On Fri, May 04, 2007 at 08:00:06AM +0200, Tang Tse wrote:
> Hi again,
>
> I follow with my own fight with PF. (Sorry to send another mail, but I can't
> really fix this.)
>
> If I reduce pf.conf to the following rules:
>
> block in all
> pass in on $int_if proto {tcp,udp} from any to any port 22 keep state
>
> I can connect to ssh, but it takes at least one minute to ask me the user and
> pass.
>
> If I change it to block in on $ext_if all, then I can connect with the
> normal speed.
So there's a question begging here: what _other_ traffic is being blocked by
"block in all" that is allowed through by the other option?

Hint: think about running sshd in debug to see what takes so long. Or use pf
"block in log all" (or whatever the appropriate syntax is) to see what is
dropped.

My guess is that your resolver is not accessible for some reason in the slow
case and ssh is timing out on the reverse lookup for the client connection.

a+
scorch
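As an added example (not part of the thread), a small POSIX shell check for the diagnosis above: it scans the output of tcpdump on pflog0, after a "block in log all" rule has been loaded, for inbound DNS replies that pf dropped. The interface names, addresses and log lines below are constructed.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (timestamps
# dropped) on a host running "block in log all"; addresses are RFC 5737
# documentation addresses, interface names are made up.
PFLOG_SAMPLE='rule 0/0(match): block in on fxp0: 192.0.2.53.53 > 198.51.100.10.49152: udp 93
rule 1/0(match): pass in on fxp1: 198.51.100.20.40001 > 198.51.100.10.22: tcp 60
rule 0/0(match): block in on fxp0: 192.0.2.53.53 > 198.51.100.10.49153: udp 93
rule 0/0(match): block in on fxp0: 203.0.113.7.123 > 198.51.100.10.123: udp 76'

# Print every logged packet that pf blocked inbound and whose source port is
# 53: these are the resolver's replies to the firewall's own queries. Losing
# them is what makes sshd's reverse lookup of the client wait for a timeout.
# (The usual remedy is to let the outbound query create state, e.g.
#  "pass out proto udp from any to any port 53 keep state", so that the reply
#  is matched by state instead of by "block in all".)
blocked_dns_replies() {
    awk '/ block in on [^ ]+: [^ ]+\.53 > /'
}

# Count the dropped replies in the sample; a non-zero count is the signature
# of the slow-login case described in the thread.
count_blocked_dns_replies() {
    printf '%s\n' "$PFLOG_SAMPLE" | blocked_dns_replies | wc -l | tr -d ' '
}

# Run against the constructed sample. On a live box, pipe tcpdump's pflog0
# output into blocked_dns_replies instead.
printf '%s\n' "$PFLOG_SAMPLE" | blocked_dns_replies
```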