LinuxQuestions.org
Old 10-30-2009, 03:00 PM   #1
red118a
Member
 
Registered: Nov 2003
Location: Decatur, Georgia
Distribution: Oracle Solaris 10, Fedora 14
Posts: 39

Rep: Reputation: 15
Ipfilters making my ssh connections slow


I need help with IP Filter. My ipf.conf begins with

block in on e1000g0 all
block out on e1000g0 all

I simply want to pass through ssh connections using the following:
pass in quick on e1000g0 proto tcp from 10.40.xx.xx/24 to 1xx.xx.xx.44 port = ssh flags S/FSRPAU keep state keep frags

It works, but it is EXTREMELY SLOW: it can take up to 2 minutes to get a command prompt after entering the password. It operates normally after that, though, and it does that no matter what order I put the rules in.

What can I do to make my ssh connections instant?
 
Old 10-30-2009, 04:31 PM   #2
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris10, Solaris 11, Mint, OL
Posts: 9,492

Rep: Reputation: 355
I would suspect naming resolution blocked by the filter rules.
 
Old 11-02-2009, 07:12 AM   #3
red118a
Member
Original Poster
nslookup works. Here is what I put in to make it work; is there something else I need for this to move speedily? I have pass out lines for those as well. What else should I do to unblock name resolution?


Code:
# DNS
pass in quick on e1000g0 proto tcp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto udp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto tcp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto udp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
Thanks for your help!

Last edited by red118a; 11-02-2009 at 07:13 AM.
 
Old 11-02-2009, 07:46 AM   #4
jlliagre
Moderator
I would enable packet logging to figure out what ones are blocked and what they are about.
 
Old 11-02-2009, 07:50 AM   #5
red118a
Member
Original Poster
How? What would you do? Thanks for your quick responses.
 
Old 11-02-2009, 08:07 AM   #6
jlliagre
Moderator
Something like:
Code:
block in log body on e1000g0 all
block out log body on e1000g0 all
Then, after the problem is reproduced:
Code:
ipmon -a

Last edited by jlliagre; 11-02-2009 at 08:14 AM.
 
Old 11-02-2009, 08:21 AM   #7
red118a
Member
Original Poster
OK, I reproduced the problem but I'm not sure how to read the log. This is what happens when the firewall is running and I try to ssh in:

Code:
02/11/2009 10:04:59.175843 STATE:EXPIRE 130.207.192.44,65495 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175855 STATE:EXPIRE 130.207.192.44,65496 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175861 STATE:EXPIRE 130.207.192.44,65497 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175866 STATE:EXPIRE 130.207.192.44,65498 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175870 STATE:EXPIRE 130.207.192.44,65499 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175875 STATE:EXPIRE 130.207.192.44,65500 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175879 STATE:EXPIRE 130.207.192.44,65501 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 71 Backward: Pkts in 1 Bytes in 168 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175884 STATE:EXPIRE 130.207.192.44,65502 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 71 Backward: Pkts in 1 Bytes in 168 Pkts out 0 Bytes out 0
02/11/2009 10:05:01.402470 STATE:NEW 130.207.199.113,39450 -> 130.207.192.57,80 PR tcp
02/11/2009 10:05:02.971662 STATE:NEW 130.207.192.37,2973 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.973025 STATE:NEW 130.207.192.37,2976 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.973408 STATE:NEW 130.207.192.37,2977 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.976119 STATE:NEW 130.207.192.37,2982 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.978226 STATE:NEW 130.207.192.37,2986 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.978537 STATE:NEW 130.207.192.37,2987 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.979640 STATE:NEW 130.207.192.37,2989 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.980623 STATE:NEW 130.207.192.37,2991 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:03.175967 STATE:EXPIRE 130.207.192.44,65503 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 66 Backward: Pkts in 1 Bytes in 82 Pkts out 0 Bytes out 0
02/11/2009 10:05:04.176002 STATE:EXPIRE 130.207.199.113,37747 -> 130.207.192.44,161 PR udp Forward: Pkts in 1 Bytes in 71 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 81
02/11/2009 10:05:12.993656 STATE:NEW 130.207.192.37,3005 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:12.995007 STATE:NEW 130.207.192.37,3008 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:12.995294 STATE:NEW 130.207.192.37,3009 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:12.997819 STATE:NEW 130.207.192.37,3014 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:12.999789 STATE:NEW 130.207.192.37,3018 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:13.000082 STATE:NEW 130.207.192.37,3019 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:13.001057 STATE:NEW 130.207.192.37,3021 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:13.002048 STATE:NEW 130.207.192.37,3023 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:16.877285 STATE:NEW 130.207.192.44,65505 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.878071 STATE:NEW 130.207.192.44,65506 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.878704 STATE:NEW 130.207.192.44,65507 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.879376 STATE:NEW 130.207.192.44,65508 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:16.879937 STATE:NEW 130.207.192.44,65509 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.880499 STATE:NEW 130.207.192.44,65510 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:23.015649 STATE:NEW 130.207.192.37,3037 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.016998 STATE:NEW 130.207.192.37,3040 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.017284 STATE:NEW 130.207.192.37,3041 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.019661 STATE:NEW 130.207.192.37,3046 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.021631 STATE:NEW 130.207.192.37,3050 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.021942 STATE:NEW 130.207.192.37,3051 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.023043 STATE:NEW 130.207.192.37,3053 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.023887 STATE:NEW 130.207.192.37,3055 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:29.176875 STATE:EXPIRE 130.207.192.44,65505 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176889 STATE:EXPIRE 130.207.192.44,65506 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176895 STATE:EXPIRE 130.207.192.44,65507 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176900 STATE:EXPIRE 130.207.192.44,65508 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176905 STATE:EXPIRE 130.207.192.44,65509 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176909 STATE:EXPIRE 130.207.192.44,65510 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:33.038334 STATE:NEW 130.207.192.37,3069 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.039674 STATE:NEW 130.207.192.37,3072 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.039978 STATE:NEW 130.207.192.37,3073 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.042354 STATE:NEW 130.207.192.37,3078 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.044461 STATE:NEW 130.207.192.37,3082 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.044757 STATE:NEW 130.207.192.37,3083 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.045732 STATE:NEW 130.207.192.37,3085 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.046718 STATE:NEW 130.207.192.37,3087 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.060034 STATE:NEW 130.207.192.37,3101 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.061384 STATE:NEW 130.207.192.37,3104 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.061674 STATE:NEW 130.207.192.37,3105 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.064053 STATE:NEW 130.207.192.37,3110 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.066163 STATE:NEW 130.207.192.37,3114 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.066458 STATE:NEW 130.207.192.37,3115 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.067435 STATE:NEW 130.207.192.37,3117 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.068420 STATE:NEW 130.207.192.37,3119 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:46.888335 STATE:NEW 130.207.192.44,65511 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.889108 STATE:NEW 130.207.192.44,65512 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.890026 STATE:NEW 130.207.192.44,65513 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.890557 STATE:NEW 130.207.192.44,65514 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:46.891259 STATE:NEW 130.207.192.44,65515 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.891960 STATE:NEW 130.207.192.44,65516 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:53.082020 STATE:NEW 130.207.192.37,3133 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.083365 STATE:NEW 130.207.192.37,3136 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.083655 STATE:NEW 130.207.192.37,3137 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.085895 STATE:NEW 130.207.192.37,3142 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.088014 STATE:NEW 130.207.192.37,3146 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.088300 STATE:NEW 130.207.192.37,3147 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.089278 STATE:NEW 130.207.192.37,3149 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.090263 STATE:NEW 130.207.192.37,3151 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:57.950676 STATE:NEW 130.207.199.113,39537 -> 130.207.192.57,80 PR tcp
02/11/2009 10:05:59.177916 STATE:EXPIRE 130.207.192.44,65511 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177929 STATE:EXPIRE 130.207.192.44,65512 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177934 STATE:EXPIRE 130.207.192.44,65513 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177940 STATE:EXPIRE 130.207.192.44,65514 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177945 STATE:EXPIRE 130.207.192.44,65515 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177949 STATE:EXPIRE 130.207.192.44,65516 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:06:03.104144 STATE:NEW 130.207.192.37,3165 -> 130.207.192.44,80 PR tcp
02/11/2009 10:06:03.105493 STATE:NEW 130.207.192.37,3168 -> 130.207.192.44,80 PR tcp
02/11/2009 10:06:03.105779 STATE:NEW 130.207.192.37,3169 -> 130.207.192.44,443 PR tcp
02/11/2009 10:06:03.108305 STATE:NEW 130.207.192.37,3174 -> 130.207.192.44,443 PR tcp
02/11/2009 10:06:03.110413 STATE:NEW 130.207.192.37,3178 -> 130.207.192.44,80 PR tcp
Thanks for your help and time with this problem. I edited this post because I was not logging the out packets.

Last edited by red118a; 11-02-2009 at 09:10 AM.
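The procedure from post #6 (switch the catch-all rules to `block ... log body`, reproduce the delay, read `ipmon -a`) leaves you with a wall of STATE lines like the ones in post #7, and the interesting entries are easy to miss by eye. The script below is an added example for this thread; it is not code from the posts or from IP Filter. It pairs each STATE:NEW with its STATE:EXPIRE, flags entries that only ever carried traffic in one direction, and tallies any per-packet `b` (blocked) lines by port and direction. The embedded sample log is constructed with RFC 5737 addresses in the same layout as the post, and the per-packet line layout ("<iface> @group:rule b src,port -> dst,port PR proto ... IN|OUT") is assumed from ipmon's usual output, so adjust PACKET_RE if your ipmon prints something different.

```python
"""Summarise `ipmon -a` output: what the ruleset dropped and which flows never got a reply.
Added example for this thread (not code from the posts or from IP Filter); SAMPLE_LOG is
constructed with RFC 5737 addresses, and the per-packet line layout is assumed from ipmon.
"""
import re
import sys
from collections import Counter
from datetime import datetime

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)"
FLOW = r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
# STATE:NEW / STATE:EXPIRE lines as shown in the post above; EXPIRE carries the counters.
STATE_RE = re.compile(
    TS + r" STATE:(?P<event>NEW|EXPIRE) " + FLOW
    + r"(?: Forward: Pkts in (?P<fin>\d+) Bytes in \d+ Pkts out (?P<fout>\d+) Bytes out \d+"
    + r" Backward: Pkts in (?P<bin>\d+) Bytes in \d+ Pkts out (?P<bout>\d+) Bytes out \d+)?$")
# Per-packet line from a rule with `log` (assumed layout: "<iface> @group:rule b src,port ->
# dst,port PR proto ... IN|OUT"); action b = blocked, p = passed. Hex dump lines from
# `log body` simply do not match and are skipped.
PACKET_RE = re.compile(
    TS + r" (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[bpnSL]\S*) " + FLOW + r" .*\b(?P<dir>IN|OUT)\b")


def _ts(text):
    return datetime.strptime(text, "%d/%m/%Y %H:%M:%S.%f")


def _flow(d):
    return (d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"]))


def parse_line(line):
    """Return a dict for a state or packet line, None for anything else."""
    line = line.strip()
    m = STATE_RE.match(line)
    if m:
        d = m.groupdict()
        rec = {"kind": "state", "event": d["event"], "ts": _ts(d["ts"]), "flow": _flow(d)}
        if d["event"] == "EXPIRE":
            # Forward = direction the state was created in, Backward = replies to it.
            rec["forward"] = int(d["fin"]) + int(d["fout"])
            rec["backward"] = int(d["bin"]) + int(d["bout"])
        return rec
    m = PACKET_RE.match(line)
    if m:
        d = m.groupdict()
        return {"kind": "packet", "action": d["action"][0], "rule": d["rule"],
                "dir": d["dir"], "ts": _ts(d["ts"]), "flow": _flow(d)}
    return None


def analyze(lines):
    """Pair STATE:NEW with STATE:EXPIRE per flow and count blocked packets."""
    blocked = Counter()   # (direction, proto, dport) -> packets the filter dropped
    opened = {}           # flow -> time its state entry was created
    unanswered = []       # (flow, seconds alive) for entries that saw traffic one way only
    answered = 0
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "packet":
            if rec["action"] == "b":
                blocked[(rec["dir"], rec["flow"][0], rec["flow"][4])] += 1
        elif rec["event"] == "NEW":
            opened[rec["flow"]] = rec["ts"]
        else:
            started = opened.pop(rec["flow"], None)
            alive = (rec["ts"] - started).total_seconds() if started else None
            if rec["forward"] and rec["backward"]:
                answered += 1
            else:
                unanswered.append((rec["flow"], alive))
    return {"blocked": blocked, "answered": answered,
            "unanswered": unanswered, "still_open": sorted(opened)}


def report(lines):
    """One finding per line, suitable for eyeballing after reproducing the delay."""
    r = analyze(lines)
    out = [f"{r['answered']} state entries expired with traffic both ways"]
    out += [f"BLOCKED {d} {p}/{port}: {n} packet(s)" for (d, p, port), n in sorted(r["blocked"].items())]
    out += [f"NO REPLY {f[0]} {f[1]},{f[2]} -> {f[3]},{f[4]} after {alive}s" for f, alive in r["unanswered"]]
    out += [f"OPEN {f[0]} {f[1]},{f[2]} -> {f[3]},{f[4]}" for f in r["still_open"]]
    return out


# Constructed sample: one DNS query answered, one whose reply the block rule dropped,
# one ssh session still open, one ssh SYN from outside the allowed subnet dropped.
SAMPLE_LOG = """\
02/11/2009 10:05:16.877285 STATE:NEW 192.0.2.44,65505 -> 192.0.2.150,53 PR udp
02/11/2009 10:05:16.879376 STATE:NEW 192.0.2.44,65506 -> 192.0.2.151,53 PR udp
02/11/2009 10:05:17.001000 e1000g0 @0:2 b 192.0.2.151,53 -> 192.0.2.44,65506 PR udp len 20 91 IN
02/11/2009 10:05:18.300000 STATE:NEW 198.51.100.7,40122 -> 192.0.2.44,22 PR tcp
02/11/2009 10:05:20.500000 e1000g0 @0:1 b 203.0.113.9,51000 -> 192.0.2.44,22 PR tcp len 20 60 -S IN
02/11/2009 10:05:29.176875 STATE:EXPIRE 192.0.2.44,65505 -> 192.0.2.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176900 STATE:EXPIRE 192.0.2.44,65506 -> 192.0.2.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 0 Bytes in 0 Pkts out 0 Bytes out 0
"""

if __name__ == "__main__":
    # Usage: ipmon -a > ipmon.log ; python ipmon_summary.py ipmon.log
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("\n".join(report(lines)))
```

Applied to the log actually posted above, every UDP/53 entry expires with "Pkts out 1" forward and "Pkts in 1" backward, so the resolver did get its answers from both servers, and the inbound SNMP entry on port 161 was answered too; what to chase next is any line with a `b` action or any expired entry that has nothing in the Backward counters.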
 
Old 11-02-2009, 02:58 PM   #8
jlliagre
Moderator
Not sure it will help, but you might want to try something like:
Code:
pass in quick on e1000g0 proto tcp from xxx to yyy port = 53 flags S keep state keep frags
Alternatively, you can disable the firewall and use snoop to capture and analyse the traffic.
 
  

