Re: ipfwadm / ipchains: can't enable ssh !
# forward ssh connections to outside hosts
Michael Agbaglo <byteshifter@cadac.de> writes:
> It's ok to leave it on port 22... but when I enabled port 22 it still
> doesn't work. Theoretically port 22 should be used on the remote host and
> port > 1023 is used at the local host. I set up the firewall with no limits
> on outgoing packets; incoming packets are allowed when port > 1023 and ACK
> is set.
> I'm sitting *at* the firewall and can telnet to x.x.x.x (stands for hosts
> outside the firewall but not the firewall itself) but I can't ssh to
> x.x.x.x
> I'm NOT talking about forwarding from a client through the firewall.
> If port 22 is enabled on the firewall I can't even telnet on the firewall
> host - what's this?
> When I "telnet [remote host] 22" I get an ssh prompt - so something must
> be filtered out on its way back.
I am not sure if I have correctly understood. I still
believe that your problem consists in the fact that telnet
and ssh work on different ports.
This should enable ssh and telnet from (i.e. sitting *at*) your
firewall. (This of course is not the best filtering policy;
it should serve only as an example.)
EIF="external-interface-ip"
### allow outgoing ssh connections
### (source ports 0:1023 because the ssh client binds a privileged local port;
### -k matches only packets with ACK set, i.e. replies to our own connection)
ipfwadm -O -a accept -P tcp -S $EIF 0:1023 -D any/0 22
ipfwadm -I -a accept -P tcp -k -S any/0 22 -D $EIF 0:1023
### allow outgoing telnet connections (telnet is port 23; 20 is ftp-data)
ipfwadm -O -a accept -P tcp -S $EIF 1024:65535 -D any/0 23
ipfwadm -I -a accept -P tcp -k -S any/0 23 -D $EIF 1024:65535
hope this works
marco
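An added example, not part of either mail in this thread: a small model of the two input policies being discussed, which shows why an "ACK set and port > 1023" rule lets telnet replies through but drops replies to an ssh client that binds a privileged local port (the reason the reply's ssh rule covers 0:1023), and that the reply's rules in turn do not cover an ssh client using an unprivileged port. The `Packet` model and the port values (1022, 40000) are constructed for illustration; telnet is assumed to be port 23.

```python
# Added example (not from the original post). Models ipfwadm input (-I) rules
# as Python predicates and evaluates the reply packet a remote service sends
# back to the firewall host's own client connection.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # transport protocol, e.g. "tcp"
    sport: int   # source port (the remote service, for a reply)
    dport: int   # destination port (our client's local port)
    ack: bool    # TCP ACK flag set (what ipfwadm's -k option matches)


def input_rule_original(pkt: Packet) -> bool:
    """Michael's policy: accept incoming TCP only if ACK is set and port > 1023."""
    return pkt.proto == "tcp" and pkt.ack and pkt.dport > 1023


def input_rule_reply(pkt: Packet) -> bool:
    """Marco's two -I rules, with telnet on port 23 (constructed from the post)."""
    if pkt.proto != "tcp" or not pkt.ack:
        return False
    if pkt.sport == 22 and 0 <= pkt.dport <= 1023:       # ssh replies
        return True
    if pkt.sport == 23 and 1024 <= pkt.dport <= 65535:   # telnet replies
        return True
    return False


def reply_for(client_port: int, service_port: int) -> Packet:
    """Reply packet from a remote service to our local client port (ACK set)."""
    return Packet("tcp", sport=service_port, dport=client_port, ack=True)


def accepted(policy, client_port: int, service_port: int) -> bool:
    """True if the given input policy lets the service's reply through."""
    return policy(reply_for(client_port, service_port))


if __name__ == "__main__":
    # Constructed ports: 1022 = privileged ssh client port, 40000 = telnet client port.
    for name, policy in (("original", input_rule_original), ("reply", input_rule_reply)):
        print(name, "ssh(1022):", accepted(policy, 1022, 22),
              "telnet(40000):", accepted(policy, 40000, 23),
              "ssh(40000):", accepted(policy, 40000, 22))
```

Under the original policy the ssh reply to port 1022 is dropped while telnet works, which matches the symptom in the quoted mail; the reply's rules accept it but would still drop an ssh client that uses a port above 1023.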