Message-ID: <3E675B1D.50605@tcoip.com.br>
Date: Thu, 06 Mar 2003 11:28:45 -0300
From: "Daniel C. Sobral"
To: leafy
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: IPFILTER broken as of world/kernel a few hours old
References: <20030305062725.GA679@leafy.idv.tw>
In-Reply-To: <20030305062725.GA679@leafy.idv.tw>

leafy wrote:
> With IPFILTER enabled in the kernel, all socket(2) calls
> inbound/outbound are very slow. A normal SSH connection within the
> same subnet takes 5 minutes to connect. Anything I can provide to pin
> down the problem?

Are you sure _all_ socket calls are slow? 5.0-R had reverse resolution
for sshd (which happened no matter what the configuration said) run
inside chrooted /var/empty, so if no /var/empty/etc/resolv.conf,
nsswitch.conf, hosts, etc, existed, it would look up 127.0.0.1 (you can
tcpdump -ni lo0 on the server to see if it does that when a new ssh
connection arrives).
If blackhole or firewall was used, no answer would be returned to this
DNS request, and the ssh login would lag for a long time.

BTW, what font are you using? When on FreeBSD, with Mozilla, your
messages are all but unreadable.

-- 
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
        Daniel.Sobral@tcoip.com.br
        dcs@tcoip.com.br
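An added example, not part of the original message: a filter for the text output of the `tcpdump -ni lo0` check suggested above, listing loopback DNS queries that never receive a reply. It assumes the lookups show up as queries to 127.0.0.1 port 53 in tcpdump's one-line DNS format; the function names and the sample capture (a documentation address) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `tcpdump -ni lo0` text output on stdin and prints
# every DNS query sent to 127.0.0.1:53 that got no response, with the
# number of times it was sent.
unanswered_lo0_dns() {
    awk '
    {
        # Find the "src > dst:" triple; its position depends on whether
        # this tcpdump version prints a protocol token after the timestamp.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
        id = $(i + 2); sub(/[^0-9].*$/, "", id)   # "4242+" -> "4242"
        if (id == "") next                        # not a DNS line
        if (dst == "127.0.0.1.53") {
            # Query to the loopback resolver address. A retry sent from
            # the same port with the same id counts as the same query.
            key = src " " id
            if (!(key in name)) order[++n] = key
            name[key] = $(i + 4)
            tries[key]++
        } else if (src == "127.0.0.1.53") {
            # Response: same id, addressed back to the querying port.
            answered[dst " " id] = 1
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            if (!(k in answered)) print name[k], "tries=" tries[k]
        }
    }'
}

# Constructed sample capture: one PTR query retried with no reply,
# and one query that is answered.
sample_capture() {
    cat <<'EOF'
11:28:45.100000 IP 127.0.0.1.49152 > 127.0.0.1.53: 4242+ PTR? 10.2.0.192.in-addr.arpa. (41)
11:28:50.100000 IP 127.0.0.1.49152 > 127.0.0.1.53: 4242+ PTR? 10.2.0.192.in-addr.arpa. (41)
11:29:00.100000 IP 127.0.0.1.49153 > 127.0.0.1.53: 4243+ PTR? 11.2.0.192.in-addr.arpa. (41)
11:29:00.100400 IP 127.0.0.1.53 > 127.0.0.1.49153: 4243 NXDomain 0/1/0 (98)
EOF
}

sample_capture | unanswered_lo0_dns
```

On a live server the equivalent is `tcpdump -l -ni lo0 port 53 | unanswered_lo0_dns`, stopped with Ctrl-C after a test login; repeated unanswered PTR queries during the login delay point at the resolver rather than at the packet filter.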