Re: SSH Connection Time Problems

From: Erik Trulsson (ertr1013@student.uu.se)
Date: 04/17/02


Date: Wed, 17 Apr 2002 00:35:00 +0200
From: Erik Trulsson <ertr1013@student.uu.se>
To: "Michael W. Collette" <metrol@metrol.net>

On Tue, Apr 16, 2002 at 03:23:37PM -0700, Michael W. Collette wrote:

[This should probably have gone to -questions instead.]

> Recently I have had some problems with getting an SSH connection from my
> FreeBSD 4.5-Stable box to my web hosting company's servers, also running
> FreeBSD. It takes over a minute to establish a connection, which is really
> mucking up the tunnelling of services I have going to them.

Two possibilities come to mind: DNS or ident

> Initially I was thinking that something changed on the web host, as I was able
> to make http and pop3 connections to them without delay. Upon writing them
> about this they suggested that the problem with network latency. Didn't make
> much sense to me, as latency shouldn't be protocol specific. Even still, I
> contacted my ISP about this.

Probably not DNS then.

>
> The tech at my ISP didn't have any delay getting a connection to the web host.
> He then set me up with a shell account on a RedHat box they were running
> their hosting on. I was able to get an SSH connection directly to them
> without delay.
>
> I'm running IPFW here, so I added a pass everything rule to cancel it out. No
> difference.

Try adding the following rule to your IPFW rule set.

ipfw add reset tcp from any to me 113

Normally when you try to connect with ssh, the ssh daemon at the other
end tries to connect to port 113 (auth) on your machine to see who you
are. If nothing is listening on that port it will eventually continue
anyway.

The 'reset' rule I gave above will immediately return a 'nobody
listening here' message to the other end instead of just dropping the
packet and thus forcing the other to wait for a timeout (which takes
about a minute.)

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message