Re: Can't login using ssh; no password prompt
Hi Ben! Thank you for your answer.

The resolv.conf file has this line:

    nameserver 192.168.1.1

At this address there is an OpenBSD 3.7 firewall which is running a caching DNS from my provider. When I was using older versions of ssh from the local network I had to wait longer for the password prompt until I configured the /etc/hosts file in the new box. But a situation like this one never happened.

Thank you for all,
Mauro

On 11/18/05, Ben Pratt <[EMAIL PROTECTED]> wrote:
> I have seen this before and every time it turns out to be that DNS isn't
> working on the box. Please make sure that you are able to access a DNS
> server from the box by trying to ping google.com or something.
>
> Good luck,
>
> Ben
>
> Mauricio Brunstein wrote:
> > Hi!
> >
> > I've installed a new box with FreeBSD 6.0 (workbench) and can't login
> > to it by means of ssh from the internal or external network. The box
> > is installed from the release version, and worked fine using the
> > console. I also had accessed other hosts from there using ssh. I did
> > not patch the box in any way, it is just the 6.0 release version. I can
> > not login to that box from a local OpenBSD 3.7 box, a 5.4 box (as
> > shown below) or using putty 0.57 from the Internet (the putty window
> > closes after some time without asking me for a password).
> >
> > Anybody have an idea of what could be happening?
> >
> > Thank you in advance,
> > Mauro
> >
> > From a 5.4 box:
> >
> > [EMAIL PROTECTED]:~> uname -a
> > FreeBSD Server.blstar 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #0: Sun
> > Oct 16 04:00:03 ART 2005 mauro@:/usr/obj/usr/src/sys/GENERIC i386
> >
> > I issue the following command:
> >
> > [EMAIL PROTECTED]:~> ssh -vvv workbench
> > OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to workbench.blstar [192.168.1.34] port 22.
> > debug1: Connection established.
> > debug1: identity file /home/mauro/.ssh/identity type -1
> > debug1: identity file /home/mauro/.ssh/id_rsa type -1
> > debug1: identity file /home/mauro/.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903
> > debug1: match: OpenSSH_4.2p1 FreeBSD-20050903 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-dss
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_k
Can't login using ssh; no password prompt
Hi!

I've installed a new box with FreeBSD 6.0 (workbench) and can't login to it by means of ssh from the internal or external network. The box is installed from the release version, and worked fine using the console. I also had accessed other hosts from there using ssh. I did not patch the box in any way, it is just the 6.0 release version. I can not login to that box from a local OpenBSD 3.7 box, a 5.4 box (as shown below) or using putty 0.57 from the Internet (the putty window closes after some time without asking me for a password).

Anybody have an idea of what could be happening?

Thank you in advance,
Mauro

From a 5.4 box:

[EMAIL PROTECTED]:~> uname -a
FreeBSD Server.blstar 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #0: Sun Oct 16 04:00:03 ART 2005 mauro@:/usr/obj/usr/src/sys/GENERIC i386

I issue the following command:

[EMAIL PROTECTED]:~> ssh -vvv workbench
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to workbench.blstar [192.168.1.34] port 22.
debug1: Connection established.
debug1: identity file /home/mauro/.ssh/identity type -1
debug1: identity file /home/mauro/.ssh/id_rsa type -1
debug1: identity file /home/mauro/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903
debug1: match: OpenSSH_4.2p1 FreeBSD-20050903 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 536/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mauro/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'workbench.blstar' is known and matches the DSA host key.
debug1: Found key in /home/mauro/.ssh/known_hosts:3
debug2: bits set: 497/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mauro/.ssh/identity (0x0)
debug2: key: /home/mauro/.ssh/id_rsa (0x0)
debug2: key: /home/mauro/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: T
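Two things in the transcript above are worth reading off before touching the server. First, the session gets all the way through key exchange and into userauth (SSH2_MSG_SERVICE_ACCEPT received, then "Next authentication method: publickey" with no identity files present), so the hang is the server being slow to answer the first authentication request, which fits Ben's DNS diagnosis: sshd on the 6.0 box tries to resolve the client's address in reverse (the UseDNS option in sshd_config controls this, and it exists in the OpenSSH 4.2p1 that ships with 6.0) and the lookup never completes. Second, the server offers only publickey and keyboard-interactive, never "password", so the prompt the author is waiting for is keyboard-interactive's, which on FreeBSD goes through PAM. The script below is an added example, not code from the post or from OpenSSH: it finds the furthest protocol milestone in an `ssh -vvv` transcript and maps it to the usual cause of a hang at that point. The milestone table and the hints are the editor's own heuristics, and SAMPLE is an excerpt of the thread's transcript embedded as constructed input.

```python
"""Locate where an `ssh -vvv` transcript stalls and map that to a likely cause.

Added example for this thread; not part of OpenSSH or of the original post.
The milestone table and the hints are the editor's heuristics, not text that
ssh prints. SAMPLE is an excerpt of the transcript posted in the thread, used
as constructed input.
"""
import re

# Client-side milestones in protocol order. The furthest one present in the
# transcript is the phase the session reached before it hung.
MILESTONES = (
    ("tcp",            r"^debug1: Connection established\."),
    ("banner",         r"^debug1: Remote protocol version"),
    ("kexinit",        r"^debug1: SSH2_MSG_KEXINIT received"),
    ("newkeys",        r"^debug1: SSH2_MSG_NEWKEYS received"),
    ("userauth",       r"^debug1: SSH2_MSG_SERVICE_ACCEPT received"),
    ("auth-publickey", r"^debug1: Next authentication method: publickey"),
    ("auth-kbdint",    r"^debug1: Next authentication method: keyboard-interactive"),
    ("auth-password",  r"^debug1: Next authentication method: password"),
    ("authenticated",  r"^debug1: Authentication succeeded"),
)
MILESTONE_RES = [(name, re.compile(pat)) for name, pat in MILESTONES]
METHODS_RE = re.compile(r"^debug1: Authentications that can continue: (\S+)")

# Editor's heuristics: what a hang right after each milestone usually means.
HINTS = {
    None:             "no TCP connection: wrong host or port, sshd not listening, or a packet filter",
    "tcp":            "TCP open but no banner: nothing speaking SSH on that port, or a filter dropping the reply",
    "banner":         "banner seen but no KEXINIT: protocol mismatch or a filter",
    "kexinit":        "KEXINIT exchanged but key exchange never finished: MTU/PMTU trouble with the large DH packets, or a filter",
    "newkeys":        "keys in place but userauth service not accepted: the server stalled before authentication",
    "auth-publickey": "userauth started but no prompt ever came: the server is slow to answer the first request; on an OpenSSH server the usual cause is a reverse DNS lookup of the client that cannot complete (sshd_config UseDNS), which is the diagnosis in this thread",
    "auth-kbdint":    "keyboard-interactive started but no prompt: the PAM or challenge back end on the server is stalling",
    "auth-password":  "the password prompt should be on screen; if it is not, the problem is the terminal, not the protocol",
    "authenticated":  "authentication succeeded; any hang is in session setup (PTY, shell, login scripts)",
}


def stall_phase(transcript):
    """Name of the furthest milestone present in the transcript, or None."""
    best = -1
    for line in transcript.splitlines():
        line = line.strip()
        for idx, (_, pattern) in enumerate(MILESTONE_RES):
            if idx > best and pattern.match(line):
                best = idx
    return MILESTONE_RES[best][0] if best >= 0 else None


def offered_methods(transcript):
    """Methods the server advertised with its first userauth failure, or []."""
    for line in transcript.splitlines():
        m = METHODS_RE.match(line.strip())
        if m:
            return m.group(1).split(",")
    return []


def diagnose(transcript):
    """(phase, hint). The hint also notes when 'password' is not offered,
    because then any password prompt has to come from keyboard-interactive."""
    phase = stall_phase(transcript)
    hint = HINTS[phase]
    methods = offered_methods(transcript)
    if methods and "password" not in methods:
        hint += ("; the server offers " + ",".join(methods)
                 + " only, so the password prompt is keyboard-interactive (PAM on FreeBSD)")
    return phase, hint


# Constructed input: an excerpt of the transcript posted in the thread.
SAMPLE = """\
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Connecting to workbench.blstar [192.168.1.34] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Host 'workbench.blstar' is known and matches the DSA host key.
debug1: SSH2_MSG_NEWKEYS sent
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
"""

if __name__ == "__main__":
    phase, hint = diagnose(SAMPLE)
    print(f"stalled after: {phase}")
    print(hint)
```

Run it against a saved `ssh -vvv host 2>&1 | tee ssh.log` transcript; the interesting output for this thread is "stalled after: auth-publickey". The fix on the server side, if the reverse lookup is indeed what hangs, is either working DNS (Ben's suggestion) or `UseDNS no` in sshd_config; the former also keeps sshd's "from" logging honest.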
Re: Re[6]: Can't access a box remotely
Hexren:

Ok. From the logical point of view this is true. But when I put router_enable="NO" in rc.conf, the internal LAN and the box cannot be reached anymore from the Internet. From the internal LAN I can always ssh to the box regardless of this setting.

Thanks anyway!! Your help was very useful.

Sincerely,
Mauricio.

On Thu, 20 Jan 2005 00:48:18 +0100, Hexren <[EMAIL PROTECTED]> wrote:
> MB> Hexren:
>
> MB> Also I have another question:
>
> MB> If you look at the handbook it states that if you use ppp, you need to
> MB> put router_enable="NO" in rc.conf, because if you enable routed, it
> MB> can delete the routes added by ppp. The problem is that if I put
> MB> router_enable="NO" in rc.conf, I can't access my box from outside, and
> MB> this time it is not a dyndns related issue. I don't have any idea of what
> MB> could be the cause of this situation. Does it seem familiar to you???
>
> MB> Thank you for all your help!!!
>
> MB> Mauricio.
>
> -
>
> No it does not.
> In my experience just using 'gateway_enable="yes"' is sufficient for
> bringing a private LAN online.
>
> Hexren
>

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Re[4]: Can't access a box remotely
Hexren:

Also I have another question:

If you look at the handbook it states that if you use ppp, you need to put router_enable="NO" in rc.conf, because if you enable routed, it can delete the routes added by ppp. The problem is that if I put router_enable="NO" in rc.conf, I can't access my box from outside, and this time it is not a dyndns related issue. I don't have any idea of what could be the cause of this situation. Does it seem familiar to you???

Thank you for all your help!!!

Mauricio.

On Wed, 19 Jan 2005 19:29:48 -0300, Mauricio Brunstein <[EMAIL PROTECTED]> wrote:
> Hexren:
>
> Why do you say:
>
> > As a quick workaround: In your ppp.conf delete the default profile and
> > rename your profile default. Then remove the 'ppp_profile="my_isp"'
> > line from your rc.conf.
>
> I actually want to dial to my_isp from rc.conf. If I delete the
> "default" profile, then I need to copy those 2 lines in that profile
> to the "my_isp" profile?
>
> Thank you again,
>
> Mauricio
>
> PD: This is my ppp.conf:
>
> server:~ $ sudo cat /etc/ppp/ppp.conf
> default:
>  set log Phase Chat IPCP CCP tun command
>  set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255
>
> my_isp:
>  set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
>  set mtu 1492
>  set mru 1492
>  enable mssfixup
>  set ctsrts off
>  set speed sync
>  disable acfcomp protocomp
>  deny acfcomp
>  set authname
>  set authkey y
>  add default HISADDR
>  # enable lqr
>  disable ipv6cp
>  # set lqrperiod 5
>  enable dns
> server:~ $
>
> On Wed, 19 Jan 2005 23:02:26 +0100, Hexren <[EMAIL PROTECTED]> wrote:
> > MB> Hexren:
> >
> > MB> The process of PID 212 is ppp:
> >
> > MB> server:~ $ ps auxw|grep 212
> > MB> root    212  0.0  0.8  3240 2112  ??  Ss    5:53PM   0:00.43 ppp
> > MB> -ddial default
> > MB> mauro   687  0.0  0.4  1472  892  p0  S+    6:48PM   0:00.00 grep 212
> > MB> server:~ $
> >
> > >>
> > >> -
> > >>
> > >> Wild guessing here:
> > >> Maybe the interface tun0 gets created when it is first called by
> > >> something referring to rc.conf. (It is in there isn't it ?). When ppp
> > >> then fires up it creates its own tun device, taking the next "free"
> > >> name which is tun1 as tun0 already exists and ppp can't know if it is
> > >> used by something else.
> > >> Try removing all references to tun0 from /etc/rc.conf
> > >>
> > >> Keep in mind that this is only a guess.
> > >> Also look at what hides behind PID 212. You can see in the output you
> > >> provided that tun0 was created by that PID.
> > >>
> > >> Hexren
> > >>
> >
> > -
> >
> > It is not the reference.
> > When ppp is started it first tries to dial in using the profile named
> > default.
> > >"root 212 ppp -ddial default"
> >
> > As a quick workaround: In your ppp.conf delete the default profile and
> > rename your profile default. Then remove the 'ppp_profile="my_isp"'
> > line from your rc.conf.
> >
> > I am pretty sure there is a cleaner way to do this. But unfortunately
> > I am unaware of it.
> >
> > Hexren
> >
Re: Re[4]: Can't access a box remotely
Hexren:

Why do you say:

> As a quick workaround: In your ppp.conf delete the default profile and
> rename your profile default. Then remove the 'ppp_profile="my_isp"'
> line from your rc.conf.

I actually want to dial to my_isp from rc.conf. If I delete the "default" profile, then I need to copy those 2 lines in that profile to the "my_isp" profile?

Thank you again,

Mauricio

PD: This is my ppp.conf:

server:~ $ sudo cat /etc/ppp/ppp.conf
default:
 set log Phase Chat IPCP CCP tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255

my_isp:
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set ctsrts off
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname
 set authkey y
 add default HISADDR
 # enable lqr
 disable ipv6cp
 # set lqrperiod 5
 enable dns
server:~ $

On Wed, 19 Jan 2005 23:02:26 +0100, Hexren <[EMAIL PROTECTED]> wrote:
> MB> Hexren:
>
> MB> The process of PID 212 is ppp:
>
> MB> server:~ $ ps auxw|grep 212
> MB> root    212  0.0  0.8  3240 2112  ??  Ss    5:53PM   0:00.43 ppp
> MB> -ddial default
> MB> mauro   687  0.0  0.4  1472  892  p0  S+    6:48PM   0:00.00 grep 212
> MB> server:~ $
>
> >>
> >> -
> >>
> >> Wild guessing here:
> >> Maybe the interface tun0 gets created when it is first called by
> >> something referring to rc.conf. (It is in there isn't it ?). When ppp
> >> then fires up it creates its own tun device, taking the next "free"
> >> name which is tun1 as tun0 already exists and ppp can't know if it is
> >> used by something else.
> >> Try removing all references to tun0 from /etc/rc.conf
> >>
> >> Keep in mind that this is only a guess.
> >> Also look at what hides behind PID 212. You can see in the output you
> >> provided that tun0 was created by that PID.
> >>
> >> Hexren
> >>
>
> -
>
> It is not the reference.
> When ppp is started it first tries to dial in using the profile named
> default.
> >"root 212 ppp -ddial default"
>
> As a quick workaround: In your ppp.conf delete the default profile and
> rename your profile default. Then remove the 'ppp_profile="my_isp"'
> line from your rc.conf.
>
> I am pretty sure there is a cleaner way to do this. But unfortunately
> I am unaware of it.
>
> Hexren
>
Re: Re[2]: Can't access a box remotely
Hexren:

The process of PID 212 is ppp:

server:~ $ ps auxw|grep 212
root    212  0.0  0.8  3240 2112  ??  Ss    5:53PM   0:00.43 ppp -ddial default
mauro   687  0.0  0.4  1472  892  p0  S+    6:48PM   0:00.00 grep 212
server:~ $

My rc.conf has references to tun0:

server:~ $ sudo cat /etc/rc.conf
# -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
# Created: Sun Nov 21 13:07:41 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#
##
hostname="server.estudio"
netd_enable="YES"
saver="dragon"
scrnmap="NO"
sshd_enable="YES"
sshd_flags="-4 -p 222"
usbd_enable="YES"
network_interfaces="lo0 rl0 fxp0 tun0"
#network_interfaces="lo0 rl0 fxp0"
ifconfig_tun0=" "
ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.0"
ifconfig_fxp0="media 10baseT/UTP up"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="my_isp"
router_enable="YES"
gateway_enable="YES"            # Set to YES if this host will be a gateway
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags="-d"                   # additional flags for pfctl startup
#pflog_enable="YES"             # start pflogd(8)
#pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
#pflog_flags=""                 # additional flags for pflogd startup
inetd_enable="YES"              # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
inetd_flags="-wW -C 60"         # Optional flags to inetd
#nmbd_enable="YES"
#smbd_enable="YES"
#winbindd_enable="YES"
named_enable="YES"              # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # path to named, if you want a different one.
named_flags="-u bind"           # Flags for named
named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES"   # Automatically install/update chrooted
                                # components of named. See /etc/rc.d/named.
named_symlink_enable="YES"      # Symlink the chrooted pid file
server:~ $

Thank you again,

Mauricio.

On Wed, 19 Jan 2005 22:44:04 +0100, Hexren <[EMAIL PROTECTED]> wrote:
> MB> Hexren:
>
> MB> Thank you for answering so quickly. I discovered that the problem is that
> MB> ppp is using tun1 in place of tun0 and I am using a dyndns daemon that
> MB> is configured to update the ip address of tun0 (this is the interface
> MB> that I want to use). Why is ppp using tun0??? I guess that something
> MB> could be wrong in rc.conf. If I do an ssh to the ip address of tun1,
> MB> I can connect normally.
>
> MB> Here is the output of ifconfig:
>
> MB> server:~ $ ifconfig
> MB> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> MB>         options=8<VLAN_MTU>
> MB>         inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
> MB>         inet6 fe80::208:54ff:fe1d:8be5%rl0 prefixlen 64 scopeid 0x1
> MB>         ether 00:08:54:1d:8b:e5
> MB>         media: Ethernet autoselect (100baseTX )
> MB>         status: active
> MB> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> MB>         options=8<VLAN_MTU>
> MB>         inet6 fe80::211:11ff:fe85:efa8%fxp0 prefixlen 64 scopeid 0x2
> MB>         ether 00:11:11:85:ef:a8
> MB>         media: Ethernet 10baseT/UTP
> MB>         status: active
> MB> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> MB> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> MB>         inet 127.0.0.1 netmask 0xff000000
> MB>         inet6 ::1 prefixlen 128
> MB>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> MB> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
> MB>         Opened by PID 212
> MB> tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> MB>         inet 200.127.126.73 --> 200.32.0.42 netmask 0xffffffff
> MB>         Opened by PID 230
> MB> pflog0: flags=0<> mtu 33208
>
> MB> Thank you for all!!!
>
> MB> Mauricio
>
> MB> On Wed, 19 Jan 2005 22:22:33 +0100, Hexren <[EMAIL PROTECTED]> wrote:
> >> >Hi to all!
> >>
> >> >I can't access to a box from the internet, using ssh.
> >>
> >> -
> >>
> >> Please specify your problem.
> >>
> >> Do you have IP connectivity ? (Do a "ping 216.136.204.117" from the
> >> machine of which you are showing logs here)
> >>
> >> Do you have DNS (Do a "ping www.freebsd.org" )
> >>
> >> Which error is given out when you try to ssh in from the internet. (try
> >> ssh -v or ssh -vv)
> >>
> >> Hexren
> >>
>
> -
>
> Wild guessing here:
> Maybe the interface tun0 gets created when it is first called by
> something referring to rc.conf. (It is in there isn't it ?). When ppp
> then fires up it creates its own tun device, taking the next "free"
> name which is tun1 as tun0 already exists and ppp can't know if it
Re: Can't access a box remotely
Hexren:

Thank you for answering so quickly. I discovered that the problem is that ppp is using tun1 in place of tun0 and I am using a dyndns daemon that is configured to update the ip address of tun0 (this is the interface that I want to use). Why is ppp using tun0??? I guess that something could be wrong in rc.conf. If I do an ssh to the ip address of tun1, I can connect normally.

Here is the output of ifconfig:

server:~ $ ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::208:54ff:fe1d:8be5%rl0 prefixlen 64 scopeid 0x1
        ether 00:08:54:1d:8b:e5
        media: Ethernet autoselect (100baseTX )
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::211:11ff:fe85:efa8%fxp0 prefixlen 64 scopeid 0x2
        ether 00:11:11:85:ef:a8
        media: Ethernet 10baseT/UTP
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        Opened by PID 212
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 200.127.126.73 --> 200.32.0.42 netmask 0xffffffff
        Opened by PID 230
pflog0: flags=0<> mtu 33208

Thank you for all!!!

Mauricio

On Wed, 19 Jan 2005 22:22:33 +0100, Hexren <[EMAIL PROTECTED]> wrote:
> >Hi to all!
>
> >I can't access to a box from the internet, using ssh.
>
> -
>
> Please specify your problem.
>
> Do you have IP connectivity ? (Do a "ping 216.136.204.117" from the
> machine of which you are showing logs here)
>
> Do you have DNS (Do a "ping www.freebsd.org" )
>
> Which error is given out when you try to ssh in from the internet. (try
> ssh -v or ssh -vv)
>
> Hexren
>
Can't access a box remotely
Hi to all!

I can't access a box from the internet, using ssh. Also the box is configured as a gateway, and I can't access the redirected ports of the computers in the internal network.

Please help! I don't have any idea of how to resolve this problem.

Thank you in advance,

Mauricio.

PD: Some additional data of interest:

server:~ $ uname -a
FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue Nov 23 02:13:24 ART 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICconALTQ i386
server:~ $

server:~ $ sudo cat /etc/ppp/ppp.conf
default:
 set log Phase Chat IPCP CCP tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255

my_isp:
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set ctsrts off
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname x
 set authkey yy
 add default HISADDR
 # enable lqr
 disable ipv6cp
 # set lqrperiod 5
 enable dns
server:~ $

server:~ $ sudo cat /etc/rc.conf
# -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
# Created: Sun Nov 21 13:07:41 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="server.estudio"
netd_enable="YES"
saver="dragon"
scrnmap="NO"
sshd_enable="YES"
sshd_flags="-4 -p 222"
usbd_enable="YES"
network_interfaces="lo0 rl0 fxp0 tun0"
ifconfig_tun0=" "
ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.0"
ifconfig_fxp0="media 10baseT/UTP up"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="my_isp"
router_enable="YES"
gateway_enable="YES"            # Set to YES if this host will be a gateway
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags="-d"                   # additional flags for pfctl startup
#pflog_enable="YES"             # start pflogd(8)
#pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
#pflog_flags=""                 # additional flags for pflogd startup
inetd_enable="YES"              # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
inetd_flags="-wW -C 60"         # Optional flags to inetd
#nmbd_enable="YES"
#smbd_enable="YES"
#winbindd_enable="YES"
#
# named. It may be possible to run named in a sandbox, man security for
# details.
#
named_enable="YES"              # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # path to named, if you want a different one.
named_flags="-u bind"           # Flags for named
named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES"   # Automatically install/update chrooted
                                # components of named. See /etc/rc.d/named.
named_symlink_enable="YES"      # Symlink the chrooted pid file
server:~ $

server:~ $ netstat -an|grep LISTEN
tcp4       0      0  *.8021                 *.*                    LISTEN
tcp4       0      0  *.901                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.222                  *.*                    LISTEN
tcp6       0      0  ::1.953                *.*                    LISTEN
tcp4       0      0  127.0.0.1.953          *.*                    LISTEN
tcp4       0      0  127.0.0.1.53           *.*                    LISTEN
tcp4       0      0  192.168.2.1.53         *.*                    LISTEN
server:~ $
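The netstat listing above deserves a second look from the exposure angle, independent of the ssh problem. Everything bound to `*` is bound on the PPPoE link as well, so the FTP server on 21, whatever sits on 901 and 8021 (by IANA convention SWAT and an FTP proxy; inetd is enabled here, so they are probably inetd services), and sshd are reachable from the Internet unless /etc/pf.conf blocks them. sshd is also listening on 22 as well as the 222 that sshd_flags asks for, which is worth explaining (`sockstat -4l` on FreeBSD shows which process owns each socket). The script below is an added example, not code from the post: it parses FreeBSD `netstat -an | grep LISTEN` output and groups the listening ports by where they are bound. NETSTAT is the thread's listing embedded as constructed input, and the 192.168. prefix used to recognise the LAN side is an assumption taken from the rl0 address in the rc.conf above; the pf ruleset, which decides what is actually reachable, is not read.

```python
"""Group a FreeBSD gateway's listening TCP ports by where they are bound.

Added example, not from the original post. NETSTAT is the `netstat -an`
LISTEN output posted in the thread, reproduced as constructed input. The
LAN prefix is assumed from the rl0 address in the thread's rc.conf. The pf
ruleset decides what is actually reachable; this script does not read it.
"""
import re

# FreeBSD netstat prints the local socket as addr.port, e.g. 127.0.0.1.25 or ::1.953
LISTEN_RE = re.compile(r"^(tcp4|tcp6|tcp46)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN$")


def parse_listeners(text):
    """Return (proto, address, port) for each LISTEN line; '*' is every address."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        proto, local = m.group(1), m.group(2)
        addr, port = local.rsplit(".", 1)
        out.append((proto, addr, int(port)))
    return out


def scope(addr, lan_prefixes=("192.168.",)):
    """Where a bound address is reachable from."""
    if addr == "*":
        return "wildcard"      # every interface, the PPPoE link included
    if addr in ("127.0.0.1", "::1"):
        return "loopback"
    if addr.startswith(lan_prefixes):
        return "lan"
    return "other"


def exposure(text, lan_prefixes=("192.168.",)):
    """Sorted port lists keyed by scope. Ports under 'wildcard' are open on
    the Internet-facing link unless the packet filter says otherwise."""
    groups = {"wildcard": set(), "loopback": set(), "lan": set(), "other": set()}
    for _, addr, port in parse_listeners(text):
        groups[scope(addr, lan_prefixes)].add(port)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed input: the listing posted in the thread.
NETSTAT = """\
tcp4       0      0  *.8021                 *.*                    LISTEN
tcp4       0      0  *.901                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.222                  *.*                    LISTEN
tcp6       0      0  ::1.953                *.*                    LISTEN
tcp4       0      0  127.0.0.1.953          *.*                    LISTEN
tcp4       0      0  127.0.0.1.53           *.*                    LISTEN
tcp4       0      0  192.168.2.1.53         *.*                    LISTEN
"""

if __name__ == "__main__":
    for where, ports in exposure(NETSTAT).items():
        print(f"{where:9s} {ports}")
```

On the box itself the same thing is `netstat -an | grep LISTEN | python3 this_script.py` after swapping NETSTAT for `sys.stdin.read()`; the useful output is the "wildcard" line, which is the list to reconcile against the `pass in on tun0` rules in pf.conf.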
Re: Strange behavior of ppp, pf and altq on FreeBSD 5.3
Hi!

It's me again, the workaround for the first problem does not always work, only sometimes. I hope that somebody could help!

Regards,
Mauricio.

On Mon, 13 Dec 2004 21:30:49 -0300, Mauricio Brunstein <[EMAIL PROTECTED]> wrote:
> Please help!
>
> I am new to FreeBSD, and UNIX in general, but from the beginning I'm
> fascinated. I had configured a FreeBSD 5.3 machine to be the
> Firewall/gateway of 8 windows PC's. The machine has 2 interfaces: one
> (fxp0) is connected to the ADSL modem and the other (rl0) is
> connected to a switch where the windows boxes are connected too. The
> first problem is that sometimes, when ppp redials to the pppoe Internet
> provider, I can use Internet from the FreeBSD machine, but not from
> the internal network. I had found a workaround to this problem:
>
> server:~ $ cat /etc/ppp/ppp.linkup
> default:
>  ! pfctl -F all -f /etc/pf.conf && /usr/local/etc/ez-ipupdate.conf
> -
> Refreshing the pf rules, the nat appears to work again, after a connection
> drop.
>
> The problem that I can't solve is the following:
>
> The FreeBSD manual states that one must use router_enable="NO" in
> rc.conf, to avoid routed deleting the routes added by ppp. If I do
> this, I can't have access to the box from outside using ssh.
>
> For reference I added the content of the following files:
>
> /etc/rc.conf
> /etc/start_if.tun0
> /etc/ppp/ppp.conf
> /etc/pf.conf
> /root/kernels/GENERICconALTQ # the kernel config file
> dmesg
>
> Thank you very much!!!
>
> -
> server:~ $ cat /etc/rc.conf
>
> # -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
> # Created: Sun Nov 21 13:07:41 2004
> # Enable network daemons for user convenience.
> # Please make all changes to this file, not to /etc/defaults/rc.conf.
> # This file now contains just the overrides from /etc/defaults/rc.conf.
>
> hostname="server.estudio"
> ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.0"
> netd_enable="YES"
> saver="dragon"
> scrnmap="NO"
> sshd_enable="YES"
> sshd_flags="-4 -p 222"
> usbd_enable="YES"
> network_interfaces="lo0 tun0 rl0"
> ifconfig_tun0=
> #router_enable="NO"
> router_enable="YES"
> gateway_enable="YES"            # Set to YES if this host will be a gateway
> pf_enable="YES"                 # Enable PF (load module if required)
> pf_rules="/etc/pf.conf"         # rules definition file for pf
> pf_flags=""                     # additional flags for pfctl startup
> #pflog_enable="YES"             # start pflogd(8)
> #pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
> #pflog_flags=""                 # additional flags for pflogd startup
> inetd_enable="YES"              # Run the network daemon dispatcher (YES/NO).
> inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
> inetd_flags="-wW -C 60"         # Optional flags to inetd
> #nmbd_enable="YES"
> #smbd_enable="YES"
> #winbindd_enable="YES"
> named_enable="YES"              # Run named, the DNS server (or NO).
> named_program="/usr/sbin/named" # path to named, if you want a different one.
> named_flags="-u bind"           # Flags for named
> named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
> named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)
> named_chroot_autoupdate="YES"   # Automatically install/update chrooted
>                                 # components of named. See /etc/rc.d/named.
> named_symlink_enable="YES"      # Symlink the chrooted pid file
>
> ---
>
> server:~ $ uname -a
> FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue
> Nov 23 02:13:24 ART 2004
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICconALTQ i386
>
> server:~ $ cat /etc/start_if.tun0
> ppp -ddial default && /usr/local/etc/ez-ipupdate.conf
>
> ---
>
> server:~ $ sudo cat /etc/ppp/ppp.conf
> default:
>  set log Phase Chat IPCP CCP tun command
>  # set log Phase Chat LCP IPCP CCP tun command
>  # nat enable yes
>  # nat same_ports yes
>  # nat use_sockets yes
>  set device PPPo
Re: just a couple quick pf/nat questions
> And are there any pf config generation pages out there yet?

Look at this:

http://www.onlamp.com/pub/a/bsd/2003/06/26/ssn_openbsd.html?page=1

Regards,
Mauricio
Strange behavior using ppp, pf and altq on FreeBSD 5.3
Please help!

I am new to FreeBSD, and UNIX in general, but from the beginning I'm fascinated. I had configured a FreeBSD 5.3 machine to be the Firewall/gateway of 8 windows PC's. The machine has 2 interfaces: one (fxp0) is connected to the ADSL modem and the other (rl0) is connected to a switch where the windows boxes are connected too. The first problem is that sometimes, when ppp redials to the pppoe Internet provider, I can use Internet from the FreeBSD machine, but not from the internal network. I had found a workaround to this problem:

server:~ $ cat /etc/ppp/ppp.linkup
default:
 ! pfctl -F all -f /etc/pf.conf && /usr/local/etc/ez-ipupdate.conf
-
Refreshing the pf rules, the nat appears to work again, after a connection drop.

The problem that I can't solve is the following:

The FreeBSD manual states that one must use router_enable="NO" in rc.conf, to avoid routed deleting the routes added by ppp. If I do this, I can't have access to the box from outside using ssh.

For reference I added the content of the following files:

/etc/rc.conf
/etc/start_if.tun0
/etc/ppp/ppp.conf
/etc/pf.conf
/root/kernels/GENERICconALTQ # the kernel config file
dmesg

Thank you very much!!!

-
server:~ $ cat /etc/rc.conf

# -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
# Created: Sun Nov 21 13:07:41 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="server.estudio"
ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.0"
netd_enable="YES"
saver="dragon"
scrnmap="NO"
sshd_enable="YES"
sshd_flags="-4 -p 222"
usbd_enable="YES"
network_interfaces="lo0 tun0 rl0"
ifconfig_tun0=
#router_enable="NO"
router_enable="YES"
gateway_enable="YES"            # Set to YES if this host will be a gateway
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
#pflog_enable="YES"             # start pflogd(8)
#pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
#pflog_flags=""                 # additional flags for pflogd startup
inetd_enable="YES"              # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
inetd_flags="-wW -C 60"         # Optional flags to inetd
#nmbd_enable="YES"
#smbd_enable="YES"
#winbindd_enable="YES"
named_enable="YES"              # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # path to named, if you want a different one.
named_flags="-u bind"           # Flags for named
named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES"   # Automatically install/update chrooted
                                # components of named. See /etc/rc.d/named.
named_symlink_enable="YES"      # Symlink the chrooted pid file

---

server:~ $ uname -a
FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue Nov 23 02:13:24 ART 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICconALTQ i386

server:~ $ cat /etc/start_if.tun0
ppp -ddial default && /usr/local/etc/ez-ipupdate.conf

---

server:~ $ sudo cat /etc/ppp/ppp.conf
default:
 set log Phase Chat IPCP CCP tun command
 # set log Phase Chat LCP IPCP CCP tun command
 # nat enable yes
 # nat same_ports yes
 # nat use_sockets yes
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname xx
 set authkey yy
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255
 add default HISADDR
 # enable lqr
 disable ipv6cp
 # set lqrperiod 25
 enable dns

server:~ $ cat /etc/pf.conf
## Macros
NoRoute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

## Tables

# Options
#set optimization aggressive
set debug loud

# Normalization
#scrub in on tun0 all random-id no-df
scrub in on tun0 all

# Queueing
altq on tun0 priq bandwidth 100Kb queue { q_pri, q_def, q_med }
queue q_pri priority 7
queue q_med priority 3
queue q_def priority 1 priq(default)

## nat
# General:
nat on tun0 from 192.168.2.0/24 to any -> (tun0)
rdr on rl0 proto udp from any to 192.168.2.1/32 port 53 -> 200.42.0.109 port 53

# FTP and HTTP Server on the internal network:
#rdr on tun0 proto tcp from any to (tun0)/32 port 21 -> 192.168.2.33 po
Can't reach a FreeBSD 5.3 machine through a ppp connection
Hi! I'm installing a machine that will be a firewall and a Samba server for a 4-person office. The machine has 2 NICs and connects to the Internet using PPPoE. It is using pf and ALTQ. Initially there were problems establishing the PPPoE connection in the office, using the same ppp.conf that previously worked in my lab (only changing the username/password). Here is my ppp.conf file:

    server:~ $ sudo cat /etc/ppp/ppp.conf
    default:
     set log Phase Chat LCP IPCP CCP tun command
     set device PPPoE:fxp0
     set mtu 1492
     set mru 1492
     enable mssfixup
     set speed sync
     disable acfcomp protocomp
     deny acfcomp
     set authname x
     set authkey x
     add default HISADDR
     enable lqr
     set lqrperiod 25
     enable dns

I got some messages in ppp.log like this one:

    Nov 23 15:00:35 server ppp[533]: tun0: LCP: deflink: -- Protocol 0x8057 (Internet Protocol V6 Control Protocol) was rejected!
    Nov 23 15:00:41 server ppp[533]: tun0: Phase: deflink: IPV6CP protocol reject closes IPV6CP !

After that I added "disable ipv6cp", and commented out "enable lqr" and "set lqrperiod 25", and the connection didn't drop anymore. It seems that this provider doesn't support LQR.

It appeared that everything was working fine, but when I tried to use ssh to log in to this box from outside it was not possible. Some time after issuing the ssh command, I get the following error:

    ssh: connect to host dsuaya.ath.cx port 22: Operation timed out.

After some tests, I discovered that changing router_enable to "YES" in /etc/rc.conf solved the problem. But the section "21.2.1.5 Final System Configuration" of the FreeBSD handbook states:

    "Make sure the router program is set to NO with the following line in your /etc/rc.conf:

        router_enable="NO"

    It is important that the routed daemon is not started (it is by default), as routed tends to delete the default routing table entries created by ppp."

So, is there another way to resolve this?

Note that I'm always able to establish connections from this box to a host on the Internet, but I can't establish a connection from those hosts to this one if router_enable="NO".

Thanks in advance,
Mauricio.

Some data of interest:

    server:~ $ uname -a
    FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue Nov 23 02:13:24 ART 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICWALTQ i386
    server:~ $
    server:~ $ cat /etc/rc.conf
    # -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
    # Created: Sun Nov 21 13:07:41 2004
    # Enable network daemons for user convenience.
    # Please make all changes to this file, not to /etc/defaults/rc.conf.
    # This file now contains just the overrides from /etc/defaults/rc.conf.
    #
    hostname="server.estudio"
    ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.0"
    netd_enable="YES"
    saver="dragon"
    scrnmap="NO"
    sshd_enable="YES"
    sshd_flags="-4 -p 22"
    usbd_enable="YES"
    network_interfaces="lo0 tun0 rl0"
    ifconfig_tun0=
    router_enable="YES"             # remember to disable this!
    #router_enable="NO"             # Set to YES to enable a routing daemon.
    router="/sbin/routed"           # Name of routing daemon to use if enabled.
    router_flags="-q"               # Flags for routing daemon.
    gateway_enable="YES"            # Set to YES if this host will be a gateway
    pf_enable="YES"                 # Enable PF (load module if required)
    pf_rules="/etc/pf.conf"         # rules definition file for pf
    pf_flags=""                     # additional flags for pfctl startup
    #pflog_enable="YES"             # start pflogd(8)
    #pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
    #pflog_flags=""                 # additional flags for pflogd startup
    inetd_enable="YES"              # Run the network daemon dispatcher (YES/NO).
    inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
    inetd_flags="-wW -C 60"         # Optional flags to inetd
    server:~ $
    server:~ $ cat /etc/start_if.tun0
    ppp -ddial default; /usr/local/etc/ez-ipupdate.conf

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
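Both posts above end up with router_enable flipped to "YES" on a pf gateway (against the handbook passage quoted), pflogd off, inetd on and, in the first post, sshd on a non-default port; those are the settings a reviewer would check mechanically. The following Python is an added example, not code from either post or from FreeBSD: it reads rc.conf the way sh(1) does (a later assignment overrides an earlier one, an unquoted '#' starts a comment) and flags those settings, using a constructed sample rather than the posters' files.

```python
import re

# Constructed sample, not the poster's file: the effective settings both posts
# above quote, including the commented-out and inline-commented router_enable lines.
SAMPLE_RC_CONF = """\
sshd_enable="YES"
sshd_flags="-4 -p 222"
ifconfig_tun0=
#router_enable="NO"
router_enable="YES"# remember to disable this!
router_flags="-q"
gateway_enable="YES" # Set to YES if this host will be a gateway
pf_enable="YES"
#pflog_enable="YES"
inetd_enable="YES"
"""

# key=value with a double-quoted, single-quoted or bare value; '#' ends a bare value.
ASSIGN = re.compile(r'''^\s*([A-Za-z_][A-Za-z0-9_]*)=("([^"]*)"|'([^']*)'|([^\s#]*))''')

def parse_rc_conf(text):
    """Effective key -> value map, read the way sh(1) reads rc.conf: a line
    starting with '#' is a comment and a later assignment overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = next(g for g in m.groups()[2:] if g is not None)
    return conf

def audit(conf):
    """Findings for a ppp(8)/pf gateway, as (variable, reason) pairs."""
    on = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []
    if on("router_enable"):
        # routed listens for RIP on UDP/520 and, as the handbook passage quoted
        # above warns, tends to delete the default route ppp adds via HISADDR.
        findings.append(("router_enable", 'routed is started; handbook says router_enable="NO" on a ppp gateway'))
    if on("gateway_enable") and on("pf_enable") and not on("pflog_enable"):
        findings.append(("pflog_enable", "pf filters for a gateway but pflogd is off: no record of blocked or passed traffic"))
    if on("inetd_enable"):
        findings.append(("inetd_enable", "inetd is on: every service in /etc/inetd.conf is reachable unless pf blocks it"))
    port = re.search(r"-p\s*(\d+)", conf.get("sshd_flags", ""))
    if port and port.group(1) != "22":
        findings.append(("sshd_flags", f"sshd listens on {port.group(1)}; pf pass rules must open that port, not 22"))
    return findings
```

Running audit(parse_rc_conf(open("/etc/rc.conf").read())) on the real file gives the same list of (variable, reason) pairs; a clean gateway returns an empty list.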