Solaris / OpenSolaris This forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos.
General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.
10-30-2009, 03:00 PM
#1
Member
Registered: Nov 2003
Location: Decatur, Georgia
Distribution: Oracle Solaris 10, Fedora 14
Posts: 39
Rep:
Ipfilters making my ssh connections slow
I need help with IP Filter. My ipf.conf begins with
block in on e1000g0 all
block out on e1000g0 all
I simply want to pass through ssh connections using the following
pass in quick on e1000g0 proto tcp from 10.40.xx.xx/24 to 1xx.xx.xx.44 port = ssh flags S/FSRPAU keep state keep frags
It works, but it is EXTREMELY SLOW: it can take up to 2 minutes for you to get a command prompt after entering the password. It operates normally after that, though. And it does that no matter what order I put the rules in.
What can I do to make my ssh connections instant?
10-30-2009, 04:31 PM
#2
Moderator
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
I would suspect naming resolution blocked by the filter rules.
11-02-2009, 07:12 AM
#3
Member
Registered: Nov 2003
Location: Decatur, Georgia
Distribution: Oracle Solaris 10, Fedora 14
Posts: 39
Original Poster
Rep:
nslookup works, and here is what I put in to make it work. Is there something else that I need for this to move speedily? I have pass out lines for those as well. What else should I do to unblock naming resolution?
Code:
# DNS
pass in quick on e1000g0 proto tcp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto udp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto tcp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
pass in quick on e1000g0 proto udp from 1xx.2xx.1xx.150 to 1xx.2xx.1xx.44 port = 53 keep state
Thanks for your help!
Last edited by red118a; 11-02-2009 at 07:13 AM .
11-02-2009, 07:46 AM
#4
Moderator
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
I would enable packet logging to figure out what ones are blocked and what they are about.
11-02-2009, 07:50 AM
#5
Member
Registered: Nov 2003
Location: Decatur, Georgia
Distribution: Oracle Solaris 10, Fedora 14
Posts: 39
Original Poster
Rep:
How? What would you do? Thanks for your quick responses.
11-02-2009, 08:07 AM
#6
Moderator
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
Something like:
Code:
block in log body on e1000g0 all
block out log body on e1000g0 all
Then, after the problem is reproduced:
Last edited by jlliagre; 11-02-2009 at 08:14 AM .
11-02-2009, 08:21 AM
#7
Member
Registered: Nov 2003
Location: Decatur, Georgia
Distribution: Oracle Solaris 10, Fedora 14
Posts: 39
Original Poster
Rep:
OK, I reproduced the problem, but I'm not sure how to read the log. This is what happens when the firewall is running and I try to ssh in:
Code:
02/11/2009 10:04:59.175843 STATE:EXPIRE 130.207.192.44,65495 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175855 STATE:EXPIRE 130.207.192.44,65496 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175861 STATE:EXPIRE 130.207.192.44,65497 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175866 STATE:EXPIRE 130.207.192.44,65498 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175870 STATE:EXPIRE 130.207.192.44,65499 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175875 STATE:EXPIRE 130.207.192.44,65500 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175879 STATE:EXPIRE 130.207.192.44,65501 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 71 Backward: Pkts in 1 Bytes in 168 Pkts out 0 Bytes out 0
02/11/2009 10:04:59.175884 STATE:EXPIRE 130.207.192.44,65502 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 71 Backward: Pkts in 1 Bytes in 168 Pkts out 0 Bytes out 0
02/11/2009 10:05:01.402470 STATE:NEW 130.207.199.113,39450 -> 130.207.192.57,80 PR tcp
02/11/2009 10:05:02.971662 STATE:NEW 130.207.192.37,2973 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.973025 STATE:NEW 130.207.192.37,2976 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.973408 STATE:NEW 130.207.192.37,2977 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.976119 STATE:NEW 130.207.192.37,2982 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.978226 STATE:NEW 130.207.192.37,2986 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:02.978537 STATE:NEW 130.207.192.37,2987 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.979640 STATE:NEW 130.207.192.37,2989 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:02.980623 STATE:NEW 130.207.192.37,2991 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:03.175967 STATE:EXPIRE 130.207.192.44,65503 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 66 Backward: Pkts in 1 Bytes in 82 Pkts out 0 Bytes out 0
02/11/2009 10:05:04.176002 STATE:EXPIRE 130.207.199.113,37747 -> 130.207.192.44,161 PR udp Forward: Pkts in 1 Bytes in 71 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 81
02/11/2009 10:05:12.993656 STATE:NEW 130.207.192.37,3005 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:12.995007 STATE:NEW 130.207.192.37,3008 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:12.995294 STATE:NEW 130.207.192.37,3009 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:12.997819 STATE:NEW 130.207.192.37,3014 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:12.999789 STATE:NEW 130.207.192.37,3018 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:13.000082 STATE:NEW 130.207.192.37,3019 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:13.001057 STATE:NEW 130.207.192.37,3021 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:13.002048 STATE:NEW 130.207.192.37,3023 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:16.877285 STATE:NEW 130.207.192.44,65505 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.878071 STATE:NEW 130.207.192.44,65506 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.878704 STATE:NEW 130.207.192.44,65507 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.879376 STATE:NEW 130.207.192.44,65508 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:16.879937 STATE:NEW 130.207.192.44,65509 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:16.880499 STATE:NEW 130.207.192.44,65510 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:23.015649 STATE:NEW 130.207.192.37,3037 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.016998 STATE:NEW 130.207.192.37,3040 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.017284 STATE:NEW 130.207.192.37,3041 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.019661 STATE:NEW 130.207.192.37,3046 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.021631 STATE:NEW 130.207.192.37,3050 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:23.021942 STATE:NEW 130.207.192.37,3051 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.023043 STATE:NEW 130.207.192.37,3053 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:23.023887 STATE:NEW 130.207.192.37,3055 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:29.176875 STATE:EXPIRE 130.207.192.44,65505 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176889 STATE:EXPIRE 130.207.192.44,65506 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176895 STATE:EXPIRE 130.207.192.44,65507 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176900 STATE:EXPIRE 130.207.192.44,65508 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176905 STATE:EXPIRE 130.207.192.44,65509 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176909 STATE:EXPIRE 130.207.192.44,65510 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:33.038334 STATE:NEW 130.207.192.37,3069 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.039674 STATE:NEW 130.207.192.37,3072 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.039978 STATE:NEW 130.207.192.37,3073 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.042354 STATE:NEW 130.207.192.37,3078 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.044461 STATE:NEW 130.207.192.37,3082 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:33.044757 STATE:NEW 130.207.192.37,3083 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.045732 STATE:NEW 130.207.192.37,3085 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:33.046718 STATE:NEW 130.207.192.37,3087 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.060034 STATE:NEW 130.207.192.37,3101 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.061384 STATE:NEW 130.207.192.37,3104 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.061674 STATE:NEW 130.207.192.37,3105 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.064053 STATE:NEW 130.207.192.37,3110 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.066163 STATE:NEW 130.207.192.37,3114 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:43.066458 STATE:NEW 130.207.192.37,3115 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.067435 STATE:NEW 130.207.192.37,3117 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:43.068420 STATE:NEW 130.207.192.37,3119 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:46.888335 STATE:NEW 130.207.192.44,65511 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.889108 STATE:NEW 130.207.192.44,65512 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.890026 STATE:NEW 130.207.192.44,65513 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.890557 STATE:NEW 130.207.192.44,65514 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:46.891259 STATE:NEW 130.207.192.44,65515 -> 130.207.199.150,53 PR udp
02/11/2009 10:05:46.891960 STATE:NEW 130.207.192.44,65516 -> 130.207.199.151,53 PR udp
02/11/2009 10:05:53.082020 STATE:NEW 130.207.192.37,3133 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.083365 STATE:NEW 130.207.192.37,3136 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.083655 STATE:NEW 130.207.192.37,3137 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.085895 STATE:NEW 130.207.192.37,3142 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.088014 STATE:NEW 130.207.192.37,3146 -> 130.207.192.44,80 PR tcp
02/11/2009 10:05:53.088300 STATE:NEW 130.207.192.37,3147 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.089278 STATE:NEW 130.207.192.37,3149 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:53.090263 STATE:NEW 130.207.192.37,3151 -> 130.207.192.44,443 PR tcp
02/11/2009 10:05:57.950676 STATE:NEW 130.207.199.113,39537 -> 130.207.192.57,80 PR tcp
02/11/2009 10:05:59.177916 STATE:EXPIRE 130.207.192.44,65511 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177929 STATE:EXPIRE 130.207.192.44,65512 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 77 Backward: Pkts in 1 Bytes in 152 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177934 STATE:EXPIRE 130.207.192.44,65513 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177940 STATE:EXPIRE 130.207.192.44,65514 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177945 STATE:EXPIRE 130.207.192.44,65515 -> 130.207.199.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:05:59.177949 STATE:EXPIRE 130.207.192.44,65516 -> 130.207.199.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 1 Bytes in 63 Pkts out 0 Bytes out 0
02/11/2009 10:06:03.104144 STATE:NEW 130.207.192.37,3165 -> 130.207.192.44,80 PR tcp
02/11/2009 10:06:03.105493 STATE:NEW 130.207.192.37,3168 -> 130.207.192.44,80 PR tcp
02/11/2009 10:06:03.105779 STATE:NEW 130.207.192.37,3169 -> 130.207.192.44,443 PR tcp
02/11/2009 10:06:03.108305 STATE:NEW 130.207.192.37,3174 -> 130.207.192.44,443 PR tcp
02/11/2009 10:06:03.110413 STATE:NEW 130.207.192.37,3178 -> 130.207.192.44,80 PR tcp
Thanks for your help and time helping with this problem. I edited this post because I was not logging the out packets.
Last edited by red118a; 11-02-2009 at 09:10 AM .
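Reading a state log like the one above by eye is tedious; a small parser makes the question "which flows went out and never got an answer?" mechanical. The following is an added example, not code from the thread or from IP Filter itself: it parses ipmon STATE:EXPIRE lines in the format shown above (NEW lines carry no counters and are skipped), using the Forward counters as the original direction and the Backward counters as the reply direction. The log sample is constructed for the example, with RFC 5737 addresses rather than the poster's.

```python
import re
from collections import defaultdict

# Constructed sample in the ipmon state-log format quoted in the thread.
# Two of the DNS queries to .151 are made to expire with no reply, to show
# what a blocked return path looks like; the .150 query and the SNMP poll
# are answered. Addresses are documentation ranges, not the poster's hosts.
SAMPLE_LOG = """\
02/11/2009 10:05:16.877285 STATE:NEW 192.0.2.44,65505 -> 198.51.100.150,53 PR udp
02/11/2009 10:05:16.879376 STATE:NEW 192.0.2.44,65508 -> 198.51.100.151,53 PR udp
02/11/2009 10:05:16.880499 STATE:NEW 192.0.2.44,65510 -> 198.51.100.151,53 PR udp
02/11/2009 10:05:29.176875 STATE:EXPIRE 192.0.2.44,65505 -> 198.51.100.150,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 79 Backward: Pkts in 1 Bytes in 138 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176900 STATE:EXPIRE 192.0.2.44,65508 -> 198.51.100.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 0 Bytes in 0 Pkts out 0 Bytes out 0
02/11/2009 10:05:29.176909 STATE:EXPIRE 192.0.2.44,65510 -> 198.51.100.151,53 PR udp Forward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 63 Backward: Pkts in 0 Bytes in 0 Pkts out 0 Bytes out 0
02/11/2009 10:05:04.176002 STATE:EXPIRE 203.0.113.113,37747 -> 192.0.2.44,161 PR udp Forward: Pkts in 1 Bytes in 71 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 81
"""

# One STATE:EXPIRE line: endpoints, protocol, then packet counters per direction.
EXPIRE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) STATE:EXPIRE (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"Forward: Pkts in (?P<f_in>\d+) Bytes in \d+ Pkts out (?P<f_out>\d+) Bytes out \d+ "
    r"Backward: Pkts in (?P<b_in>\d+) Bytes in \d+ Pkts out (?P<b_out>\d+) Bytes out \d+$"
)

def parse_expired(text):
    """Yield one dict per STATE:EXPIRE line; STATE:NEW lines have no counters and are skipped."""
    for line in text.splitlines():
        m = EXPIRE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "f_in", "f_out", "b_in", "b_out"):
                d[k] = int(d[k])
            yield d

def one_way_flows(text):
    """Expired flows where packets went in the original direction but nothing ever came back."""
    result = []
    for f in parse_expired(text):
        sent = f["f_in"] + f["f_out"]        # packets in the direction the state was created
        replied = f["b_in"] + f["b_out"]     # packets in the reply direction
        if sent and not replied:
            result.append(f)
    return result

def unanswered_by_server(text):
    """Count unanswered flows per (server, port, proto) to see which resolver or service is silent."""
    counts = defaultdict(int)
    for f in one_way_flows(text):
        counts[(f["dst"], f["dport"], f["proto"])] += 1
    return dict(counts)
```

Run it over the output of `ipmon -s` (or the `-S` style state log shown in the thread) and a resolver that shows up in the unanswered list is the first place to look for a missing `pass` rule on the return path; a resolver that is answered but slow is a different problem and needs a packet capture instead.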
11-02-2009, 02:58 PM
#8
Moderator
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
Not sure it will help but you might want to try something like:
Code:
pass in quick on e1000g0 proto tcp from xxx to yyy port = 53 flags S keep state keep frags
Alternatively, you can disable the firewall and use snoop to capture and analyse the traffic.