From owner-freebsd-questions@FreeBSD.ORG Mon Sep 15 11:49:42 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D95216A4BF for ; Mon, 15 Sep 2003 11:49:42 -0700 (PDT)
Received: from mail.ca.certicom.com (ns.ca.certicom.com [66.48.18.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83F3843FEC for ; Mon, 15 Sep 2003 11:49:37 -0700 (PDT) (envelope-from LTay@certicom.com)
Received: from localhost (storm [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id DBB101072A for ; Mon, 15 Sep 2003 14:49:36 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by localhost (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 02337-68 for ; Mon, 15 Sep 2003 14:49:36 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id AE56A10638 for ; Mon, 15 Sep 2003 14:49:35 -0400 (EDT)
To: freebsd-questions@FreeBSD.ORG
X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
Message-ID:
From: Lay Tay
Date: Mon, 15 Sep 2003 11:45:25 -0700
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.0.1|February 07, 2003) at 09/15/2003 02:45:27 PM
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Subject: Slow NAT firewall
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Sep 2003 18:49:42 -0000

Hello,

I've configured a FreeBSD v4.8 STABLE system on an HP Vectra machine (Pentium III 850 with 256MB RAM) as a firewall/router. I then have another similar machine set up internally with the SSH service started (OpenSSH on a SuSE 8.1 Linux). Everything worked fine except that I noticed the ssh connection takes a very long time.
When I use PuTTY or WinSCP on a Windows machine to connect to my internal machine, the authentication takes a very long time. WinSCP will always time out on the first try; when I hit "retry", the authentication goes through. This does not happen if I insert a "pass everything" rule in ipfw. I suspect my firewall rules have something to do with it. Can someone check and see if I'm doing something wrong? Thanks.

Here's an extract from my rc.firewall:

    internalip="xxx.xxx.xxx.xxx"
    externalip="xxx.xxx.xxx.xxx"

    # Stateful packet inspection
    ${fwcmd} add check-state

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow incoming HTTP request
    ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
    ${fwcmd} add pass tcp from any to ${externalip} 80 setup

    # Allow incoming SSH connection
    ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state

    # Allow incoming FTP connections - Active Connection only
    ${fwcmd} add pass tcp from any to ${internalip} 21
    ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${internalip} 25 setup

    # Allow setup of outgoing TCP connections only
    ${fwcmd} add pass tcp from ${internalip} to any setup
    ${fwcmd} add pass tcp from ${externalip} to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any to any 53 keep-state
    ${fwcmd} add pass tcp from any to any 53 keep-state

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Disallow setup of all other TCP connections
    ${fwcmd} add deny tcp from any to any setup
    ;;
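A first-match trace of the rule extract in the message above, written here as an added example (it is not code from the original post, from FreeBSD or from ipfw): it replays a few constructed packets through the fourteen rules in the order rc.firewall adds them and reports which rule each packet hits. The addresses are constructed stand-ins for the xxx.xxx.xxx.xxx placeholders, and only what the extract shows is modelled (check-state/keep-state, setup, established, frag); the NAT divert rule, ICMP handling and the closing default rule of rc.firewall are not in the extract and are not simulated.

```python
from dataclasses import dataclass

# Constructed addresses standing in for the xxx.xxx.xxx.xxx placeholders.
INTERNAL_IP = "192.0.2.20"      # ${internalip}: the SuSE box running sshd
EXTERNAL_IP = "203.0.113.1"     # ${externalip}: the firewall's outside address
CLIENT = "198.51.100.7"         # constructed: the Windows PuTTY/WinSCP host
OTHER_LAN = "192.0.2.99"        # constructed: a LAN host that is not ${internalip}
ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    frag: bool = False          # non-first IP fragment: no transport header


@dataclass(frozen=True)
class Rule:
    action: str                 # "check-state", "pass" or "deny"
    proto: str = "all"
    src: str = ANY
    sports: tuple = ()          # ((lo, hi), ...); empty means any port
    dst: str = ANY
    dports: tuple = ()
    setup: bool = False         # ipfw 'setup': SYN set, ACK clear
    established: bool = False   # ipfw 'established': ACK or RST set
    frag: bool = False          # ipfw 'frag': non-first fragments only
    keep_state: bool = False


def port(n):
    return ((n, n),)


# The extract, rule by rule, in the order the ${fwcmd} add lines run.
RULES = [
    Rule("check-state"),
    Rule("pass", "tcp", established=True),
    Rule("pass", "tcp", dst=INTERNAL_IP, dports=port(8080), setup=True),
    Rule("pass", "tcp", dst=EXTERNAL_IP, dports=port(80), setup=True),
    Rule("pass", "tcp", dst=INTERNAL_IP, dports=port(22), keep_state=True),
    Rule("pass", "tcp", dst=INTERNAL_IP, dports=port(21)),
    Rule("pass", "tcp", src=INTERNAL_IP, sports=port(20), dports=((1024, 65535),)),
    Rule("pass", "tcp", dst=INTERNAL_IP, dports=port(25), setup=True),
    Rule("pass", "tcp", src=INTERNAL_IP, setup=True),
    Rule("pass", "tcp", src=EXTERNAL_IP, setup=True),
    Rule("pass", "udp", dports=port(53), keep_state=True),
    Rule("pass", "tcp", dports=port(53), keep_state=True),
    Rule("pass", "all", frag=True),
    Rule("deny", "tcp", setup=True),
]


def in_ports(ranges, p):
    return not ranges or any(lo <= p <= hi for lo, hi in ranges)


def matches(rule, pkt):
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.src not in (ANY, pkt.src) or rule.dst not in (ANY, pkt.dst):
        return False
    if rule.frag and not pkt.frag:
        return False
    # A non-first fragment carries no ports or TCP flags, so options that
    # need the transport header cannot match it.
    needs_l4 = rule.sports or rule.dports or rule.setup or rule.established
    if pkt.frag and needs_l4:
        return False
    if not in_ports(rule.sports, pkt.sport) or not in_ports(rule.dports, pkt.dport):
        return False
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    if rule.established and not (pkt.ack or pkt.rst):
        return False
    return True


def flow_key(pkt):
    # Dynamic rules match both directions of the same flow.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


def evaluate(pkt, state, rules=RULES):
    """Return (position of the matching rule in RULES, verdict), updating state."""
    for n, rule in enumerate(rules, start=1):
        if rule.action == "check-state":
            if not pkt.frag and flow_key(pkt) in state:
                return n, "pass (dynamic rule)"
            continue
        if matches(rule, pkt):
            if rule.keep_state:
                state.add(flow_key(pkt))
            return n, rule.action
    return None, "no match in the extract"


def trace(packets, rules=RULES):
    """Run a packet sequence through the rules with one shared state table."""
    state = set()
    return [evaluate(pkt, state, rules) for pkt in packets]


SCENARIO = [
    Packet("tcp", CLIENT, 50000, INTERNAL_IP, 22, syn=True),            # SSH SYN in
    Packet("tcp", INTERNAL_IP, 22, CLIENT, 50000, syn=True, ack=True),  # SYN/ACK back
    Packet("tcp", CLIENT, 40000, INTERNAL_IP, 31337, ack=True),         # bare ACK, no state
    Packet("tcp", OTHER_LAN, 40001, "198.51.100.80", 80, syn=True),     # other LAN host out
    Packet("udp", INTERNAL_IP, 5353, "198.51.100.53", 53),              # DNS query out
    Packet("udp", "198.51.100.53", 53, INTERNAL_IP, 5353),              # DNS reply
]

if __name__ == "__main__":
    for pkt, (n, verdict) in zip(SCENARIO, trace(SCENARIO)):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: rule {n}, {verdict}")
```

Two things the trace makes visible, independent of the slow-login question itself: the bare ACK in the third step is accepted by `pass tcp from any to any established`, which matches on the ACK/RST bits alone and consults no recorded state, so such packets pass whether or not a connection exists; and the SYN from the other LAN host is dropped by the final `deny`, which discards silently, so the sender sits out its own retransmit timer, whereas ipfw's `reset` action would answer a TCP packet with an RST and fail it immediately. Whether either is connected to the delay described above is something a packet capture on the firewall would have to settle.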