Subject: Re: IPF and ssh
To: None <current-users@NetBSD.org>
From: Rob Quinn <rquinn@sec.sprint.net>
List: current-users
Date: 11/17/2003 12:13:37
> From: Mark Nelson <mn@tardis.cx>
This address doesn't work.
> I have a ipf based firewall
I think you have some routing issues, either on your client or your firewall.
Does your client have multiple interfaces too?
> pass in quick on ex0 proto tcp from any to 10.119.6.226 port = ssh
> flags S/SA keep state
Enable logging on this line.
> However when I try to connect to the machine
I assume you're connecting from 10.32.160.78 which is on the ex0 interface?
> the connection is blocked
> and I get the following line in the firewall log.
> 17/11/2003 15:44:18.943806 ex2 @0:19 b 10.169.6.226,22 ->
> 10.32.160.78,34502 PR tcp len 20 552 -A IN
How did ex2 get in there? Is 10.32.160.78 on ex0 or ex2, and does the
firewall's routing table agree? On the firewall type 'route -n get
10.32.160.78' to check the outgoing interface.
> The ssh daemon seems to want to open a connection back to the source machine
> on port 34502.
Your log shows it's an ACK packet, not a SYN (new connection). I bet if you
run 'netstat -anf inet' on the ssh client machine you'll see a partially
established connection with a source port of 34502.
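The diagnosis above (a blocked packet that is an ACK rather than a SYN, logged on a different interface from the one named in the keep-state rule) can be checked mechanically against ipmon output. The following script is an added example, not code from the thread or from IPFilter: it parses ipmon log lines, and for each blocked TCP packet reports whether it is a rejected new connection or a server reply that missed the state entry because it arrived on the wrong interface. The sample log is constructed: its first line is the one quoted in the thread joined back onto a single line, the other two are made up for contrast; the interface name ex0 and port 22 are taken from the quoted pass rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ipmon format. Line 1 is the log line quoted in the
# thread (re-joined); lines 2 and 3 are constructed: a passed SYN on ex0 and
# a SYN that hit the block rule.
SAMPLE_LOG = """\
17/11/2003 15:44:18.943806 ex2 @0:19 b 10.169.6.226,22 -> 10.32.160.78,34502 PR tcp len 20 552 -A IN
17/11/2003 15:44:18.900000 ex0 @0:3 p 10.32.160.78,34502 -> 10.169.6.226,22 PR tcp len 20 60 -S IN
17/11/2003 15:44:19.100000 ex0 @0:19 b 10.32.160.78,34503 -> 10.169.6.226,22 PR tcp len 20 60 -S IN
"""

# One ipmon line:
#   date time iface @group:rule action src,sport -> dst,dport PR proto
#   len hdrlen pktlen [-TCPFLAGS] IN|OUT
LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpnSL])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<direction>IN|OUT)\s*$"
)


@dataclass(frozen=True)
class IpfLogEntry:
    iface: str
    group: int
    rule: int
    action: str      # b = block, p = pass, n = nomatch, S = short, L = log
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flag letters, e.g. "S" or "A"; empty for non-TCP
    direction: str   # IN or OUT


def parse_line(line: str) -> Optional[IpfLogEntry]:
    """Parse a single ipmon line; returns None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return IpfLogEntry(
        iface=m.group("iface"),
        group=int(m.group("group")),
        rule=int(m.group("rule")),
        action=m.group("action"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        proto=m.group("proto"),
        flags=m.group("flags") or "",
        direction=m.group("direction"),
    )


def parse_log(text: str) -> List[IpfLogEntry]:
    """Parse every recognisable line of an ipmon log, skipping the rest."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def diagnose(entry: IpfLogEntry, pass_iface: str, service_port: int) -> Optional[str]:
    """Explain why a blocked TCP packet for the service was dropped.

    pass_iface is the interface named in the 'pass in quick ... keep state'
    rule and service_port the port it allows (22 for ssh). IPFilter ties the
    state entry to the interface the SYN was seen on, so a server reply that
    arrives on another interface finds no state and falls through to the
    block rule. Returns None for entries that are not blocked TCP packets.
    """
    if entry.action != "b" or entry.proto != "tcp":
        return None
    if "S" in entry.flags and "A" not in entry.flags:
        return "new connection (SYN) blocked by rule @%d:%d" % (entry.group, entry.rule)
    if "A" in entry.flags and entry.sport == service_port and entry.iface != pass_iface:
        return ("server reply on %s, but the keep-state rule is on %s: "
                "routing is asymmetric, check 'route -n get %s'"
                % (entry.iface, pass_iface, entry.dst))
    if "A" in entry.flags:
        return "mid-stream packet with no matching state entry"
    return "blocked by rule @%d:%d" % (entry.group, entry.rule)


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        verdict = diagnose(e, pass_iface="ex0", service_port=22)
        if verdict:
            print("%s %s:%d -> %s:%d [%s]: %s"
                  % (e.iface, e.src, e.sport, e.dst, e.dport, e.flags, verdict))
```

Run against a real ipmon log, the script points at the same thing the reply above points at: the blocked packet carries only the A flag and was seen on ex2, while the state was created by the rule on ex0, so the next step is comparing the firewall's routing table for the client address with the interface the rule names.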