Date: Mon, 8 Sep 2003 15:50:00 -0700
From: Lay Tay <LTay@certicom.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: Slow SSH authentication with ipfw
Message-ID: <OF0560BA4C.0FB3CE13-ON85256D9B.007CF45F-88256D9B.007DBE7F@certicom.com>
Hello,

I've configured a FreeBSD v4.8 STABLE system on a HP Vectra machine (Pentium III 850 with 256MB RAM) as a firewall/router. I then have another similar machine set up internally with SSH service started (OpenSSH on a SuSE 8.1 Linux). Everything worked fine except that I noticed the ssh connection takes a very long time. When I use PuTTY or WinSCP on a Windows machine to connect to my internal machine, the authentication takes a very long time. WinSCP will always time out on the first try; when I hit "retry", the authentication goes through. This does not happen if I insert a "pass everything" rule in ipfw. I suspect my firewall rules have something to do with it. Can someone check and see if I'm doing something wrong? Thanks.

Here's an extract from my rc.firewall:

    internalip="xxx.xxx.xxx.xxx"
    externalip="xxx.xxx.xxx.xxx"

    # Stateful packet inspection
    ${fwcmd} add check-state

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow incoming HTTP request
    ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
    ${fwcmd} add pass tcp from any to ${externalip} 80 setup

    # Allow incoming SSH connection
    ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state

    # Allow incoming FTP connections - Active Connection only
    ${fwcmd} add pass tcp from any to ${internalip} 21
    ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${internalip} 25 setup

    # Allow setup of outgoing TCP connections only
    ${fwcmd} add pass tcp from ${internalip} to any setup
    ${fwcmd} add pass tcp from ${externalip} to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any to any 53 keep-state
    ${fwcmd} add pass tcp from any to any 53 keep-state

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Disallow setup of all other TCP connections
    ${fwcmd} add deny tcp from any to any setup
    ;;
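Added example, not from the poster or from FreeBSD: a small first-match simulator for the ruleset quoted above, so a reader can trace which rule a given packet hits and which flows get a dynamic entry before changing anything. The addresses are constructed stand-ins for the masked internalip/externalip, and the model covers only the setup, established, keep-state/check-state and frag options that appear in the extract.

```python
ANY = "any"
INTERNAL = "10.0.0.5"    # constructed stand-in for the poster's internalip
EXTERNAL = "192.0.2.10"  # constructed stand-in for the poster's externalip
# (action, proto, src, sport, dst, dport, option) per rule of the extract, in order,
# because ipfw stops at the first matching rule.
RULES = [
    ("check-state", None, None, None, None, None, None),
    ("pass", "tcp", ANY, ANY, ANY, ANY, "established"),
    ("pass", "tcp", ANY, ANY, INTERNAL, 8080, "setup"),
    ("pass", "tcp", ANY, ANY, EXTERNAL, 80, "setup"),
    ("pass", "tcp", ANY, ANY, INTERNAL, 22, "keep-state"),
    ("pass", "tcp", ANY, ANY, INTERNAL, 21, None),
    ("pass", "tcp", INTERNAL, 20, ANY, range(1024, 65536), None),
    ("pass", "tcp", ANY, ANY, INTERNAL, 25, "setup"),
    ("pass", "tcp", INTERNAL, ANY, ANY, ANY, "setup"),
    ("pass", "tcp", EXTERNAL, ANY, ANY, ANY, "setup"),
    ("pass", "udp", ANY, ANY, ANY, 53, "keep-state"),
    ("pass", "tcp", ANY, ANY, ANY, 53, "keep-state"),
    ("pass", "all", ANY, ANY, ANY, ANY, "frag"),
    ("deny", "tcp", ANY, ANY, ANY, ANY, "setup"),
]

def _match(pattern, value):  # "any", a port range, or an exact address/port
    return pattern == ANY or (value in pattern if isinstance(pattern, range) else pattern == value)

def evaluate(pkt, state):
    """First-match walk over RULES; returns (rule number, action). pkt: dict with proto,
    src, sport, dst, dport, flags (set of TCP flag names) and frag (True for a non-first
    fragment). state: set of dynamic-rule keys, extended on keep-state as ipfw does."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    flags = pkt.get("flags", set())
    for num, (action, proto, src, sport, dst, dport, opt) in enumerate(RULES, 1):
        if action == "check-state":  # a dynamic rule matches either direction of the flow
            if key in state or reverse in state:
                return num, "pass"
            continue
        if proto != "all" and proto != pkt["proto"]:
            continue
        if not all(_match(p, v) for p, v in zip((src, sport, dst, dport), key[1:])):
            continue
        if opt == "setup" and not ("SYN" in flags and "ACK" not in flags):
            continue  # setup: SYN set, ACK clear
        if opt == "established" and not (flags & {"ACK", "RST"}):
            continue  # established: ACK or RST set
        if opt == "frag" and not pkt.get("frag", False):
            continue
        if opt == "keep-state":
            state.add(key)  # remember the flow so check-state passes its replies
        return num, action
    return None, "no rule in the extract matched"
```

Feeding it the SYN of an inbound SSH connection shows the keep-state rule (rule 5) creating the dynamic entry and the server's SYN/ACK then being passed by check-state (rule 1), while any other inbound TCP setup falls through to the final deny.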
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OF0560BA4C.0FB3CE13-ON85256D9B.007CF45F-88256D9B.007DBE7F>