ipfw slow ssh and ftp connections

Just as the title says.
Thanks.

#General Rule Sets
/sbin/ipfw add 0300 check-state
/sbin/ipfw add 0301 deny tcp from any to any in established
/sbin/ipfw add 0302 pass tcp from any to any out setup keep-state
/sbin/ipfw add 0303 pass udp from any to any out

#SSH FTP
/sbin/ipfw add 0400 pass tcp from any to any 22 in setup keep-state
/sbin/ipfw add 0401 pass tcp from any to any 21 in setup keep-state

#HTTP HTTPS
/sbin/ipfw add 0500 pass tcp from any to any 80 in setup keep-state
/sbin/ipfw add 0501 pass tcp from any to any 443 in setup keep-state

#IMAP IMAPS POP3 SMTP
/sbin/ipfw add 0600 pass udp from any to any 25 in
/sbin/ipfw add 0601 pass tcp from any to any 25 in setup keep-state
/sbin/ipfw add 0602 pass tcp from any to any 143 in setup keep-state
/sbin/ipfw add 0603 pass udp from any to any 143 in
/sbin/ipfw add 0604 pass tcp from any to any 993 in setup keep-state
/sbin/ipfw add 0605 pass tcp from any to any 110 in setup keep-state
/sbin/ipfw add 0606 pass udp from any to any 110 in

#DNS
/sbin/ipfw add 0700 pass udp from any to any 53 in
/sbin/ipfw add 0701 pass tcp from any to any 53 in setup keep-state
/sbin/ipfw add 0702 pass udp from xxx.xxx.xxx.xxx to any in
/sbin/ipfw add 0703 pass udp from xxx.xxx.xxx.xxx to any in

No ideas, anyone? DNS is not an issue: when connecting with the IP of this box, logging in is still slow.

After you connect to the box, from that box, do a reverse DNS lookup on the IP address that you originate from. If that is slow, then this is a DNS issue.

The reverse lookup took about 8-9 seconds.

Well, how does that compare with the login delay? The box will do a reverse DNS lookup to log the connection.

About the same, so should I double-check my reverse DNS configuration on the SSH server?

That is a little slow for DNS; I would check out the DNS setup to try and find out why. I guess... actually, 8 or 9 seconds probably wouldn't be much motivation. :slight_smile: You can do stuff like setting up a caching-only name server on the target box, or even use a hosts file. You probably can also configure your FTP server and SSH server to log IP addresses only. There are lots of options now that you know where the delay is.

I use DNSmasq on my FreeBSD box and on all my Slackware Linux machines; it's a simple DNS cache to set up.
It should be available in the ports collection.

What would be causing the slow reverse lookups? When this box wasn't running ipfw, my SSH and FTP logins were quick. Also, isn't my ISP responsible for my reverse DNS? :eek:

Also, can I not configure BIND to do the caching?

This is what I have tried so far.

I started an SSH connection to my server at work.

Then I did a reverse lookup back to the client from my server.

# host 23.44.55.66
66.55.44.23.IN-ADDR.ARPA domain name pointer s23-44-55-66.ab.hsia.telus.net

Then I tried adding an entry into /etc/hosts:

23.44.55.66 s23-44-55-66.ab.hsia.telus.net

Still slow logins...

This server is running BIND, and a reverse zone file is made; why am I getting a reverse lookup from my ISP?

Also, from users I have talked to in #freebsdhelp on EFnet, BIND caches by default.

To add further:
I added localhost to /etc/resolv.conf.

nslookup, even on www.google.ca, dies...

# nslookup www.google.ca
*** Can't find server name for address 127.0.0.1: Timed out
*** Can't find server name for address 154.11.129.59: Timed out

Something is wrong, and I'm lost...... :confused:

I still think it's my firewall, guys... :frowning:

Thanks all! Figured it out :slight_smile: Allowed connections from me to my loopback device :slight_smile:
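The thread ends on the actual cause, so here is an added check for it (example code, not from the thread or from FreeBSD): ipfw filters lo0 as well, and with the rule set above a reply from a resolver on 127.0.0.1 arrives "in" on lo0 with no matching pass rule, so the default deny drops it and every reverse lookup waits for the resolver timeout. The script carries the usual loopback rules (modelled on FreeBSD's stock rc.firewall; the rule numbers are an assumption) and a function that inspects either the rule script or "ipfw list" output for a loopback pass rule numbered below the first deny.

```shell
#!/bin/sh
# Added example, not from the thread. ipfw also filters lo0, so a DNS
# reply from a resolver on 127.0.0.1 comes back "in" on lo0; with no
# pass rule for it, the default deny drops the reply and every reverse
# lookup waits for the resolver timeout (the ssh/ftp login delay).

# Loopback rules to load ahead of the general rule set, modelled on the
# stock FreeBSD rc.firewall (rule numbers 0100-0102 are an assumption).
loopback_rules() {
    cat <<'EOF'
/sbin/ipfw add 0100 pass ip from any to any via lo0
/sbin/ipfw add 0101 deny ip from any to 127.0.0.0/8
/sbin/ipfw add 0102 deny ip from 127.0.0.0/8 to any
EOF
}

# check_loopback FILE: FILE holds either the rule script ("ipfw add"
# lines, comments allowed) or "ipfw list" output. Returns 0 when a
# pass/allow rule via lo0 is numbered below the first deny rule,
# 1 otherwise (no such rule, or it sits after a deny).
check_loopback() {
    sed -E 's/^.*ipfw[[:space:]]+add[[:space:]]+//' "$1" | awk '
        $1 !~ /^[0-9]+$/ { next }               # skip comments and blanks
        $2 ~ /^(pass|allow|accept)$/ && /via lo0/ && !lo { lo = $1 + 0 }
        $2 == "deny" && !first_deny { first_deny = $1 + 0 }
        END { exit !(lo && (!first_deny || lo < first_deny)) }
    '
}

# Demo on a constructed copy of the first rules from the thread:
#   sh check_lo0.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' '#General Rule Sets' \
        '/sbin/ipfw add 0300 check-state' \
        '/sbin/ipfw add 0301 deny tcp from any to any in established' \
        '/sbin/ipfw add 0302 pass tcp from any to any out setup keep-state' \
        '/sbin/ipfw add 0700 pass udp from any to any 53 in' > "$tmp"
    if check_loopback "$tmp"; then echo "original: loopback ok"
    else echo "original: no loopback pass rule before the first deny"; fi
    { loopback_rules; cat "$tmp"; } > "$tmp.fixed"
    if check_loopback "$tmp.fixed"; then echo "fixed: loopback ok"; fi
    rm -f "$tmp" "$tmp.fixed"
fi
```

Run it against `ipfw list > rules.txt` on the box itself; a rule that merely passes udp to port 53 "in" does not cover the reply traffic, which is why the check looks for the via lo0 rule.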