Slow SSH authentication with ipfw

From: Lay Tay (LTay_at_certicom.com)
Date: 09/09/03

  • Next message: David L: "Re: JAVA and MOZILLA"
    To: <freebsd-questions@FreeBSD.ORG>
    Date: Mon, 8 Sep 2003 15:50:00 -0700
    
    

    Hello,

    I've configured a FreeBSD v4.8 STABLE system on an HP Vectra machine
    (Pentium III 850 with 256MB RAM) as a firewall/router. I then have another
    similar machine set up internally with SSH service started (OpenSSH on a
    SuSE 8.1 Linux).

    Everything worked fine except that I noticed the ssh connection takes a very
    long time. When I use PUTTY or WinSCP on a Windows machine to connect to
    my internal machine, the authentication takes a very long time. WinSCP
    will always time out on the first try; when I hit "retry", the
    authentication goes through.

    This does not happen if I insert a "pass everything" rule in ipfw.

    I suspect my firewall rules have something to do with it. Can someone check
    and see if I'm doing something wrong? Thanks.

    Here's an extract from my rc.firewall:

    internalip="xxx.xxx.xxx.xxx"
    externalip="xxx.xxx.xxx.xxx"

    # Stateful packet inspection
    ${fwcmd} add check-state

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow incoming HTTP request
    ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
    ${fwcmd} add pass tcp from any to ${externalip} 80 setup

    # Allow incoming SSH connection
    ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state

    # Allow incoming FTP connections - Active Connection only
    ${fwcmd} add pass tcp from any to ${internalip} 21
    ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${internalip} 25 setup

    # Allow setup of outgoing TCP connections only
    ${fwcmd} add pass tcp from ${internalip} to any setup
    ${fwcmd} add pass tcp from ${externalip} to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any to any 53 keep-state
    ${fwcmd} add pass tcp from any to any 53 keep-state

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Disallow setup of all other TCP connections
    ${fwcmd} add deny tcp from any to any setup
    ;;

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
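The following is an added example and not part of the original post or of FreeBSD's rc.firewall: a simplified first-match simulator for the rule extract quoted above, which walks the packets of one SSH login through the rules and reports which rule each packet hits. Its value for a question like this one is that it makes the silent-drop paths visible: a packet that matches no pass rule is dropped without any reply, so whatever the SSH server was waiting on (for example a reverse-DNS answer) has to time out before the login proceeds, which is what a "slow authentication" usually looks like from the client. Assumptions, all mine: ipfw semantics are reduced to first match; `setup` means SYN without ACK; `established` means ACK set; `keep-state` and `check-state` share one dynamic table; anything falling off the end of the extract hits a default deny, since the rest of rc.firewall is not shown; the addresses are constructed documentation-range values in place of the `xxx.xxx.xxx.xxx` placeholders.

```python
# Added example: simplified ipfw first-match simulator for the posted rule set.
# Not the original poster's script and not real ipfw; see assumptions above.
from dataclasses import dataclass

INTERNAL, EXTERNAL = "192.0.2.10", "198.51.100.1"    # constructed, stand in for xxx.xxx.xxx.xxx
CLIENT, DNS_SERVER = "203.0.113.5", "198.51.100.53"  # constructed client and resolver

# The rule bodies from the post, in order, with "${fwcmd} add" stripped and variables filled in.
RULES = [
    "check-state",
    "pass tcp from any to any established",
    f"pass tcp from any to {INTERNAL} 8080 setup",
    f"pass tcp from any to {EXTERNAL} 80 setup",
    f"pass tcp from any to {INTERNAL} 22 keep-state",
    f"pass tcp from any to {INTERNAL} 21",
    f"pass tcp from {INTERNAL} 20 to any 1024-65535",
    f"pass tcp from any to {INTERNAL} 25 setup",
    f"pass tcp from {INTERNAL} to any setup",
    f"pass tcp from {EXTERNAL} to any setup",
    "pass udp from any to any 53 keep-state",
    "pass tcp from any to any 53 keep-state",
    "pass all from any to any frag",
    "deny tcp from any to any setup",
]
OPTS = {"setup", "established", "keep-state", "frag"}  # the only options this toy understands

@dataclass(frozen=True)
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    syn: bool = False; ack: bool = False; frag: bool = False

def port_range(spec):
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def parse(text):
    """Parse one rule body (the subset of ipfw syntax used in the post) into a dict."""
    tok = text.split()
    if tok == ["check-state"]:
        return {"action": "check-state"}
    rule = {"action": tok[0], "proto": tok[1], "sport": None, "dport": None}
    i = tok.index("from") + 1
    rule["src"] = tok[i]; i += 1
    if tok[i] != "to":                      # optional source port(s)
        rule["sport"] = port_range(tok[i]); i += 1
    i += 1                                  # skip "to"
    rule["dst"] = tok[i]; i += 1
    if i < len(tok) and tok[i] not in OPTS: # optional destination port(s)
        rule["dport"] = port_range(tok[i]); i += 1
    rule["opts"] = set(tok[i:])
    return rule

def matches(rule, pkt):
    if rule["proto"] not in ("all", pkt.proto): return False
    if rule["src"] not in ("any", pkt.src) or rule["dst"] not in ("any", pkt.dst): return False
    for key, port in (("sport", pkt.sport), ("dport", pkt.dport)):
        if rule[key] is not None and (pkt.proto not in ("tcp", "udp") or port not in rule[key]):
            return False
    o = rule["opts"]
    if "setup" in o and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack): return False
    if "established" in o and not (pkt.proto == "tcp" and pkt.ack): return False
    if "frag" in o and not pkt.frag: return False
    return True

def flow(pkt):
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

def evaluate(pkt, state):
    """First-match walk. Returns (verdict, rule text); keep-state matches populate `state`."""
    for text in RULES:
        rule = parse(text)
        if rule["action"] == "check-state":
            if flow(pkt) in state: return ("pass", text)
            continue
        if matches(rule, pkt):
            if "keep-state" in rule["opts"]:           # remember both directions of the flow
                state.add(flow(pkt))
                state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return (rule["action"], text)
    return ("deny", "default deny (assumed; tail of rc.firewall not shown)")

def ssh_login_trace():
    """Packets of one SSH login plus two stray ones; returns [(label, verdict, rule), ...]."""
    state = set()
    steps = [
        ("client SYN -> sshd:22",           Packet("tcp", CLIENT, 50000, INTERNAL, 22, syn=True)),
        ("sshd SYN/ACK -> client",          Packet("tcp", INTERNAL, 22, CLIENT, 50000, syn=True, ack=True)),
        ("sshd reverse-DNS query -> dns:53", Packet("udp", INTERNAL, 40000, DNS_SERVER, 53)),
        ("dns reply -> sshd host",          Packet("udp", DNS_SERVER, 53, INTERNAL, 40000)),
        ("icmp unreachable -> sshd host",   Packet("icmp", DNS_SERVER, 0, INTERNAL, 0)),
        ("stray SYN -> sshd host:113",      Packet("tcp", CLIENT, 50001, INTERNAL, 113, syn=True)),
    ]
    return [(label, *evaluate(p, state)) for label, p in steps]

def expired_state_reply():
    """Same DNS reply, but after the dynamic rule has expired: nothing static matches it."""
    return evaluate(Packet("udp", DNS_SERVER, 53, INTERNAL, 40000), set())

if __name__ == "__main__":
    for label, verdict, rule in ssh_login_trace():
        print(f"{label:36} {verdict:5} <- {rule}")
    print(f"{'dns reply after state expiry':36} {expired_state_reply()[0]:5} <- {expired_state_reply()[1]}")
```

Two things the trace makes plain. First, nothing in the extract passes ICMP at all, and a reply that arrives after its dynamic rule has expired falls through every static rule, so both are dropped silently rather than rejected; a host waiting on such a packet learns nothing until its own timer fires. Second, which rule a packet hits depends entirely on order, so when a "pass everything" rule makes the symptom vanish, the practical next step is `ipfw -a list` (and, for dynamic rules, `ipfw -d list`) on the real firewall to see which counters move during one slow login, rather than guessing from the rule text.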

