From: Erik Trulsson
Date: Wed, 17 Apr 2002 00:35:00 +0200
To: "Michael W. Collette"
Cc: FreeBSD Mailing Lists
Subject: Re: SSH Connection Time Problems
Message-ID: <20020416223500.GA465@student.uu.se>
In-Reply-To: <200204161523.37293.metrol@metrol.net>
References: <200204161523.37293.metrol@metrol.net>
User-Agent: Mutt/1.3.28i

On Tue, Apr 16, 2002 at 03:23:37PM -0700, Michael W. Collette wrote:

[This should probably have gone to -questions instead.]

> Recently I have had some problems with getting an SSH connection from my
> FreeBSD 4.5-Stable box to my web hosting company's servers, also running
> FreeBSD. It takes over a minute to establish a connection, which is really
> mucking up the tunnelling of services I have going to them.

Two possibilities come to mind: DNS or ident

> Initially I was thinking that something changed on the web host, as I was able
> to make http and pop3 connections to them without delay. Upon writing them
> about this they suggested that the problem was with network latency. Didn't make
> much sense to me, as latency shouldn't be protocol specific. Even still, I
> contacted my ISP about this.

Probably not DNS then.

> The tech at my ISP didn't have any delay getting a connection to the web host.
> He then set me up with a shell account on a RedHat box they were running
> their hosting on. I was able to get an SSH connection directly to them
> without delay.
>
> I'm running IPFW here, so I added a pass everything rule to cancel it out. No
> difference.

Try adding the following rule to your IPFW rule set.

    ipfw add reset tcp from any to me 113

Normally when you try to connect with ssh, the ssh daemon at the other end
tries to connect to port 113 (auth) on your machine to see who you are. If
nothing is listening on that port it will eventually continue anyway. The
'reset' rule I gave above will immediately return a 'nobody listening here'
message to the other end instead of just dropping the packet and thus forcing
the other to wait for a timeout (which takes about a minute).

-- 
Erik Trulsson
ertr1013@student.uu.se
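The drop-versus-reset distinction Erik describes can be audited from a rule list before touching a live firewall. The following is an added example, not code from the thread or from FreeBSD: it reads text in the shape of `ipfw list` output (an assumed, simplified format of `<num> <action> <proto> from <src> to <dst> [<ports>]`), finds the first rule that governs inbound TCP to port 113, and reports whether an ident probe from a remote sshd gets an immediate answer or is left to time out. The two rule lists are constructed samples.

```python
import re

IDENT_PORT = 113  # TCP port the remote sshd probes for ident/auth

# One ipfw rule line; only the fields this audit needs are captured (assumed format).
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"(?:\s+[\d,\-]+)?\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>[\d,\-]+))?(?P<rest>.*)$"
)


def _port_in(spec, port):
    """True if `port` is covered by a spec like '113', '22,113' or '100-200'.
    No spec at all (None) means the rule matches every port."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def first_ident_rule(ruleset):
    """(number, action) of the first rule matching inbound TCP to port 113, else None."""
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["proto"] not in ("tcp", "ip", "all"):
            continue
        # Rules bound to an interface or to outbound traffic cannot be the one
        # that answers a probe arriving from the Internet; skip them.
        if {"via", "out"} & set(m["rest"].split()):
            continue
        if m["dst"] in ("me", "any") and _port_in(m["dports"], IDENT_PORT):
            return int(m["num"]), m["action"]
    return None


def classify(ruleset):
    """'fast': probe is answered at once (RST from the reset rule, or from the
    kernel when the packet is allowed through and nothing listens on 113).
    'slow': probe is silently dropped and the remote sshd waits for its timeout."""
    hit = first_ident_rule(ruleset)
    if hit is None:
        return "unknown"
    if hit[1] in ("reset", "allow", "pass", "accept", "permit"):
        return "fast"
    if hit[1] in ("deny", "drop"):
        return "slow"
    return "unknown"


# Constructed samples: a typical default-deny list, and the same list with Erik's rule.
SILENT_DROP = "00100 allow ip from any to any via lo0\n00200 allow tcp from any to me 22\n65535 deny ip from any to any\n"
WITH_RESET = "00100 allow ip from any to any via lo0\n00150 reset tcp from any to me 113\n00200 allow tcp from any to me 22\n65535 deny ip from any to any\n"
```

Running `classify` over the two samples shows why the first list costs a minute per SSH login while the second does not.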