From: "Brent Wiese"
To: "'Lay Tay'", freebsd-questions@freebsd.org
Date: Mon, 8 Sep 2003 16:32:49 -0700
Subject: RE: Slow SSH authentication with ipfw
Message-Id: <20030908233241.MROJ28680.fed1mtao06.cox.net@SAMBA>
List-Id: User questions

In my experience, this is almost always a DNS resolving issue. You have the rule for DNS though... Do you have an internal DNS resolver you could set in your resolv.conf? Take the firewall out of the picture?

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Lay Tay
> Sent: Monday, September 08, 2003 3:50 PM
> To: freebsd-questions@FreeBSD.ORG
>
> Hello,
>
> I've configured a FreeBSD v4.8 STABLE system on an HP Vectra machine
> (Pentium III 850 with 256MB RAM) as a firewall/router. I then have another
> similar machine set up internally with the SSH service started (OpenSSH on a
> SuSE 8.1 Linux).
>
> Everything worked fine except that I noticed the ssh connection takes a very
> long time. When I use PuTTY or WinSCP on a Windows machine to connect to
> my internal machine, the authentication takes a very long time. WinSCP
> will always time out on the first try; when I hit "retry", the
> authentication goes through.
>
> This does not happen if I insert a "pass everything" rule in ipfw.
>
> I suspect my firewall rules have something to do with it. Can someone check
> and see if I'm doing something wrong? Thanks.
>
> Here's an extract from my rc.firewall:
>
> internalip="xxx.xxx.xxx.xxx"
> externalip="xxx.xxx.xxx.xxx"
>
> # Stateful packet inspection
> ${fwcmd} add check-state
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow incoming HTTP request
> ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
> ${fwcmd} add pass tcp from any to ${externalip} 80 setup
>
> # Allow incoming SSH connection
> ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state
>
> # Allow incoming FTP connections - Active Connection only
> ${fwcmd} add pass tcp from any to ${internalip} 21
> ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535
>
> # Allow setup of incoming email
> ${fwcmd} add pass tcp from any to ${internalip} 25 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${internalip} to any setup
> ${fwcmd} add pass tcp from ${externalip} to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any to any 53 keep-state
> ${fwcmd} add pass tcp from any to any 53 keep-state
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
> ;;
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
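Editor's note with an added example (not part of the thread above, and not FreeBSD project code). "Take the firewall out of the picture" confirms the firewall is involved but does not say which packet is being dropped. A less blunt way to get that answer is to keep the ruleset, enable net.inet.ip.fw.verbose, and add a logging deny just before the default rule (for example `ipfw add 65000 deny log all from any to any`), then read the drops ipfw writes to syslog (/var/log/security on a default FreeBSD install). The quoted extract passes UDP and TCP port 53 statefully but has no rule for ICMP and none for ident (TCP 113), so anything of that kind falls through to the default rule and is silently dropped rather than rejected; silent drops are exactly what produce long pauses followed by success on retry. The script below parses ipfw syslog lines, collapses ephemeral client ports so drops group by service, and flags the usual suspects for slow logins. Assumptions: the line layout is the FreeBSD 4.x-era `ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] in|out via <iface>` format as the editor recalls it, the SUSPECTS table is the editor's own heuristic, and the addresses in SAMPLE_LOG are constructed from documentation ranges (not the poster's masked IPs).

```python
import re
from collections import Counter

# FreeBSD 4.x-era ipfw syslog line layout (assumed; see lead-in), e.g.
#   Sep  8 16:30:12 fw /kernel: ipfw: 65000 Deny UDP 192.0.2.53:53 198.51.100.10:1033 in via fxp0
#   Sep  8 16:30:19 fw /kernel: ipfw: 65000 Deny ICMP:3.4 192.0.2.1 198.51.100.10 in via fxp0
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::(?P<icmp>[\d.]+))? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Editor's heuristic table of drops that commonly turn into login delays.
# Key: (protocol, well-known port); None means "any port" (used for ICMP).
SUSPECTS = {
    ("UDP", 53): "DNS blocked: a reverse lookup by the server will time out",
    ("TCP", 53): "DNS over TCP blocked: large replies fall back to TCP",
    ("TCP", 113): "ident (auth) blocked: silent drop means the caller waits for a timeout",
    ("ICMP", None): "ICMP blocked: unreachables and PMTU discovery are lost",
}

# Constructed sample of syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Sep  8 16:30:12 fw /kernel: ipfw: 65000 Deny UDP 192.0.2.53:53 198.51.100.10:1033 in via fxp0
Sep  8 16:30:17 fw /kernel: ipfw: 65000 Deny UDP 192.0.2.53:53 198.51.100.10:1034 in via fxp0
Sep  8 16:30:18 fw /kernel: ipfw: 65000 Deny TCP 203.0.113.5:3456 198.51.100.10:113 in via fxp0
Sep  8 16:30:19 fw /kernel: ipfw: 65000 Deny ICMP:3.4 192.0.2.1 198.51.100.10 in via fxp0
Sep  8 16:30:20 fw /kernel: ipfw: 300 Accept TCP 203.0.113.5:3457 198.51.100.10:22 in via fxp0
Sep  8 16:30:21 fw /kernel: ipfw: 65000 Deny UDP 198.51.100.10:138 198.51.100.255:138 out via fxp1
""".splitlines()


def parse_line(line):
    """Parse one ipfw syslog line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "rule": int(d["rule"]), "action": d["action"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        "dir": d["dir"], "iface": d["iface"],
    }


def _svc(port):
    # Collapse ephemeral (>= 1024) client ports to None so flows group by service.
    return port if port is not None and port < 1024 else None


def summarize_denies(lines):
    """Count denied flows keyed by (proto, service src port, service dst port, direction)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            counts[(rec["proto"], _svc(rec["sport"]), _svc(rec["dport"]), rec["dir"])] += 1
    return counts


def classify(proto, sport, dport):
    """Return the SUSPECTS note matching either port of a grouped flow, else None."""
    if proto == "ICMP":
        return SUSPECTS[("ICMP", None)]
    for port in (sport, dport):
        note = SUSPECTS.get((proto, port))
        if note:
            return note
    return None


def diagnose(lines):
    """Human-readable findings for the suspicious drops, most frequent first."""
    findings = []
    for (proto, sport, dport, direction), n in summarize_denies(lines).most_common():
        note = classify(proto, sport, dport)
        if note:
            s = "*" if sport is None else sport
            d = "*" if dport is None else dport
            findings.append(f"{n}x {proto} {s}->{d} {direction}: {note}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```

Run it against the real /var/log/security once the logging deny has been in place for a couple of slow logins; a pile of dropped UDP source-port-53 packets or ICMP confirms Brent's DNS theory, while a clean log points at the resolver on the SSH server itself rather than at ipfw. On the server side, OpenSSH releases that support the `UseDNS no` sshd_config option let you skip the reverse lookup entirely, which removes the delay regardless of what the firewall does to DNS.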