
List:       ipfilter
Subject:    Re: slow ssh with ipnat rules
From:       Erik Hovland <ehovland () huey ! jpl ! nasa ! gov>
Date:       2000-12-21 21:50:50

On Wed, 20 Dec 2000, Clayton Fiske wrote:

> Date: Wed, 20 Dec 2000 16:29:58 -0800
> From: Clayton Fiske <clay@bloomcounty.org>
> To: Erik Hovland <ehovland@huey.jpl.nasa.gov>
> Cc: ipfilter@coombs.anu.edu.au
> Subject: Re: slow ssh with ipnat rules
> 
> On Wed, Dec 20, 2000 at 04:16:03PM -0800, Erik Hovland wrote:
> > We just installed ipfilter 3.4.15 on an Ultra80 running solaris 8 6/00. We
> > have no filter rules currently, only NAT rules, they are:
> > map hme0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
> > map hme0 192.168.100.0/24 -> 0/32 portmap tcp/udp 40000:60000
> > map hme0 192.168.100.0/24 -> 0/32
> > 
> > Everything is rosy, except if one connects to the NAT box and then tries to
> > connect to any of the boxes behind the NAT box, like so:
> > dilbert> ssh asok
> > asok> ssh pointy
> > ... get a cup of coffee, read your email, search deja
> > password for ehovland@pointy:
> > 
> > Where the network looks like:
> > Internet=======asok=====pointy
> >                NAT box  NAT client
> > 
> > The connection eventually sets up but is painfully slow. Only ssh does
> > this, all other services work like a charm (where enabled). If we turn NAT
> > off, everything works fine. Another point is that ssh is Portable OpenSSH
> > 2.3.0p1. There should be no ipv6 involved, only ol' ipv4. The
> > network connection between them is a fiber and two Sun GE 2.0
> > ethernet cards. The NAT client is running solaris 2.6 fully patched.
> 
> You're using private space when you have NAT turned on, right?

Yes, see rule set above.

> If so, the reason it's taking so long is probably that sshd is trying to
> resolve that private address to a name. Almost every time I've had
> ssh hang at login it's been a DNS issue.

Is this likely? With NAT turned on the NAT client would be able to quickly
resolve that the private address does not have a dns name. Also both the
NAT client (which is the box I am trying to connect to) and the NAT server
have this line in their nsswitch.conf:
hosts:  files dns

And they have entries in their hosts file for each other.

Any advice on how to diagnose this further would be very helpful. Thanks
for the suggestions.

E

--
Erik Hovland
Member of Technical Staff, Interferometer Section - 383
Work Phone:    (818) 354-1994
Pager:         (800) 759-8888 PIN:1251444 or 1251444@skymail.com
E-mail:        ehovland@huey.jpl.nasa.gov

I speak for myself not JPL.
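One way to check the reverse-lookup theory raised in this thread, as an added example that is not part of the original message or of ipfilter/OpenSSH: confirm whether the peer address actually has an /etc/hosts entry (so that `hosts: files dns` never reaches DNS), then time a live reverse lookup with a bound on how long to wait. The sample hosts file and its addresses are constructed for illustration.

```python
"""Diagnose whether a slow ssh login is waiting on a reverse DNS lookup."""
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import List, Optional, Tuple


def hosts_entries_for(hosts_text: str, address: str) -> List[str]:
    """Return the names a hosts file maps to `address` (empty list if none).

    With `hosts: files dns`, a hit here means the resolver answers from the
    file and never queries DNS, so the hang must come from somewhere else.
    """
    names = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == address:
            names.extend(fields[1:])
    return names


def timed_reverse_lookup(address: str, timeout: float = 5.0) -> Tuple[Optional[str], float]:
    """Resolve `address` through the system resolver; return (name, seconds).

    name is None when the lookup fails or exceeds `timeout`. A multi-second
    delay here is exactly what sshd would wait through at login.
    """
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(socket.gethostbyaddr, address)
    try:
        name = future.result(timeout=timeout)[0]
    except (FutureTimeout, OSError):
        name = None
    pool.shutdown(wait=False)   # do not block on a lookup that is still hanging
    return name, time.monotonic() - start


# Constructed sample hosts file; the addresses and names are hypothetical.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
192.168.100.1  asok asok.example.net   # NAT box
192.168.100.2  pointy                  # NAT client
"""

if __name__ == "__main__":
    for addr in ("192.168.100.1", "192.168.100.99"):
        print(addr, "hosts file:", hosts_entries_for(SAMPLE_HOSTS, addr))
        print(addr, "resolver:", timed_reverse_lookup(addr, timeout=3.0))
```

Run it on the NAT client with the address sshd sees for the incoming connection; a long `resolver` time with an empty `hosts file` list points at DNS, while a quick answer means the delay is elsewhere.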
