Dev Shed Forums > Operating Systems > BSD Help > Help! ipfw causing SLOW sshd?
#1
I am running FreeBSD 4.5-RELEASE-p5, and OpenSSH 3.4_2 installed via the ports tree.

I just set up Apache and then DNS, and then firewalled the box with ipfw. Under my current rules everything "works"; the only problem is that since the firewall went on, login time over sshd has become incredibly slow: the initial login prompt is very slow. Denial of a wrong passwd is fast. Access with a correct passwd is slow again. Once I do get a command prompt, speed is normal. netstat is also very slow in returning any output. w returning its output is slower than normal.

The machine has two IP addresses on the same interface (rl0). The idea in the rules is to have sshd, httpd, email and DNS on the primary IP, while only DNS is on the secondary IP. sshd and httpd are bound to the primary IP from their config files, and email is not running yet.

Here are my current ipfw rules as they appear in /etc/rc.firewall:

    ### Allow any ssh traffic to primary ip ###
    ${fwcmd} add pass tcp from any to ${pip} 22 setup
    ### Allow TCP through if setup succeeded ###
    ${fwcmd} add pass tcp from any to any established
    ### Allow IP fragments to pass through ###
    ${fwcmd} add pass all from any to any frag
    ### Allow http traffic to primary ip ###
    ${fwcmd} add pass tcp from any to ${pip} 80 setup
    ### Allow setup of incoming email to primary ip ###
    ${fwcmd} add pass tcp from any to ${pip} 25 setup
    ### Allow incoming DNS queries to all addresses ###
    ${fwcmd} add pass udp from any to any 53
    ### Allow setup of outgoing connections only ###
    ${fwcmd} add pass tcp from me to any setup
    ${fwcmd} add pass udp from me to any keep-state
    ${fwcmd} add pass icmp from me to any keep-state

Here they are again as displayed by ipfw show:

    00100     0     0 allow ip from any to any via lo0
    00200     0     0 deny ip from any to 127.0.0.0/8
    00300     0     0 deny ip from 127.0.0.0/8 to any
    00400     2   108 allow tcp from any to 12.158.191.94 22 setup
    00500   855 66249 allow tcp from any to any established
    00600     0     0 allow ip from any to any frag
    00700     1    48 allow tcp from any to 12.158.191.94 80 setup
    00800     0     0 allow tcp from any to 12.158.191.94 25 setup
    00900    25  1850 allow udp from any to any 53
    01000     0     0 allow tcp from me to any setup
    01100     0     0 allow udp from me to any keep-state
    01200     0     0 allow icmp from me to any keep-state
    65535   216 26717 deny ip from any to any

sysctl.conf entries:

    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1
    net.inet.ip.ttl=68

thanks
-jon door

Last edited by jondoor : July 6th, 2002 at 01:12 AM.
#2
1) How do you know it must be the firewall problem?
2) How about FTP? Apache?
3) Zip and attach your /etc/ssh/ssh_config, /etc/ssh/sshd_config, /etc/hosts.allow, /etc/resolv.conf and /etc/hosts here.
#3
It turned out to be a problem with name resolution.

I tweaked my rules to make port 53 stateful:

    ${fwcmd} add pass udp from any to any 53 keep-state

It seems to be all smoothed out now.

thanks
-Jon Door

Last edited by jondoor : July 6th, 2002 at 10:47 AM.
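Why the one-word fix above works is worth spelling out, because the original ruleset looks stateful at first glance. In the first post, rule 900 (`allow udp from any to any 53`) sits before the stateful rule 1100 (`allow udp from me to any keep-state`). A query sent by the host's own resolver to a name server on port 53 is passed by rule 900 first, so it never reaches 1100 and no dynamic entry is created. The reply (source port 53, destination an ephemeral port) matches neither rule 900 nor the static part of 1100, finds no dynamic entry when the dynamic table is consulted, and falls through to the default deny at 65535. Reverse lookups done by sshd, netstat and w then wait for a resolver timeout, which is exactly the slowness described. Answers sent by the host's own name server to remote clients, by contrast, were passed by rule 1100 all along, which is why serving DNS appeared to work while the host's own lookups hung. The model below is an added example written for this page, not code from the thread; it reproduces ipfw's first-match walk and its rule that, with no `check-state` present, the dynamic table is checked at the first `keep-state` rule reached. Only the rules that can touch a UDP packet are modelled, the TCP `setup`/`established` options are ignored, and the second address, the upstream name server and the remote DNS client are constructed addresses the thread does not give.

```python
# Added example (editor's model, not the poster's configuration) of how
# ipfw on FreeBSD 4.x evaluates the rules from this thread against the
# host's own DNS traffic, before and after making rule 900 stateful.
from dataclasses import dataclass
from typing import Optional

PRIMARY_IP = "12.158.191.94"      # from the poster's 'ipfw show' output
SECONDARY_IP = "192.0.2.95"       # constructed; the thread does not give it
ME = {PRIMARY_IP, SECONDARY_IP}   # what the ipfw keyword 'me' matches
NAMESERVER = "192.0.2.53"         # constructed upstream resolver
DNS_CLIENT = "198.51.100.7"       # constructed remote client of our named


@dataclass
class Rule:
    num: int
    action: str                  # "allow" or "deny"
    proto: str                   # "ip", "udp", "tcp" or "icmp"
    src: str                     # "any", "me" or an address
    dst: str
    dport: Optional[int] = None  # destination port; None means any
    keep_state: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or (spec == "me" and addr in ME) or spec == addr


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}  # flow 5-tuple -> (rule number, action) that created it

    def _static_match(self, r: Rule, p: Packet) -> bool:
        return (r.proto in ("ip", p.proto)
                and addr_ok(r.src, p.src) and addr_ok(r.dst, p.dst)
                and (r.dport is None or r.dport == p.dport))

    def filter(self, p: Packet):
        """First-match walk; returns (rule number, action), i.e. the rule
        whose 'ipfw show' counters the packet would be credited to."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        state_checked = False
        for r in self.rules:
            # With no check-state rule, ipfw consults the dynamic ruleset
            # once, at the first keep-state rule the walk reaches.
            if r.keep_state and not state_checked:
                state_checked = True
                hit = self.dynamic.get(fwd) or self.dynamic.get(rev)
                if hit:
                    return hit
            if self._static_match(r, p):
                if r.keep_state:
                    self.dynamic[fwd] = (r.num, r.action)
                return (r.num, r.action)
        raise RuntimeError("ruleset has no default rule")


def original_rules():
    """Rules 900-1200 from the first post plus the default deny."""
    return [
        Rule(900, "allow", "udp", "any", "any", 53),              # not stateful
        Rule(1000, "allow", "tcp", "me", "any"),
        Rule(1100, "allow", "udp", "me", "any", keep_state=True),
        Rule(1200, "allow", "icmp", "me", "any", keep_state=True),
        Rule(65535, "deny", "ip", "any", "any"),
    ]


def fixed_rules():
    """The same ruleset with the poster's fix: rule 900 made stateful."""
    rules = original_rules()
    rules[0] = Rule(900, "allow", "udp", "any", "any", 53, keep_state=True)
    return rules


def resolver_round_trip(rules):
    """The host's resolver queries the name server and the reply comes back.
    Returns the verdict for the query and for the reply."""
    fw = Ipfw(rules)
    query = Packet("udp", PRIMARY_IP, 1025, NAMESERVER, 53)
    reply = Packet("udp", NAMESERVER, 53, PRIMARY_IP, 1025)
    return fw.filter(query), fw.filter(reply)


def served_round_trip(rules):
    """A remote client queries named on the secondary address and is answered."""
    fw = Ipfw(rules)
    query = Packet("udp", DNS_CLIENT, 4000, SECONDARY_IP, 53)
    answer = Packet("udp", SECONDARY_IP, 53, DNS_CLIENT, 4000)
    return fw.filter(query), fw.filter(answer)


if __name__ == "__main__":
    for name, build in (("original", original_rules), ("fixed", fixed_rules)):
        print(name, "resolver:", resolver_round_trip(build()),
              "served:", served_round_trip(build()))
```

Running it shows the reply to the host's own query hitting rule 65535 under the original rules and rule 900 under the fixed ones, while the answer from named to a remote client is allowed either way (by 1100 originally, by 900 after the fix). The general lesson is that a stateless `allow` placed before a `keep-state` rule silently steals the packets that were meant to create state; putting an explicit `check-state` rule near the top of the set, rather than relying on where the first `keep-state` rule happens to sit, makes that dependency visible.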