From: Bill Moran
Date: Sun, 23 Sep 2001 17:06:02 -0400
To: RJ45
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: STRANGE delay using NAT
Message-ID: <3BAE4EBA.D4EBA2E9@iowna.com>

RJ45 wrote:
> when I ssh x.y.z.v it takes around 3 minutes before prompting me for the
> password. If I instead ssh x.y.z.w (the gateway) and then ssh 10.0.0.1
> it takes around 5 seconds.
> How come the response time with NAT is soooo damn slow ??
> Is there a way to fix the problem ??
> The problem is only in the first ssh authentication step, when SSH
> communication is established the connection looks fast.

Usually, this kind of thing indicates a DNS problem. Most secure stuff (like ssh) will do a reverse DNS lookup to verify the IP is not spoofed and put the data in the logs. Three minutes is about the time it takes to time out if nobody is providing reverse lookup information.
I don't know the ssh suite of protocols that well, but here's my guess: ssh wants a reverse lookup before you log in (to help prevent spoofing and man-in-the-middle attacks). When you go from a machine to the proxy, the reverse lookup for the proxy happens quickly; then you ssh from the proxy to 10.0.0.1 and the _proxy_ does the reverse lookup and succeeds. However, when you ssh directly through the proxy to 10.0.0.1, your machine is trying to do a reverse lookup for 10.0.0.1 - but that's not a real Internet address, and no DNS servers on the Internet are going to resolve it. So, after waiting 3 minutes, it gives up and lets you connect anyway.

This is just a guess. It assumes that the sshd process will be sending the IP addy back as part of the ssh protocol - I don't know if that's the case or not. But the whole 3 minute thing sounds a lot like DNS timeouts.

-- 
"Where's the robot to pat you on the back?"