
Re: ipfwadm / ipchains: can't enable ssh !




  # forward ssh connections to outside hosts

Michael Agbaglo <byteshifter@cadac.de> writes:

> It's ok to leave it on port 22... but when I enabled port 22 it still
> doesn't work. Theoretically port 22 should be used on remote host and
> port>1023 is used at local host. I set up the firewall with no limits to
> outgoing packets,  incoming packets are allowed when port > 1023 and ACK
> is set.
> I'm sitting *at* the firewall and can telnet to x.x.x.x (stands for hosts
> outside the firewall but not the firewall itself) but I can't ssh to
> x.x.x.x
> I'm NOT talking about forwarding from a client through the firewall.
> If port 22 is enabled on firewall I can't even telnet on the firewall
> host - what's this?
> When I "telnet [remote host] 22" I get an ssh prompt - so something must
> be filtered out on its way back.

I am not sure if I have understood correctly.  I still
believe that your problem consists in the fact that telnet
and ssh work on different ports.

This should enable ssh and telnet from (i.e. sitting *at*) your
firewall.  (This is of course not the best filtering policy;
it should serve only as an example.)

  EIF="external-interface-ip"

  ### allow outgoing ssh connections
  ### (the ssh client binds a privileged source port, hence 0:1023;
  ###  -k matches only packets with the TCP ACK bit set, i.e. replies)
  ipfwadm -O -a accept -P tcp    -S $EIF  0:1023 -D any/0 22
  ipfwadm -I -a accept -P tcp -k -S any/0 22     -D $EIF  0:1023

  ### allow outgoing telnet connections (telnet is port 23, not 20)
  ipfwadm -O -a accept -P tcp    -S $EIF  1024:65535  -D any/0 23
  ipfwadm -I -a accept -P tcp -k -S any/0 23          -D $EIF  1024:65535


hope this works
marco
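The port mismatch marco's rules address, as an added example that is not code from this thread: a toy model of ipfwadm-style stateless TCP filtering, assuming (as the 0:1023 range in the reply does) that the ssh client of the era binds a privileged source port while telnet uses an unprivileged one. The rule encoding and the client port numbers are constructed.

```python
# Toy model of stateless ipfwadm-style TCP filtering (added example, not
# code from the thread). Ports and the policy encoding are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the firewall host
    sport: int
    dport: int
    ack: bool       # TCP ACK bit set (ipfwadm -k matches only these)


@dataclass(frozen=True)
class Rule:
    direction: str
    sports: tuple   # inclusive (low, high) source port range
    dports: tuple   # inclusive (low, high) destination port range
    ack_only: bool = False  # ipfwadm -k

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1]
                and (p.ack or not self.ack_only))


def verdict(rules, p: Packet) -> str:
    """Any matching accept rule accepts; default policy is deny."""
    return "accept" if any(r.matches(p) for r in rules) else "deny"


# Michael's policy: all outgoing; incoming only if dport > 1023 and ACK set.
MICHAEL = [Rule("out", (0, 65535), (0, 65535)),
           Rule("in", (0, 65535), (1024, 65535), ack_only=True)]

# marco's rules (telnet on 23): ssh replies return to a privileged port.
MARCO = [Rule("out", (0, 1023), (22, 22)),
         Rule("in", (22, 22), (0, 1023), ack_only=True),
         Rule("out", (1024, 65535), (23, 23)),
         Rule("in", (23, 23), (1024, 65535), ack_only=True)]


def session_ok(rules, client_port: int, server_port: int) -> bool:
    """Do the SYN and the returning SYN/ACK of a handshake both pass?"""
    syn = Packet("out", client_port, server_port, ack=False)
    syn_ack = Packet("in", server_port, client_port, ack=True)
    return verdict(rules, syn) == "accept" and verdict(rules, syn_ack) == "accept"


TELNET_CLIENT_PORT = 3456  # constructed: unprivileged source port
SSH_CLIENT_PORT = 1022     # constructed: privileged source port (old ssh)
```

Under Michael's policy the telnet handshake completes but the ssh reply to port 1022 is dropped, which matches the symptom he describes.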

