Date: Mon, 8 Sep 2003 16:32:49 -0700
From: "Brent Wiese" <brently@bjwcs.com>
To: "'Lay Tay'" <LTay@certicom.com>, <freebsd-questions@FreeBSD.ORG>
Subject: RE: Slow SSH authentication with ipfw
Message-ID: <20030908233241.MROJ28680.fed1mtao06.cox.net@SAMBA>
In-Reply-To: <OF0560BA4C.0FB3CE13-ON85256D9B.007CF45F-88256D9B.007DBE7F@certicom.com>
In my experience, this is almost always a DNS resolving issue. You have the rule for DNS though... Do you have an internal DNS resolver you could set in your resolv.conf? Take the firewall out of the picture?

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Lay Tay
> Sent: Monday, September 08, 2003 3:50 PM
> To: freebsd-questions@FreeBSD.ORG
>
> Hello,
>
> I've configured a FreeBSD v4.8 STABLE system on an HP Vectra machine (Pentium III 850 with 256MB RAM) as a firewall/router. I then have another similar machine set up internally with SSH service started (OpenSSH on a SuSE 8.1 Linux).
>
> Everything worked fine except that I noticed the ssh connection takes a very long time. When I use PUTTY or WinSCP on a Windows machine to connect to my internal machine, the authentication takes a very long time. WinSCP will always time out on the first try; when I hit "retry", the authentication goes through.
>
> This does not happen if I insert a "pass everything" rule in ipfw.
>
> I suspect my firewall rules have something to do with it. Can someone check and see if I'm doing something wrong? Thanks.
>
> Here's an extract from my rc.firewall:
>
> internalip="xxx.xxx.xxx.xxx"
> externalip="xxx.xxx.xxx.xxx"
>
> # Stateful packet inspection
> ${fwcmd} add check-state
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow incoming HTTP request
> ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
> ${fwcmd} add pass tcp from any to ${externalip} 80 setup
>
> # Allow incoming SSH connection
> ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state
>
> # Allow incoming FTP connections - Active Connection only
> ${fwcmd} add pass tcp from any to ${internalip} 21
> ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535
>
> # Allow setup of incoming email
> ${fwcmd} add pass tcp from any to ${internalip} 25 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${internalip} to any setup
> ${fwcmd} add pass tcp from ${externalip} to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any to any 53 keep-state
> ${fwcmd} add pass tcp from any to any 53 keep-state
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
> ;;
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
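Brent's diagnosis points at name resolution rather than at the ruleset itself. To make that concrete, the following Python script is an added illustration, not code from the thread or from FreeBSD: it is a small first-match simulator for the ipfw subset used in the quoted rc.firewall (pass/deny, setup, established, keep-state, check-state, frag) and walks one SSH login through those rules, including the reverse DNS lookup that sshd typically performs on the connecting address before authentication proceeds. The addresses are constructed stand-ins for the masked `xxx.xxx.xxx.xxx` values, the resolver address is assumed, and the rule semantics are a deliberately simplified reading of ipfw(8), stated in the module docstring.

```python
"""First-match simulator for the ipfw(8) subset in the quoted rc.firewall. Assumed,
simplified semantics (ipfw(8) has the real ones): first match decides; 'setup' = SYN
without ACK; 'established' = ACK or RST; 'keep-state' records a flow and 'check-state'
passes either direction of it; 'frag' = non-first fragment only; unmatched => deny."""
from collections import namedtuple

# Constructed stand-ins for the xxx'd-out addresses in the thread; RESOLVER is assumed.
INTERNAL, EXTERNAL, RESOLVER = "192.0.2.10", "198.51.100.1", "203.0.113.53"

# The rules as quoted in the thread, with the shell variables filled in.
RULES = [l.replace("${internalip}", INTERNAL).replace("${externalip}", EXTERNAL)
         for l in """\
add check-state
add pass tcp from any to any established
add pass tcp from any to ${internalip} 8080 setup
add pass tcp from any to ${externalip} 80 setup
add pass tcp from any to ${internalip} 22 keep-state
add pass tcp from any to ${internalip} 21
add pass tcp from ${internalip} 20 to any 1024-65535
add pass tcp from any to ${internalip} 25 setup
add pass tcp from ${internalip} to any setup
add pass tcp from ${externalip} to any setup
add pass udp from any to any 53 keep-state
add pass tcp from any to any 53 keep-state
add pass all from any to any frag
add deny tcp from any to any setup""".splitlines()]

# syn/ack/rst are TCP flags; frag marks a non-first IP fragment (no ports/flags).
Packet = namedtuple("Packet", "proto src sport dst dport syn ack rst frag",
                    defaults=(False, False, False, False))

def parse_rule(text):
    """Tokenise 'add <action> [<proto> from <src> [port] to <dst> [port] [opts]]'."""
    t = text.split()
    r = {"action": t[1], "sport": "", "dport": "", "opts": set()}
    if t[1] != "check-state":
        r["proto"], i = t[2], 4                # t[3] is 'from'
        r["src"], i = t[i], i + 1
        if t[i] != "to":
            r["sport"], i = t[i], i + 1
        r["dst"], i = t[i + 1], i + 2          # t[i] is 'to'
        if i < len(t) and t[i][0].isdigit():
            r["dport"], i = t[i], i + 1
        r["opts"] = set(t[i:])
    return r

def port_ok(spec, port):
    """'' matches any port, 'N' one port, 'A-B' an inclusive range."""
    lo, _, hi = spec.partition("-")
    return not spec or int(lo) <= port <= int(hi or lo)

class Firewall:
    def __init__(self, rule_texts):
        self.rules = [(t, parse_rule(t)) for t in rule_texts]
        self.state = set()  # dynamic entries as (proto, src, sport, dst, dport)

    def in_state(self, p):
        return ((p.proto, p.src, p.sport, p.dst, p.dport) in self.state
                or (p.proto, p.dst, p.dport, p.src, p.sport) in self.state)

    def matches(self, r, p):
        if r["action"] == "check-state":
            return self.in_state(p)
        if (r["proto"] not in ("all", p.proto) or r["src"] not in ("any", p.src)
                or r["dst"] not in ("any", p.dst)):
            return False
        o = r["opts"]
        if "frag" in o or p.frag:  # simplification: only the 'frag' rule sees fragments
            return "frag" in o and p.frag
        return (port_ok(r["sport"], p.sport) and port_ok(r["dport"], p.dport)
                and ("setup" not in o or (p.syn and not p.ack))
                and ("established" not in o or p.ack or p.rst))

    def decide(self, p):
        """Return (verdict, rule text) from the first matching rule."""
        for text, r in self.rules:
            if self.matches(r, p):
                if "keep-state" in r["opts"]:
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                # Every keep-state rule here is 'pass', so a check-state hit passes.
                return ("deny" if r["action"] == "deny" else "pass"), text
        return "deny", "default deny (rule 65535)"

def trace_ssh_login(client="203.0.113.77"):
    """One SSH login, including sshd's reverse lookup, walked through the rules."""
    fw = Firewall(RULES)
    flow = [
        ("client SYN to sshd", Packet("tcp", client, 40001, INTERNAL, 22, syn=True)),
        ("sshd SYN/ACK back", Packet("tcp", INTERNAL, 22, client, 40001, syn=True, ack=True)),
        ("client ACK, handshake done", Packet("tcp", client, 40001, INTERNAL, 22, ack=True)),
        ("sshd reverse-DNS query", Packet("udp", INTERNAL, 50001, RESOLVER, 53)),
        ("resolver reply", Packet("udp", RESOLVER, 53, INTERNAL, 50001)),
        ("unrelated SYN to port 23", Packet("tcp", client, 40002, INTERNAL, 23, syn=True)),
    ]
    return [(label, *fw.decide(p)) for label, p in flow]

if __name__ == "__main__":
    for label, verdict, rule in trace_ssh_login():
        print(f"{label:28} {verdict:4}  via: {rule}")
```

Run as a script, the trace shows the SSH handshake passing through the `22 keep-state` rule and then `check-state`, the outbound UDP query to port 53 creating its own dynamic entry, and the resolver's reply returning through `check-state`; only the stray SYN to port 23 reaches the final `deny ... setup`. Under this model nothing in the quoted rules drops the lookup or its answer, which is the point Brent makes ("You have the rule for DNS though"), so the next thing to check is what the internal host actually resolves against, and whether a lookup of the client's address answers promptly or times out before sshd continues. Note that the simulator ignores NAT, interface direction and rule numbering, so it is a reasoning aid for this ruleset rather than a substitute for testing on the firewall.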