From owner-freebsd-questions Fri Aug 30 08:07:09 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D39337B400 for ; Fri, 30 Aug 2002 08:07:03 -0700 (PDT)
Received: from hivemind.trini0.org (bgp626680bgs.brick201.nj.comcast.net [68.39.132.244]) by mx1.FreeBSD.org (Postfix) with SMTP id 400F043E65 for ; Fri, 30 Aug 2002 08:07:02 -0700 (PDT) (envelope-from gsam@trini0.org)
Received: (qmail 4455 invoked by uid 0); 30 Aug 2002 15:07:01 -0000
Received: from unknown (HELO trini0.org) (192.168.0.3) by hivemind.trini0.org with SMTP; 30 Aug 2002 15:07:01 -0000
Message-ID: <3D6F8A15.7080306@trini0.org>
Date: Fri, 30 Aug 2002 11:07:01 -0400
From: Gerard Samuel
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20020829
X-Accept-Language: en, en-us
MIME-Version: 1.0
To: Gerard Samuel
Cc: Linh Pham , FreeBSD Questions , jpmichel@jcontinuum.ca, john.m.mills@alum.mit.edu
Subject: Re: SSH, Sessions, Connections from the outside.
References: <20020829093935.W11590-100000@q.closedsrc.org> <3D6E59A6.1020106@trini0.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Joke of the day.

I finally was able to get an account at a friend's box, and I ssh back to my box using my personal account. I ended up on my all-purpose server instead of my firewall box inside the LAN. The reason why no one was able to log in was that the user 'developer' doesn't exist on the all-purpose server but on the firewall box.

A few weeks ago, I was setting up CVS on this all-purpose box, and redirected all port 22 traffic from the firewall to this box.

So that solves my little mystery. Thanks for your help and let me get to work to do some reconfiguring.....
:)

Gerard Samuel wrote:

> I'm using ipfilter.
> I do have ICMP traffic blocked. I believe from the logs that 198.107.27.228 was you pinging me.
> But I haven't changed the ruleset in months. Can't see why that is the problem, because all the people who are trying to connect to the box get the login prompt, but after they enter the user/pass they get a session password box to enter a session password. Something I don't get from inside the LAN.
> My IP is 68.39.132.244. As far as the firewall is concerned, port 22 is open. Here is my ruleset ->
>
> # ed0 is the external interface, IP w,x,y,z
> # fxp0 is the internal interface, IP 192.168.0.1
>
> # default policy
> block in log from any to any
> block out log from any to any
>
> # loopback interface
> pass in quick on lo0 from any to any
> pass out quick on lo0 from any to any
>
> # allow traffic to flow freely within internal network
> pass in on fxp0 from 192.168.0.0/16 to any
> pass out on fxp0 from any to 192.168.0.0/16
>
> # allow ssh connections
> pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
>
> # allow all outbound connections, initiated by me
> pass out on ed0 proto tcp from any to any flags S keep state keep frags
> pass out on ed0 proto icmp from any to any keep state
> pass out on ed0 proto udp from any to any keep state
>
> # allow ISP dhcp server to touch my box
> pass in on ed0 proto udp from 10.109.104.1/32 to any port = 68
>
> # Pass in www traffic
> pass in on ed0 proto tcp from any to 192.168.0.2 port = 80 flags S keep state keep frags
>
> # Pass in mail traffic
> pass in quick on ed0 proto tcp from any to 192.168.0.2 port = 25 flags S keep state keep frags
>
> Thanks
>
> Linh Pham wrote:
>
>> On 2002-08-29, Gerard Samuel scribbled:
>>
>> # Hey all. I used to have people connect to my firewall box using a
>> # windows prog called WinSCP.
>> # I guess with the recent changes with ssh/scp family they are unable to
>> # connect to it.
>> # They keep getting an option to enter a session password.
>>
>> [snip]
>>
>> # If you don't mind, and if you have access to WinSCP or something
>> # similar, can you try connecting to ->
>> # www.trini0.org:22
>> # username/pass: developer/awol
>> #
>> # to help me figure out what I need to do to resolve my problem.
>>
>> I am unable to ping the machine nor am I able to get a port scan on the
>> machine. Is your firewall ruleset set to deny all incoming traffic? Make
>> sure that you allow the necessary ports and possibly ICMP traffic
>> through. Just to confirm that the hostname points to the right IP
>> address, trini0.org and www.trini0.org are resolving to 68.39.132.244.
>>
>> Which firewall program (ipfw/ipfilter, pf, etc.) are you using? Thanks.
>>
>> --
>>
>> Linh Pham lplist@closedsrc.org
>> Webmaster and FreeBSD Geek http://closedsrc.org
>> closedsrc.org Every solution breeds new problems
>

--
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
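The root cause in the thread was a forgotten ipnat redirect: the filter ruleset above says port 22 is open, but an `rdr` rule sent that traffic to a different internal host, so visitors reached a box where their account did not exist. The script below is an added example, not code from the thread or from IP Filter itself; it parses the text of `ipnat -l` and reports which internal host actually answers each externally exposed port, so a redirect like this one shows up before anyone has to debug it by logging in. The listing it reads is constructed for the example, and the interface, hosts and ports in it (ed0, 192.168.0.2, 192.168.0.3) are assumptions rather than the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): given the text of `ipnat -l`, report which
# internal host each externally exposed port is redirected to. The listing below is
# constructed; the interface, hosts and ports in it are assumptions, not the poster's.
SAMPLE_IPNAT='List of active MAP/Redirect filters:
map ed0 192.168.0.0/16 -> 0/32 portmap tcp/udp 10000:20000
map ed0 192.168.0.0/16 -> 0/32
rdr ed0 0.0.0.0/0 port 22 -> 192.168.0.3 port 22 tcp
rdr ed0 0.0.0.0/0 port 80 -> 192.168.0.2 port 80 tcp

List of active sessions:'

# rdr_target PORT: read an ipnat listing on stdin and print the internal host that
# receives inbound traffic for PORT, or "firewall" when no rdr rule claims that port
# (i.e. the daemon listening on the firewall itself is the one that answers).
# Fields of an rdr line: rdr IFACE SRC port PORT -> HOST port PORT PROTO
rdr_target() {
    awk -v p="$1" '
        $1 == "rdr" && $4 == "port" && $5 == p { print $7; found = 1; exit }
        END { if (!found) print "firewall" }'
}

# rdr_summary: read an ipnat listing on stdin and print one "proto/port -> host:port"
# line per redirect, so every port whose traffic never reaches the firewall's own
# daemons is visible at a glance.
rdr_summary() {
    awk '$1 == "rdr" && $4 == "port" { printf "%s/%s -> %s:%s\n", $10, $5, $7, $9 }'
}

# Stand-alone usage on the constructed listing; on a live IP Filter box replace the
# printf with `ipnat -l` (run as root).
printf '%s\n' "$SAMPLE_IPNAT" | rdr_summary
printf 'port 22 is answered by: %s\n' "$(printf '%s\n' "$SAMPLE_IPNAT" | rdr_target 22)"
```

On the constructed listing, `rdr_target 22` prints `192.168.0.3` while `rdr_target 25` prints `firewall`, which is exactly the discrepancy the thread took two rounds of e-mail to find: the filter rule and the NAT rule both have to be read before "port 22 is open" says anything about which sshd will answer.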