> -----Original Message-----
> From: Jon Earle [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 26 January 2000 7:39 AM
> To: [EMAIL PROTECTED]
> Subject: SSH and Telnet
> 
> 
> Hello!
> 
> I've configured our firewalls (FW-1 4.1 eval box, plus a production BSD box
> running FWTK in parallel) to allow outbound telnet and ssh.  Outbound telnet
> works fine.  SSH, however, does not work (and I've tried it on the standard
> ssh port, plus my reassigned ssh port).  The port is allowed in the FW-1
> rules, and the log indicates that the traffic is permitted.  The problem is
> that the request ends up going nowhere, with the very next packet in the log
> being a rejected incoming icmp type 6 reply directed at the FW-1 external
> interface.  Origin of this packet is (I think) a router further upstream.

That's weird. I guess you've already checked and found out that ICMP type 6
is "Alternate Host Address". Maybe, like me, you've also trudged through all
the ICMP RFCs and found no references for this type except [JBP] (Thanks,
Jon).

[Aside - someone out there probably knows what type 6 was _going_ to be.
Anyone care to satisfy my curiosity?]

Are you sure that it wasn't ICMP (TYPE) 3 / (CODE) 6 - Destination Network
Unknown? That makes a lot more sense...

> 
> Now, I mentioned that telnet works.  I can telnet from behind both of our
> firewalls to my Linux box.  A friend has SSH on his box configured on port
> 23, and from my box, I can telnet to his, port 23 and get the initial SSH
> message.  However, from behind our firewalls, I cannot telnet to his box,
> port 23.

This isn't a fair test. You're missing a logical step. You've tested:
1. Inside telnet to your box, telnet
2. Your box, telnet, friend's box telnet
3. Your box, SSH, friend's box, SSH

You've not proved connectivity from inside your network to your friend's
box. A real test would be to install SSH on _your_ box, verify that it
accepts connections from your friend's box, and THEN test SSH from inside
your network to your box (since telnet is already verified). That will also
give you access to better logs.

I know it's a long shot, but rigorously following a provable step-by-step
approach has saved me lots of time in the past.

> 
> What could be going on here?  If telnet works, should I not be able to
> telnet to the remote SSH server on port 23 and at least get 
> the initial
> message?

Yes, you should. Assuming by "initial message" you mean getting your
connection rejected by the SSH daemon.

> 
> Cheers!
> Jon

G'luck!

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
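A small decoder, added here as an illustration and not part of either message, that tells ICMP type 6 apart from type 3 / code 6 and pulls the quoted IP header and TCP ports out of a Destination Unreachable message so the error can be matched to the outbound SSH attempt in the firewall log. The addresses and ports are constructed sample values (TEST-NET ranges), not from the thread.

```python
import struct

# ICMP type/code names relevant to the thread (RFC 792 / RFC 1122 and the
# IANA registry; type 6 "Alternate Host Address" has no defined message format).
TYPE_NAMES = {3: "Destination Unreachable", 6: "Alternate Host Address"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                 3: "Port Unreachable", 6: "Destination Network Unknown",
                 7: "Destination Host Unknown", 13: "Administratively Prohibited"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message; for type 3 also extract the quoted original
    IP header and TCP/UDP ports so the error can be tied to a flow."""
    icmp_type, code = msg[0], msg[1]
    out = {"type": icmp_type, "code": code,
           "type_name": TYPE_NAMES.get(icmp_type, "Unknown/unassigned"),
           "checksum_ok": inet_checksum(msg) == 0}
    if icmp_type == 3 and len(msg) >= 8 + 20:
        out["code_name"] = UNREACH_CODES.get(code, "other")
        inner = msg[8:]                 # quoted IP header + first 8 payload bytes
        ihl = (inner[0] & 0x0F) * 4
        out["orig_src"] = ".".join(map(str, inner[12:16]))
        out["orig_dst"] = ".".join(map(str, inner[16:20]))
        out["orig_proto"] = inner[9]
        if inner[9] in (6, 17) and len(inner) >= ihl + 4:   # TCP or UDP ports
            out["orig_sport"], out["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return out

def build_dest_unreach(code: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a Destination Unreachable message quoting a TCP SYN from
    src:sport to dst:dport (sample data for the decoder, not a real capture)."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0x1234, 0x4000, 64, 6, 0,
                            bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    quoted_tcp = struct.pack("!HHI", sport, dport, 0)   # first 8 bytes of the TCP header
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted_ip + quoted_tcp
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

# Constructed sample of what the logged packet most plausibly was: an upstream
# router answering the firewall's outbound SSH SYN with type 3 / code 6.
SAMPLE = build_dest_unreach(6, "192.0.2.10", "198.51.100.20", 40000, 22)
```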