LinuxQuestions.org


red118a 10-30-2009 03:00 PM

Ipfilters making my ssh connections slow
 
I need help with IPfilters. My ipf.conf begins with:

block in on e1000g0 all
block out on e1000g0 all

I simply want to pass through ssh connections using the following:
pass in quick on e1000g0 proto tcp from 10.40.xx.xx/24 to 1xx.xx.xx.44 port = ssh flags S/FSRPAU keep state keep frags

It works, but it is EXTREMELY SLOW: it can take up to 2 minutes for you to get a command prompt after entering the password. It operates normally after that, though. And it does that no matter what order I put the rules in.

What can I do to make my ssh connections instant?

jlliagre 10-30-2009 04:31 PM

I would suspect naming resolution blocked by the filter rules.

red118a 11-02-2009 07:12 AM

nslookup works, and here is what I put in to make it work. Is there something else that I need for this to move speedily? I have pass out lines for those as well. What else should I do to unblock naming resolution?


Code:

# DNS
pass in quick on e1000g0 proto tcp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto udp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto tcp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto udp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state

Thanks for your help!

jlliagre 11-02-2009 07:46 AM

I would enable packet logging to figure out what ones are blocked and what they are about.

red118a 11-02-2009 07:50 AM

How? What would you do? Thanks for your quick responses.

jlliagre 11-02-2009 08:07 AM

Something like:
Code:

block in log body on e1000g0 all
block out log body on e1000g0 all

Then, after the problem is reproduced:
Code:

ipmon -a

red118a 11-02-2009 08:21 AM

OK, I reproduced the problem, but I'm not sure how to read the log. This is what happens when the firewall is running and I try to ssh in:

Code:

02/11/2009 10:04:59.175843 STATE:EXPIRE 130.207.192.44,65495 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175855 STATE:EXPIRE 130.207.192.44,65496 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175861 STATE:EXPIRE 130.207.192.44,65497 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175866 STATE:EXPIRE 130.207.192.44,65498 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175870 STATE:EXPIRE 130.207.192.44,65499 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175875 STATE:EXPIRE 130.207.192.44,65500 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175879 STATE:EXPIRE 130.207.192.44,65501 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 71 Backward: Pkts in 1 Bytes in 168 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175884 STATE:EXPIRE 130.207.192.44,65502 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 71 Backward: Pkts in 1 Bytes in 168 Pkts out 0 Bytes out 0
02/11/2009 10:05:01.402470 STATE:NEW 130.207.199.113,39450 -> 130.207.192.57,80 PR tcp
02/11/2009 10:05:02.971662 STATE:NEW 130.207.192.37,2973 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.973025 STATE:NEW 130.207.192.37,2976 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.973408 STATE:NEW 130.207.192.37,2977 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.976119 STATE:NEW 130.207.192.37,2982 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.978226 STATE:NEW 130.207.192.37,2986 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.978537 STATE:NEW 130.207.192.37,2987 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.979640 STATE:NEW 130.207.192.37,2989 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.980623 STATE:NEW 130.207.192.37,2991 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:03.175967 STATE:EXPIRE 130.207.192.44,65503 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 66 Backward: Pkts in 1 Bytes in 82 Pkts out 0 Bytes out 0
02/11/2009 10:05:04.176002 STATE:EXPIRE 130.207.199.113,37747 -> 130.207.192.44,161 PR udp Forward: Pkts in 1 Bytes in 71 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 81
02/11/2009 10:05:12.993656 STATE:NEW 130.207.192.37,3005 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:12.995007 STATE:NEW 130.207.192.37,3008 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:12.995294 STATE:NEW 130.207.192.37,3009 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:12.997819 STATE:NEW 130.207.192.37,3014 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:12.999789 STATE:NEW 130.207.192.37,3018 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:13.000082 STATE:NEW 130.207.192.37,3019 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:13.001057 STATE:NEW 130.207.192.37,3021 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:13.002048 STATE:NEW 130.207.192.37,3023 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:16.877285 STATE:NEW 130.207.192.44,65505 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.878071 STATE:NEW 130.207.192.44,65506 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.878704 STATE:NEW 130.207.192.44,65507 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.879376 STATE:NEW 130.207.192.44,65508 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:16.879937 STATE:NEW 130.207.192.44,65509 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.880499 STATE:NEW 130.207.192.44,65510 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:23.015649 STATE:NEW 130.207.192.37,3037 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.016998 STATE:NEW 130.207.192.37,3040 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.017284 STATE:NEW 130.207.192.37,3041 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.019661 STATE:NEW 130.207.192.37,3046 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.021631 STATE:NEW 130.207.192.37,3050 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.021942 STATE:NEW 130.207.192.37,3051 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.023043 STATE:NEW 130.207.192.37,3053 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.023887 STATE:NEW 130.207.192.37,3055 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:29.176875 STATE:EXPIRE 130.207.192.44,65505 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176889 STATE:EXPIRE 130.207.192.44,65506 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176895 STATE:EXPIRE 130.207.192.44,65507 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176900 STATE:EXPIRE 130.207.192.44,65508 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176905 STATE:EXPIRE 130.207.192.44,65509 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176909 STATE:EXPIRE 130.207.192.44,65510 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:33.038334 STATE:NEW 130.207.192.37,3069 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.039674 STATE:NEW 130.207.192.37,3072 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.039978 STATE:NEW 130.207.192.37,3073 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.042354 STATE:NEW 130.207.192.37,3078 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.044461 STATE:NEW 130.207.192.37,3082 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.044757 STATE:NEW 130.207.192.37,3083 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.045732 STATE:NEW 130.207.192.37,3085 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.046718 STATE:NEW 130.207.192.37,3087 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.060034 STATE:NEW 130.207.192.37,3101 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.061384 STATE:NEW 130.207.192.37,3104 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.061674 STATE:NEW 130.207.192.37,3105 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.064053 STATE:NEW 130.207.192.37,3110 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.066163 STATE:NEW 130.207.192.37,3114 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.066458 STATE:NEW 130.207.192.37,3115 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.067435 STATE:NEW 130.207.192.37,3117 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.068420 STATE:NEW 130.207.192.37,3119 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:46.888335 STATE:NEW 130.207.192.44,65511 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.889108 STATE:NEW 130.207.192.44,65512 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.890026 STATE:NEW 130.207.192.44,65513 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.890557 STATE:NEW 130.207.192.44,65514 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:46.891259 STATE:NEW 130.207.192.44,65515 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.891960 STATE:NEW 130.207.192.44,65516 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:53.082020 STATE:NEW 130.207.192.37,3133 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.083365 STATE:NEW 130.207.192.37,3136 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.083655 STATE:NEW 130.207.192.37,3137 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.085895 STATE:NEW 130.207.192.37,3142 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.088014 STATE:NEW 130.207.192.37,3146 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.088300 STATE:NEW 130.207.192.37,3147 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.089278 STATE:NEW 130.207.192.37,3149 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.090263 STATE:NEW 130.207.192.37,3151 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:57.950676 STATE:NEW 130.207.199.113,39537 -> 130.207.192.57,80 PR tcp
02/11/2009 10:05:59.177916 STATE:EXPIRE 130.207.192.44,65511 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177929 STATE:EXPIRE 130.207.192.44,65512 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177934 STATE:EXPIRE 130.207.192.44,65513 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177940 STATE:EXPIRE 130.207.192.44,65514 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177945 STATE:EXPIRE 130.207.192.44,65515 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177949 STATE:EXPIRE 130.207.192.44,65516 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:06:03.104144 STATE:NEW 130.207.192.37,3165 -> 130.207.192.44,80 PR tcp
02/11/2009 10:06:03.105493 STATE:NEW 130.207.192.37,3168 -> 130.207.192.44,80 PR tcp
02/11/2009 10:06:03.105779 STATE:NEW 130.207.192.37,3169 -> 130.207.192.44,443 PR tcp
02/11/2009 10:06:03.108305 STATE:NEW 130.207.192.37,3174 -> 130.207.192.44,443 PR tcp
02/11/2009 10:06:03.110413 STATE:NEW 130.207.192.37,3178 -> 130.207.192.44,80 PR tcp

Thanks for your help and time helping with this problem. I edited this post because I was not logging the out packets.
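
One way to read `ipmon` state output in the layout of the log above, as an added example that is not part of the original thread: it counts `STATE:NEW` / `STATE:EXPIRE` events per flow and lists flows whose state expired with zero packets in the backward (reply) direction. The sample lines use constructed documentation-range addresses, and `parse` and `summarize` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample in the STATE:NEW / STATE:EXPIRE layout shown in the post above
# (documentation-range addresses, not values taken from the thread).
SAMPLE = """\
02/11/2009 10:05:16.877285 STATE:NEW 192.0.2.44,65505 -> 198.51.100.150,53 PR udp
02/11/2009 10:05:16.878071 STATE:NEW 192.0.2.44,65506 -> 198.51.100.151,53 PR udp
02/11/2009 10:05:17.100000 STATE:NEW 192.0.2.37,3005 -> 192.0.2.44,22 PR tcp
02/11/2009 10:05:29.176875 STATE:EXPIRE 192.0.2.44,65505 -> 198.51.100.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176889 STATE:EXPIRE 192.0.2.44,65506 -> 198.51.100.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 0 Bytes in 0 Pkts out 0 Bytes out 0
"""

LINE = re.compile(
    r"^\S+ (?P<time>\S+) STATE:(?P<event>NEW|EXPIRE) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
    r"(?: Forward: Pkts in \d+ Bytes in \d+ Pkts out \d+ Bytes out \d+"
    r" Backward: Pkts in (?P<b_in>\d+) Bytes in \d+ Pkts out (?P<b_out>\d+) Bytes out \d+)?")

def parse(text):
    """Yield one dict per STATE line; any other line is skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Count NEW/EXPIRE per (src, dst, dport, proto); list flows that expired with no reply."""
    counts = defaultdict(lambda: {"NEW": 0, "EXPIRE": 0})
    unanswered = []
    for rec in parse(text):
        key = (rec["src"], rec["dst"], int(rec["dport"]), rec["proto"])
        counts[key][rec["event"]] += 1
        # "Backward" counters cover the reverse direction of the flow; if both are zero
        # when the state expires, the initiator never saw an answer.
        if rec["event"] == "EXPIRE" and rec["b_in"] is not None:
            if int(rec["b_in"]) + int(rec["b_out"]) == 0:
                unanswered.append((rec["time"], rec["src"], int(rec["sport"]),
                                   rec["dst"], int(rec["dport"])))
    return dict(counts), unanswered

if __name__ == "__main__":
    counts, unanswered = summarize(SAMPLE)
    for key in sorted(counts):
        print(key, counts[key])
    for flow in unanswered:
        print("expired with no reply:", flow)
```

Only state events appear in this layout; packets dropped by a `block ... log` rule are logged by `ipmon` as separate per-packet lines, which this parser skips.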

jlliagre 11-02-2009 02:58 PM

Not sure it will help but you might want to try something like:
Code:

pass in quick on e1000g0 proto tcp from xxx to yyy port = 53 flags S keep state keep frags

Alternatively, you can disable the firewall and use snoop to capture and analyse the traffic.

