From owner-freebsd-questions Thu Aug 29 10:28:12 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D0CD37B400 for ; Thu, 29 Aug 2002 10:28:07 -0700 (PDT)
Received: from hivemind.trini0.org (bgp626680bgs.brick201.nj.comcast.net [68.39.132.244]) by mx1.FreeBSD.org (Postfix) with SMTP id DFF8D43E42 for ; Thu, 29 Aug 2002 10:28:06 -0700 (PDT) (envelope-from gsam@trini0.org)
Received: (qmail 2815 invoked by uid 0); 29 Aug 2002 17:28:06 -0000
Received: from unknown (HELO trini0.org) (192.168.0.3) by hivemind.trini0.org with SMTP; 29 Aug 2002 17:28:06 -0000
Message-ID: <3D6E59A6.1020106@trini0.org>
Date: Thu, 29 Aug 2002 13:28:06 -0400
From: Gerard Samuel
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20020829
X-Accept-Language: en, en-us
MIME-Version: 1.0
To: Linh Pham
Cc: FreeBSD Questions
Subject: Re: SSH, Sessions, Connections from the outside.
References: <20020829093935.W11590-100000@q.closedsrc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I'm using ipfilter. I do have ICMP traffic blocked. I believe from the logs
that 198.107.27.228 was you pinging me. But I haven't changed the ruleset in
months. Can't see why that is the problem, because all the people who are
trying to connect to the box get the login prompt, but after they enter the
user/pass they get a session password box to enter a session password.
Something I don't get from inside the LAN.
My IP is 68.39.132.244.
As far as the firewall is concerned, port 22 is open.
Here is my ruleset ->

# ed0 is the external interface, IP w,x,y,z
# fxp0 is the internal interface, IP 192.168.0.1

# default policy
# (ipfilter: the last matching rule wins unless a matching rule says "quick",
#  so these two blocks are overridden by any later pass rule that matches)
block in log from any to any
block out log from any to any

# loopback interface
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any

# allow traffic to flow freely within internal network
pass in on fxp0 from 192.168.0.0/16 to any
pass out on fxp0 from any to 192.168.0.0/16

# allow ssh connections
# (no "on ed0" here, so this rule matches on every interface)
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags

# allow all outbound connections, initiated by me
pass out on ed0 proto tcp from any to any flags S keep state keep frags
pass out on ed0 proto icmp from any to any keep state
pass out on ed0 proto udp from any to any keep state

# allow ISP dhcp server to touch my box
pass in on ed0 proto udp from 10.109.104.1/32 to any port = 68

# Pass in www traffic
pass in on ed0 proto tcp from any to 192.168.0.2 port = 80 flags S keep state keep frags

# Pass in mail traffic
pass in quick on ed0 proto tcp from any to 192.168.0.2 port = 25 flags S keep state keep frags

Thanks

Linh Pham wrote:

>On 2002-08-29, Gerard Samuel scribbled:
>
># Hey all. I used to have people connect to my firewall box using a
># windows prog called WinSCP.
># I guess with the recent changes with ssh/scp family they are unable to
># connect to it.
># They keep getting an option to enter a session password.
>
>[snip]
>
># If you don't mind, and if you have access to WinSCP or something
># similar, can you try connecting to ->
># www.trini0.org:22
># username/pass: developer/awol
>#
># to help me figure out what I need to do to resolve my problem.
>
>I am unable to ping the machine nor am I able to get a port scan on the
>machine. Is your firewall ruleset set to deny all incoming traffic? Make
>sure that you allow the necessary ports and possibly ICMP traffic
>through.
>Just to confirm that the hostname points to the right IP
>address, trini0.org and www.trini0.org are resolving to 68.39.132.244.
>
>Which firewall program (ipfw/ipfilter, pf, etc.) are you using? Thanks.
>
>--
>
>Linh Pham                          lplist@closedsrc.org
>Webmaster and FreeBSD Geek         http://closedsrc.org
>closedsrc.org                      Every solution breeds new problems
>

--
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
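The exchange above turns on how ipfilter reads a ruleset: rules are evaluated top to bottom, the last matching rule wins, and a matching rule marked "quick" ends evaluation on the spot. The following Python script is an added example (not code from either mail) that models just those semantics and runs the posted ruleset against constructed inbound packets on ed0, using the two addresses that appear in the thread (68.39.132.244 for Gerard's box, 198.107.27.228 for Linh's probes). It deliberately leaves out the state table, fragment handling and NAT, so each packet is judged on its headers alone; the `probe` helper, the sample packets and the source port 40000 are assumptions for the demo, not anything from the mail.

```python
"""Minimal model of ipfilter rule matching, applied to the ruleset posted above.

Added example, not code from the mail.  ipfilter semantics modelled: rules are
read top to bottom, the LAST matching rule wins, except that a matching rule
marked `quick` ends evaluation at once.  State table, fragments and NAT are not
modelled; a packet is judged on its headers alone.
"""
import ipaddress
import re

# The posted ruleset with its comments removed.
RULESET = """
block in log from any to any
block out log from any to any
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass in on fxp0 from 192.168.0.0/16 to any
pass out on fxp0 from any to 192.168.0.0/16
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
pass out on ed0 proto tcp from any to any flags S keep state keep frags
pass out on ed0 proto icmp from any to any keep state
pass out on ed0 proto udp from any to any keep state
pass in on ed0 proto udp from 10.109.104.1/32 to any port = 68
pass in on ed0 proto tcp from any to 192.168.0.2 port = 80 flags S keep state keep frags
pass in quick on ed0 proto tcp from any to 192.168.0.2 port = 25 flags S keep state keep frags
"""

# Covers only the rule syntax that appears above (no groups, no port ranges).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?"
    r"(?:\s+flags\s+(?P<flags>\S+))?")


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        d = m.groupdict()
        d["quick"], d["log"], d["text"] = bool(d["quick"]), bool(d["log"]), line.strip()
        d["sport"] = int(d["sport"]) if d["sport"] else None
        d["dport"] = int(d["dport"]) if d["dport"] else None
        rules.append(d)
    return rules


def addr_match(spec, addr):
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(r, pkt):
    """pkt keys: dir, iface, proto, src, dst, sport, dport, syn."""
    return (r["dir"] == pkt["dir"]
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and (r["sport"] is None or r["sport"] == pkt.get("sport"))
            and (r["dport"] is None or r["dport"] == pkt.get("dport"))
            and (r["flags"] != "S" or pkt.get("syn", False)))


def evaluate(rules, pkt):
    """Return (action, winning rule text, logged) under ipfilter's last-match rule."""
    winner = None
    for r in rules:
        if rule_matches(r, pkt):
            winner = r
            if r["quick"]:
                break  # 'quick': stop here, later rules cannot override
    if winner is None:
        return "pass", None, False  # ipfilter passes when nothing matches
    return winner["action"], winner["text"], winner["log"]


RULES = parse_rules(RULESET)


def probe(proto, dport=None, dst="68.39.132.244", src="198.107.27.228", syn=True):
    """Constructed inbound packet arriving on ed0 (addresses taken from the thread)."""
    pkt = {"dir": "in", "iface": "ed0", "proto": proto, "src": src, "dst": dst,
           "sport": 40000, "dport": dport, "syn": syn}
    return evaluate(RULES, pkt)


if __name__ == "__main__":
    cases = {
        "ping from 198.107.27.228": probe("icmp"),
        "SYN to port 22": probe("tcp", 22),
        "bare ACK to port 22": probe("tcp", 22, syn=False),
        "SYN to port 443": probe("tcp", 443),
        "SYN to 192.168.0.2:80": probe("tcp", 80, dst="192.168.0.2"),
        "DHCP from 10.109.104.1": probe("udp", 68, src="10.109.104.1"),
    }
    for label, (action, rule, logged) in cases.items():
        print(f"{label:28} -> {action:5} {'(logged) ' if logged else ''}{rule}")
```

Run as-is, the script shows why Linh's ping and port scan came back empty while SSH still answered: the ICMP echo and the SYN to 443 fall through to the initial "block in log" rule (which is also where the logged 198.107.27.228 entries come from), while a SYN to port 22 is short-circuited by the "quick" SSH rule and SYNs to 192.168.0.2 on 80 or 25 are passed by the later, more specific rules. A bare ACK to port 22 with no state is blocked, which is what "flags S keep state" buys: only connection-opening packets can create an allowed flow.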