Firewalls can create slow SSH logins UNIX
This hint is sort of an anti-hint. Panther and Tiger (client) have a simplified built-in firewall that only filters TCP packets, not UDP packets. If you modify your firewall to filter UDP packets too, and you do it wrong, you may well break some services. No surprises there!

What is a surprise is that if you reject UDP packets for SSH, it still works, but the login process slows down massively, taking perhaps 15 seconds. Apparently, while SSH uses TCP for its primary business, some of the alternative automatic authentication steps like DSA keys try using UDP, and you have to wait for them to time out before it simply asks for your password. It's a really subtle error, so maybe it's worth a hint.

If you want to see this in action, first enable remote login, turn on your firewall, and in a Terminal window, type the following:
sudo ipfw add 4943 deny udp from any to any in
Then go to another (modern) machine and try to login to the Mac using ssh.

WARNING: If you simply delete the firewall rule, the Mac will behave normally, except that it will not allow you to use the GUI firewall tool in system preferences until you reboot. Rebooting also deletes the above rule as well, so you don't actually have to delete it yourself. But if you should want to delete it by hand without rebooting, just type this in the Terminal:
sudo ipfw delete 4943
[robg adds: I haven't tested this apparent slowdown ... this previous hint covered another SSH slowdown and fix.]
which port?
Authored by: nick on Aug 24, '05 12:35:25PM

My ssh login is awfully slow... I forwarded port 22 TCP on my fritzbox to my cube. I tried to forward port 22 UDP as well but it didn't make any difference. It's still about 12 seconds. What's that other 4xxx port you block in your description? Don't the auth-thingies use port 22 for the UDP stuff?



Firewalls can create slow SSH logins
Authored by: YoGi on Aug 24, '05 04:15:56PM

I guess with this ipfw rule you block also dns traffic, which normally uses udp. While ssh is trying to resolve the remote hostname during login you have to wait for the timeout.



Firewalls can create slow SSH logins
Authored by: simes on Aug 24, '05 07:32:58PM

I should probably note that ssh only uses TCP - it doesn't use UDP at all. That firewall rule you've put in place will stop DNS-based name resolution from happening, as that is done on port 53 over UDP. It's not just ssh which will be affected - anything which needs to use DNS to look up a name will fail.

The rule you've got will also only block inbound UDP packets so what is happening is that the DNS request is going out fine, but the reply is being blocked.

A better set of rules to use is something like the following:

sudo ipfw add 4941 allow udp from any to any 53 out keep-state
sudo ipfw add 4943 deny udp from any to any in

I've not tested the above though so whilst it should work, use with caution.



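
The rule-number ordering and keep-state behaviour that simes describes can be replayed with a toy first-match evaluator. This is an added example, not code from the hint or from ipfw itself; it understands only the rule forms quoted in this thread, and the client and resolver addresses are constructed.

```python
# Added example: a minimal model of ipfw first-match evaluation, enough to
# replay the two rule sets in this thread. Not ipfw; real syntax is far richer.
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"

@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    dynamic: set = field(default_factory=set)  # flows opened by keep-state rules

    def add(self, line):
        # "[sudo] ipfw add N action proto from any to any [port] [in|out] [keep-state]"
        t = line.split()
        t = t[1:] if t[0] == "sudo" else t
        words = t[9:]  # everything after "from any to any"
        self.rules.append({"num": int(t[2]), "action": t[3], "proto": t[4],
                           "dport": int(words[0]) if words and words[0].isdigit() else None,
                           "dir": next((w for w in words if w in ("in", "out")), None),
                           "keep": "keep-state" in words})
        self.rules.sort(key=lambda r: r["num"])  # ipfw walks rules in number order

    def check(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        for r in self.rules:
            if r["keep"] and key in self.dynamic:
                return "allow"  # first keep-state rule acts as an implicit check-state
            if r["proto"] != p.proto or (r["dport"] is not None and r["dport"] != p.dport):
                continue
            if r["dir"] is not None and r["dir"] != p.direction:
                continue
            if r["keep"]:  # remember the flow and its reply direction
                self.dynamic.add(key)
                self.dynamic.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return r["action"]
        return "allow"  # default rule 65535 on a stock OS X ipfw setup

def dns_lookup_outcome(rule_lines):
    """Send a DNS query out and its reply back in; report what the rules do to the reply."""
    fw = Firewall()
    for line in rule_lines:
        fw.add(line)
    query = Packet("udp", "10.0.0.2", 50000, "192.0.2.53", 53, "out")  # constructed addresses
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.2", 50000, "in")
    if fw.check(query) != "allow":
        return "query blocked"
    return "reply delivered" if fw.check(reply) == "allow" else "reply dropped (resolver waits for timeout)"
```

With only the `deny udp ... in` rule the reply is dropped and the resolver sits through its timeout; adding the lower-numbered keep-state allow lets the reply back in while still denying unsolicited inbound UDP.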
No this has nothing to do with DNS
Authored by: SOX on Aug 24, '05 10:26:34PM

Clarification:
No this has nothing to do with blocking port 53, DNS

If you execute the above command it will go into the firewall after the allow for UDP to DNS. That's what the high rule number does.



Explanation not possible
Authored by: kholburn on Aug 25, '05 07:41:51AM

If you are behind an external firewall or router then it is extremely unlikely to impossible that any udp packets would get to you, software firewall or not.


