In my experience, this is almost always a DNS resolving issue. You have the rule for DNS though...
Do you have an internal DNS resolver you could set in your resolv.conf? Take the firewall out of the picture?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Lay Tay
> Sent: Monday, September 08, 2003 3:50 PM
> To: [EMAIL PROTECTED]
>
> Hello,
>
> I've configured a FreeBSD v4.8 STABLE system on a HP Vectra machine
> (Pentium III 850 with 256MB RAM) as a firewall/router. I then have another
> similar machine setup internally with SSH service started (OpenSSH on a
> SuSE 8.1 Linux).
>
> Everything worked fine except that I noticed ssh connection takes a very
> long time. When I use PUTTY or WinSCP on a windows machine to connect to
> my internal machine, the authentication takes a very long time. WinSCP
> will always timeout on the first try, when I hit "retry", the
> authentication goes through.
>
> This does not happen if I insert a "pass everything" rule in ipfw.
>
> I suspect my firewall rules have something to do with it. Can someone check
> and see if I'm doing something wrong? Thanks.
>
> Here's extract from my rc.firewall:
>
> internalip="xxx.xxx.xxx.xxx"
> externalip="xxx.xxx.xxx.xxx"
>
> # Stateful packet inspection
> ${fwcmd} add check-state
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow incoming HTTP request
> ${fwcmd} add pass tcp from any to ${internalip} 8080 setup
> ${fwcmd} add pass tcp from any to ${externalip} 80 setup
>
> # Allow incoming SSH connection
> ${fwcmd} add pass tcp from any to ${internalip} 22 keep-state
>
> # Allow incoming FTP connections - Active Connection only
> ${fwcmd} add pass tcp from any to ${internalip} 21
> ${fwcmd} add pass tcp from ${internalip} 20 to any 1024-65535
>
> # Allow setup of incoming email
> ${fwcmd} add pass tcp from any to ${internalip} 25 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${internalip} to any setup
> ${fwcmd} add pass tcp from ${externalip} to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any to any 53 keep-state
> ${fwcmd} add pass tcp from any to any 53 keep-state
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
> ;;
>
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
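
One way to test the DNS explanation suggested in the reply, added here as an example and not taken from either poster: the script below times a reverse (PTR) query for the connecting client's address against each nameserver listed in resolv.conf, so a resolver whose replies never come back through the firewall shows up as "no reply". The function names, the sample resolv.conf text and the 3-second timeout are assumptions, and only IPv4 nameservers are handled.

```python
import socket, struct, sys, time

# Constructed sample; on the SSH server, read the real /etc/resolv.conf instead.
SAMPLE = """# constructed example
search example.test
nameserver 192.0.2.53
nameserver 198.51.100.53
"""

def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def ptr_name(ipv4):
    """Reverse-lookup name for an IPv4 address, e.g. 192.0.2.10."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def build_query(name, qtype=12, txid=0x1234):
    """Minimal RFC 1035 query: header (RD set, one question), QNAME, type, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def time_query(server, packet, timeout=3.0, port=53):
    """Seconds until a matching UDP reply arrives, or None if none does."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            start = time.monotonic()
            sock.sendto(packet, (server, port))
            reply, _ = sock.recvfrom(512)
    except OSError:  # timeout, unreachable, or a non-IPv4 server address
        return None
    return time.monotonic() - start if reply[:2] == packet[:2] else None

def check_resolvers(resolv_text, client_ip, timeout=3.0):
    """Map each configured nameserver to its PTR-query reply time (None = no reply)."""
    packet = build_query(ptr_name(client_ip))
    return {s: time_query(s, packet, timeout) for s in parse_resolv_conf(resolv_text)}

if __name__ == "__main__" and len(sys.argv) == 2:
    with open("/etc/resolv.conf") as fh:
        for server, secs in check_resolvers(fh.read(), sys.argv[1]).items():
            print(server, "no reply" if secs is None else f"{secs * 1000:.0f} ms")
```

Run it on the internal SSH server with the client's IP address as the only argument, once with the normal rules loaded and once with the "pass everything" rule, and compare the reply times.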