88256DA2.00675B85@certicom.com>

Hello,

I've configured a FreeBSD 4.8-STABLE system on an HP Vectra machine
(Pentium III 850 with 256MB RAM) as a firewall/router.  I then have another
similar machine set up internally with the SSH service started (OpenSSH on
SuSE 8.1 Linux).

Everything worked fine except that I noticed SSH connections take a very
long time.  When I use PuTTY or WinSCP on a Windows machine to connect to
my internal machine, the authentication takes a very long time.  WinSCP
will always time out on the first try; when I hit "retry", the
authentication goes through.

This does not happen if I insert a "pass everything" rule in ipfw.

I suspect my firewall rules have something to do with it.  Can someone check
and see if I'm doing something wrong?  Thanks.

Here's an extract from my rc.firewall:

internalip="xxx.xxx.xxx.xxx"
externalip="xxx.xxx.xxx.xxx"

# Stateful packet inspection
${fwcmd} add check-state

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow incoming HTTP request
${fwcmd} add pass tcp from any to ${internalip} 8080 setup
${fwcmd} add pass tcp from any to ${externalip} 80 setup

# Allow incoming SSH connection
${fwcmd} add pass tcp from any to ${internalip} 22 keep-state

# Allow incoming FTP connections - Active Connection only
${fwcmd} add pass tcp from any to ${internalip} 21
${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${internalip} 25 setup

# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${internalip} to any setup
${fwcmd} add pass tcp from ${externalip} to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any to any 53 keep-state
${fwcmd} add pass tcp from any to any 53 keep-state

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
;;
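The following is an added example, not the poster's code and not ipfw itself: a small first-match simulator for the rule extract above, so you can see which rule each packet of a PuTTY-to-sshd session hits and where the check-state/keep-state pair creates and consults dynamic state. It models only the options that appear in the extract (setup, established, keep-state, check-state); the frag rule and the NAT divert rule are not modelled, and the final "deny ip from any to any" stands in for the kernel's default rule 65535 (an assumption; it is not in the posted extract). All addresses and the packet trace are constructed. The trace also includes a stray ACK with no handshake behind it, which the stateless "pass tcp from any to any established" rule accepts because "established" matches any TCP packet with ACK or RST set; that is a property of that rule worth knowing about, not a claim about what causes the slow logins.

```python
# Added example: first-match walk through the posted ipfw extract. Not the poster's
# code and not ipfw; addresses are constructed from RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Optional

INTERNAL = "192.0.2.10"     # stands in for ${internalip} (constructed)
EXTERNAL = "198.51.100.1"   # stands in for ${externalip} (constructed)
CLIENT = "203.0.113.5"      # the Windows box running PuTTY/WinSCP (constructed)
RESOLVER = "203.0.113.53"   # a DNS server the SSH host talks to (constructed)


@dataclass(frozen=True)
class Pkt:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    text: str                 # the rule as written in rc.firewall
    action: str               # "pass" or "deny"
    proto: str                # "tcp", "udp" or "all"
    src: str                  # address or "any"
    sport: Optional[tuple]    # (lo, hi) port range, None = any
    dst: str
    dport: Optional[tuple]
    opt: Optional[str]        # None, "setup", "established", "keep-state", "check-state"


def port(lo, hi=None):
    return (lo, lo if hi is None else hi)


RULES = [  # same order as the extract; first match wins, as in ipfw
    Rule("add check-state", "pass", "all", "any", None, "any", None, "check-state"),
    Rule("add pass tcp from any to any established", "pass", "tcp", "any", None, "any", None, "established"),
    Rule("add pass tcp from any to ${internalip} 8080 setup", "pass", "tcp", "any", None, INTERNAL, port(8080), "setup"),
    Rule("add pass tcp from any to ${externalip} 80 setup", "pass", "tcp", "any", None, EXTERNAL, port(80), "setup"),
    Rule("add pass tcp from any to ${internalip} 22 keep-state", "pass", "tcp", "any", None, INTERNAL, port(22), "keep-state"),
    Rule("add pass tcp from any to ${internalip} 21", "pass", "tcp", "any", None, INTERNAL, port(21), None),
    Rule("add pass tcp from ${internalip} 20 to any 1024-65535", "pass", "tcp", INTERNAL, port(20), "any", port(1024, 65535), None),
    Rule("add pass tcp from any to ${internalip} 25 setup", "pass", "tcp", "any", None, INTERNAL, port(25), "setup"),
    Rule("add pass tcp from ${internalip} to any setup", "pass", "tcp", INTERNAL, None, "any", None, "setup"),
    Rule("add pass tcp from ${externalip} to any setup", "pass", "tcp", EXTERNAL, None, "any", None, "setup"),
    Rule("add pass udp from any to any 53 keep-state", "pass", "udp", "any", None, "any", port(53), "keep-state"),
    Rule("add pass tcp from any to any 53 keep-state", "pass", "tcp", "any", None, "any", port(53), "keep-state"),
    # "pass all from any to any frag" is skipped: the trace carries no fragments.
    Rule("add deny tcp from any to any setup", "deny", "tcp", "any", None, "any", None, "setup"),
    Rule("(assumed kernel default rule 65535: deny ip from any to any)", "deny", "all", "any", None, "any", None, None),
]


def static_match(r: Rule, p: Pkt) -> bool:
    """Stateless part of ipfw matching: proto, addresses, ports, setup/established."""
    if r.proto != "all" and r.proto != p.proto:
        return False
    if r.src != "any" and r.src != p.src or r.dst != "any" and r.dst != p.dst:
        return False
    for rng, val in ((r.sport, p.sport), (r.dport, p.dport)):
        if rng is not None and not rng[0] <= val <= rng[1]:
            return False
    if r.opt == "setup":          # SYN without ACK: a new connection attempt
        return "SYN" in p.flags and "ACK" not in p.flags
    if r.opt == "established":    # ipfw: any TCP packet with ACK or RST set
        return bool(p.flags & {"ACK", "RST"})
    return True


def flow_key(p: Pkt):
    """Direction-independent 5-tuple, the key of a dynamic (keep-state) rule."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Firewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()

    def process(self, p: Pkt):
        """Return (verdict, explanation) for the first rule that matches p."""
        for r in self.rules:
            if r.opt == "check-state":
                if flow_key(p) in self.state:
                    return "pass", r.text + " (dynamic rule hit)"
                continue
            if not static_match(r, p):
                continue
            if r.opt == "keep-state":
                self.state.add(flow_key(p))   # install the dynamic rule
            return r.action, r.text
        raise AssertionError("unreachable: the default rule matches everything")


def ssh_session_trace():
    """Constructed trace: PuTTY handshake, a DNS lookup by the SSH host, two probes."""
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return [
        ("client SYN to sshd", Pkt("tcp", CLIENT, 51000, INTERNAL, 22, S)),
        ("sshd SYN/ACK back", Pkt("tcp", INTERNAL, 22, CLIENT, 51000, SA)),
        ("client ACK, handshake done", Pkt("tcp", CLIENT, 51000, INTERNAL, 22, A)),
        ("sshd DNS query", Pkt("udp", INTERNAL, 40000, RESOLVER, 53)),
        ("resolver reply", Pkt("udp", RESOLVER, 53, INTERNAL, 40000)),
        ("stray ACK to 8080, no handshake", Pkt("tcp", "203.0.113.99", 4444, INTERNAL, 8080, A)),
        ("stray SYN to 3306", Pkt("tcp", "203.0.113.99", 4445, INTERNAL, 3306, S)),
    ]


def run(trace=None):
    fw = Firewall(RULES)
    return [(label, *fw.process(p)) for label, p in (trace or ssh_session_trace())]


if __name__ == "__main__":
    for label, verdict, why in run():
        print(f"{verdict:4}  {label:34}  <- {why}")
```

Run it as-is to see the handshake's SYN hit the port-22 keep-state rule and the SYN/ACK and ACK hit check-state through the dynamic entry; then reorder or drop rules in RULES (for instance remove the "established" rule) and rerun to see which packets change verdict.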


