[Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-12 Thread Rick Price

I'm having trouble getting scp to work through a Bering firewall (it
hangs).

I have no trouble whatsoever with ssh.

I have only tried to scp things from the outside into a machine in the
dmz, and from the internal network into the dmz. No other incoming
connections are allowed.

I tried removing the ssh entries for TOS, but that did not seem to fix
things.

A friend had it work once with no problems from freeshell.org. But it now
seems broken.

I have used scp a lot before with no problems (but not with Bering). So
far I have tried it from Debian Testing and OpenSSH on Solaris 8.

My Bering firewall is configured to allow everything out from the internal
network (both external network, and into dmz).

Allow one port (tcp 1966) into the dmz from the Internet to port 22 on a
machine inside.

The outside network and the dmz are not allowed into the internal network.

The dmz is allowed out.

Does anyone else have these problems, or am I missing something?

Rick



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-12 Thread Jacques Nilo

> I'm having trouble getting scp to work through a Bering firewall (it
> hangs).
Which version are you using ? Where did you get it from ?
Jacques





Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-12 Thread Rick Price

Uh, sorry about that, I was trying really hard to have everything in the
email.

This is from the readme file:

LEAF "Bering" Firewall - V1.0-rc1 Jacques Nilo <[EMAIL PROTECTED]>
On Fri, 12 Apr 2002, Jacques Nilo wrote: Eric Wolzak <[EMAIL PROTECTED]>
Instruction & user's guide at:>


On Fri, 12 Apr 2002, Jacques Nilo wrote:

> > I'm having trouble getting scp to work through a Bering firewall (it
> > hangs).
> Which version are you using ? Where did you get it from ?
> Jacques
>





Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-12 Thread Jacques Nilo

> Uh, sorry about that, I was trying really hard to have everything in the
> email.
> 
> This is from the readme file:
> 
> LEAF "Bering" Firewall - V1.0-rc1 Jacques Nilo <[EMAIL PROTECTED]>
> On Fri, 12 Apr 2002, Jacques Nilo wrote: Eric Wolzak <[EMAIL PROTECTED]>
> Instruction & user's guide at:>

No I mean where did you get the scp package from ?
Also are you using from with the firewall or not ?
Also do you have ssh installed (scp is a wrapper program to ssh) ?
If so is your ssh version the same as your scp version ?

Jacques





Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-12 Thread Rick Price

I'm not using scp or ssh *into* the firewall, I just want to get through
it from the outside to the inside so to speak.

So I don't have any scp or ssh installed on the firewall.

My ssh on my pc(s) would be the latest Debian Testing version from about a
week ago. It's OpenSSH_3.0.2p1.

On solaris it's, OpenSSH_3.0.2p1 from Sunfreeware.com

The target machine runs Debian testing, ssh version as above.

SSH works just fine through the firewall.

I would pretty much have to assume my scp version is the same as the ssh
version because I always install it as a package.

One way I try to use it is to scp from my work Solaris machine to my
machine in the dmz. I've tried it with scp from Cygwin on my work NT2000
machine and it's also broken.

The other way is to scp from my internal (home) debian or Solaris machine
and it is broken as well.

SSH works just fine in these situations.

I have not tried to scp out from inside the firewall (except from internal
to dmz) because I have nowhere to copy to until I can get into work from
home.

I did a verbose on scp and it does not come up with any errors.

I noticed a message on the net about TOS not properly dealing with a
checksum in < 2.4.2 kernels, and so I removed the TOS entries for SSH but
that didn't seem to make a difference.

Please switch to my other email for the weekend [EMAIL PROTECTED], I'm
leaving work soon and I can't access my work email from home. (work
firewall issues).


Rick

On Fri, 12 Apr 2002, Jacques Nilo wrote:

> > Uh, sorry about that, I was trying really hard to have everything in the
> > email.
> >
> > This is from the readme file:
> >
> > LEAF "Bering" Firewall - V1.0-rc1 Jacques Nilo <[EMAIL PROTECTED]>
> > On Fri, 12 Apr 2002, Jacques Nilo wrote: Eric Wolzak <[EMAIL PROTECTED]>
> > Instruction & user's guide at:>
>
> No I mean where did you get the scp package from ?
> Also are you using from with the firewall or not ?
> Also do you have ssh installed (scp is a wrapper program to ssh) ?
> If so is your ssh version the same as your scp version ?
>
> Jacques
>





Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-14 Thread Jeff Newmiller

On Fri, 12 Apr 2002, Rick Price wrote:

> I'm having trouble getting scp to work through a Bering firewall (it
> hangs).
> 
> I have no trouble whatsoever with ssh.
> 
> I have only tried to scp things from the outside into a machine in the
> dmz, and from the internal network into the dmz. No other incoming
> connections are allowed.
> 
> I tried removing the ssh entries for TOS, but that did not seem to fix
> things.
> 
> A friend had it work once with no problems from freeshell.org. But it now
> seems broken.
> 
> I have used scp a lot before with no problems (but not with Bering). So
> far I have tried it from Debian Testing and OpenSSH on Solaris 8.
> 
> My Bering firewall is configured to allow everything out from the internal
> network (both external network, and into dmz).
> 
> Allow one port (tcp 1966) into the dmz from the Internet to port 22 on a
> machine inside.
> 
> The outside network and the dmz are not allowed into the internal network.
> 
> The dmz is allowed out.
> 
> Does anyone else have these problems, or am I missing something?

I don't use scp from outside a firewall... but scp passes through a single
ssh tunnel, so if ssh works, the networking portion of scp should work,
and Bering should have absolutely nothing to do with it.

I would review the names for your hosts... each endpoint should be able to
identify the other.  To eliminate name resolution from the picture for
troubleshooting, use ip addresses in your file-specifications.

Also, confirm that scp is installed and working on each end.  Try ssh'ing
to the other end, and scp'ing from there. Also try the -v option.

---
Jeff NewmillerThe .   .  Go Live...
DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---





Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-15 Thread Ray Olszewski

Rick -- I read through all 3 messages you posted, and from what you write
there, scp *should* work. Whatever the problem, I'm doubtful that it's related
to Bering, since to it, there is no visible difference between an ssh and an
scp connection going through it. So ... 

I noticed that the one thing missing from your reports is a description of
what the actual failures looked like. What errors does scp report at the
originating end? Are the errors different on the Sun-Sid system and on the
Win2K-CygWin system? Are there any relevant entries in the Bering-dmz
system's logs?

Also ... what sort of authentication are ssh and scp using on the dmz
system? I'm used to using it (and scp) with userid/password authentication.
If your Bering-dmz system uses, say, RSA authentication, there may be scp
issues I'm not thinking of. (What issues? Beats me; if I knew, it wouldn't
be something I'm not thinking of.)

Third, just to be clear ... the successful ssh connections to the Bering-dmz
Debian-Sid system from the Sun-Sid system and the unsuccessful scp
connections between them do use the same userid, right? Same question for
connections from the CygWin system. And the scp connections don't involve
directories/files where there might be permissions problems with reading or
writing (whichever way you are testing)?


At 10:14 PM 4/14/02 -0700, Jeff Newmiller wrote:
>On Fri, 12 Apr 2002, Rick Price wrote:
>
>> I'm having trouble getting scp to work through a Bering firewall (it
>> hangs).
>> 
>> I have no trouble whatsoever with ssh.
>> 
>> I have only tried to scp things from the outside into a machine in the
>> dmz, and from the internal network into the dmz. No other incoming
>> connections are allowed.
>> 
>> I tried removing the ssh entries for TOS, but that did not seem to fix
>> things.
>> 
>> A friend had it work once with no problems from freeshell.org. But it now
>> seems broken.
>> 
>> I have used scp a lot before with no problems (but not with Bering). So
>> far I have tried it from Debian Testing and OpenSSH on Solaris 8.
>> 
>> My Bering firewall is configured to allow everything out from the internal
>> network (both external network, and into dmz).
>> 
>> Allow one port (tcp 1966) into the dmz from the Internet to port 22 on a
>> machine inside.
>> 
>> The outside network and the dmz are not allowed into the internal network.
>> 
>> The dmz is allowed out.
>> 
>> Does anyone else have these problems, or am I missing something?
>
>I don't use scp from outside a firewall... but scp passes through a single
>ssh tunnel, so if ssh works, the networking portion of scp should work,
>and Bering should have absolutely nothing to do with it.
>
>I would review the names for your hosts... each endpoint should be able to
>identify the other.  To eliminate name resolution from the picture for
>troubleshooting, use ip addresses in your file-specifications.
>
>Also, confirm that scp is installed and working on each end.  Try ssh'ing
>to the other end, and scp'ing from there. Also try the -v option.
>
>---
>Jeff NewmillerThe .   .  Go Live...
>DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
>  Live:   OO#.. Dead: OO#..  Playing
>Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
>/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
>---
>
>
>

--
"Never tell me the odds!"---
Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]






Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-15 Thread Rick Price

I use password authentication.

Everything is the same except that I use scp instead of ssh.

scp just hangs, I used the -v option and it gave me no errors. I've had
essentially the same problem across all the systems.

I didn't let it sit there that long, so I didn't wait long enough for
timeout errors.

I think there is actually one difference between ssh and scp, scp sets the
TOS flag differently (or so I have read). Bering seems to let you set TOS
flags based on where the traffic is going, I did disable the flags for
SSH, but to no avail.

I've read that there was a bug in kernels less than 2.4.2 where scp was
derailed by the TOS code not properly computing a checksum when it changed
the TOS type of packets going through.

But I have not checked to see what kernel Bering uses.

I've done scp lots of times through firewalls before and so I find it
really puzzling.

I just put a DNS server in the DMZ, so maybe I will give it another spin.

Rick

On Mon, 15 Apr 2002, Ray Olszewski wrote:

> Rick -- I read through all 3 messages you posted, and from what you write
> there, scp *should* work. Whatever the problem, I'm doubtful that it's related
> to Bering, since to it, there is no visible difference between an ssh and an
> scp connection going through it. So ...
>
> I noticed that the one thing missing from your reports is a description of
> what the actual failures looked like. What errors does scp report at the
> originating end? Are the errors different on the Sun-Sid system and on the
> Win2K-CygWin system? Are there any relevant entries in the Bering-dmz
> system's logs?
>
> Also ... what sort of authentication are ssh and scp using on the dmz
> system? I'm used to using it (and scp) with userid/password authentication.
> If your Bering-dmz system uses, say, RSA authentication, there may be scp
> issues I'm not thinking of. (What issues? Beats me; if I knew, it wouldn't
> be something I'm not thinking of.)
>
> Third, just to be clear ... the successful ssh connections to the Bering-dmz
> Debian-Sid system from the Sun-Sid system and the unsuccessful scp
> connections between them do use the same userid, right? Same question for
> connections from the CygWin system. And the scp connections don't involve
> directories/files where there might be permissions problems with reading or
> writing (whichever way you are testing)?
>
>
> At 10:14 PM 4/14/02 -0700, Jeff Newmiller wrote:
> >On Fri, 12 Apr 2002, Rick Price wrote:
> >
> >> I'm having trouble getting scp to work through a Bering firewall (it
> >> hangs).
> >>
> >> I have no trouble whatsoever with ssh.
> >>
> >> I have only tried to scp things from the outside into a machine in the
> >> dmz, and from the internal network into the dmz. No other incoming
> >> connections are allowed.
> >>
> >> I tried removing the ssh entries for TOS, but that did not seem to fix
> >> things.
> >>
> >> A friend had it work once with no problems from freeshell.org. But it now
> >> seems broken.
> >>
> >> I have used scp a lot before with no problems (but not with Bering). So
> >> far I have tried it from Debian Testing and OpenSSH on Solaris 8.
> >>
> >> My Bering firewall is configured to allow everything out from the internal
> >> network (both external network, and into dmz).
> >>
> >> Allow one port (tcp 1966) into the dmz from the Internet to port 22 on a
> >> machine inside.
> >>
> >> The outside network and the dmz are not allowed into the internal network.
> >>
> >> The dmz is allowed out.
> >>
> >> Does anyone else have these problems, or am I missing something?
> >
> >I don't use scp from outside a firewall... but scp passes through a single
> >ssh tunnel, so if ssh works, the networking portion of scp should work,
> >and Bering should have absolutely nothing to do with it.
> >
> >I would review the names for your hosts... each endpoint should be able to
> >identify the other.  To eliminate name resolution from the picture for
> >troubleshooting, use ip addresses in your file-specifications.
> >
> >Also, confirm that scp is installed and working on each end.  Try ssh'ing
> >to the other end, and scp'ing from there. Also try the -v option.
> >
> >---
> >Jeff NewmillerThe .   .  Go Live...
> >DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
> >  Live:   OO#.. Dead: OO#..  Playing
> >Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
> >/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
> >---
> >
> >
> >
>
> --
> "Never tell me the odds!"---
> Ray Olszewski

Re: [Leaf-user] SCP _through_ Bering firewall disk problem

2002-04-15 Thread Tom Eastep

On Mon, 15 Apr 2002, Rick Price wrote:

>
> I've done scp lots of times through firewalls before and so I find it
> really puzzling.
>

I use scp through a Shorewall firewall all the time as well with no
problems (kernels 2.4.2 through 2.4.18) with the default Shorewall TOS
settings.

You may have to use tcpdump to see what's going on in your setup.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
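
Added example (not from any poster in this thread): the mechanism behind the TOS/checksum report mentioned above, and what a tcpdump capture on the DMZ side would need to be checked for. The IPv4 header checksum covers the TOS byte, so a firewall that rewrites TOS must also update the checksum or the receiver discards the packet. The header below is constructed, with documentation-range addresses; the two TOS values assume OpenSSH's usual marking of interactive sessions as low-delay and bulk transfers such as scp as throughput.

```python
import struct

IPTOS_LOWDELAY, IPTOS_THROUGHPUT = 0x10, 0x08  # values from <netinet/ip.h>

def fold(total: int) -> int:
    """Fold carries back in (ones'-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum over the header, checksum field included."""
    return ~fold(sum(struct.unpack(f"!{len(header) // 2}H", header))) & 0xFFFF

def header_is_valid(header: bytes) -> bool:
    # A header carrying a correct checksum sums to 0xFFFF, whose complement is 0.
    return ip_checksum(header) == 0

def build_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4 header (protocol 6 = TCP), checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 1500, 0x1234,
                                0x4000, 64, 6, 0,
                                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)

def mangle_tos_buggy(header: bytes, new_tos: int) -> bytes:
    """Rewrite TOS but leave the old checksum in place (the failure mode)."""
    out = bytearray(header)
    out[1] = new_tos
    return bytes(out)

def mangle_tos_correct(header: bytes, new_tos: int) -> bytes:
    """Rewrite TOS and patch the checksum incrementally (RFC 1624, eqn. 3)."""
    out = bytearray(header)
    old_word, = struct.unpack_from("!H", out, 0)   # version/IHL + old TOS
    out[1] = new_tos
    new_word, = struct.unpack_from("!H", out, 0)   # version/IHL + new TOS
    old_sum, = struct.unpack_from("!H", out, 10)
    total = fold((~old_sum & 0xFFFF) + (~old_word & 0xFFFF) + new_word)
    struct.pack_into("!H", out, 10, ~total & 0xFFFF)
    return bytes(out)

def demo():
    original = build_header(IPTOS_LOWDELAY)
    buggy = mangle_tos_buggy(original, IPTOS_THROUGHPUT)
    fixed = mangle_tos_correct(original, IPTOS_THROUGHPUT)
    return header_is_valid(original), header_is_valid(buggy), header_is_valid(fixed)

if __name__ == "__main__":
    print(demo())
```

In a capture, this shows up as packets that leave the firewall with a changed TOS value and an IP header checksum that no longer verifies; tcpdump checks the IP header checksum when run with `-v`.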

