I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE 10.1 workstation from remote locations. The purpose is to run NX server/clients and SSH in the first phase. So far port 22 of my network router is directed to the SuSE workstation, and I've tried with YaST to enable the ssh service in the firewall. But the workstation doesn't seem to respond to remote ssh commands.

Looking in /etc/sysconfig/SuSEfirewall2 the following are set:

FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"

I'm not sure about the use of the required zones EXT, INT and/or DMZ. In YaST2 I could not see a way to set both "ssh 22" as commented in the config file either.

Suggestions on how to do this, and on what is the preferred way to test the settings, locally and from remote?

Thanks, Terje J. Hanssen
Hi Terje, On Sunday 15 October 2006 17:53, Terje J. Hanssen wrote:
I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE 10.1 workstation from remote locations. The purpose is to run NX server/clients and SSH in the first phase. So far port 22 of my network router is directed to the SuSE workstation, and I've tried with YaST to enable the ssh service in the firewall. But the workstation doesn't seem to respond on remote ssh commands.
Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
I'm not sure about use of required zones EXT, INT and/or DMZ? In YaST2 I could neither see a way to set both "ssh 22" as commented in the config.file?
Suggestions to how to do this and to what is the preferred way to test the settings, locally and from remote?
Is the workstation connected to the internet? If not, try to disable the firewall: as root enter

rcSuSEfirewall2 stop

Then try to ping the workstation from another computer in your network:

ping <IP address of workstation>

If this works well, the network connection to your workstation is ok and you can proceed further. If not, you will have to check your routing.

If your workstation is connected to the internet, you will probably want to remove the entries for microsoft-ds, netbios-dgm and netbios-ns from FW_SERVICES_EXT_*. Otherwise you would allow anybody access to a SAMBA server on your workstation, which is probably not a good idea. The lines should read

FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""

to allow ssh access only.

Next step would be to check whether the SSH daemon is running at all. As root at the workstation enter

rcsshd status

If it is not 'running' try to start it with

rcsshd start

Check for any error messages here. If the service is running or can be started, try from another computer to access your workstation. telnet might be a good program to try:

telnet <IP address of your workstation> 22

You should get at least some message from the SSH daemon. If this also works, you can try the SSH program to connect to your workstation. If you run it on Linux, add parameter -vv to get some information on what happens during start of connection. Also have a look into /var/log/messages and check whether the SSH daemon complains about something. If a remote ssh connection does not work, try it from the workstation itself:

ssh localhost

Does this work or do you get any error messages?

Bye, Jürgen
Hi Jürgen,

Thank you for replying. I'm sitting "external" from my office network just now on my home PC running openSUSE 10.1. Therefore I cannot run all the local tests you mentioned before tomorrow, internally at my office. What I can do and have verified now is:

Running openvpn and tsclient/RDP clients on my Linux home PC I can connect to my office Win2k Terminal server running openvpn. This is equivalent to the NX connection I wish to my office Linux workstation, with the exception that NX uses its embedded ssh. I'll use NX client for Linux on my home PC connecting to my office openSUSE 10.1 workstation running NX server, and also use NX client for Windows on my office. But first I'll try to get a plain ssh connection to work.

Internal ping ok
Logged on to my Win2kTS and started a Command terminal. Ping ok with no response problem from my networked Linux workstation, trying both its private IP (NAT) and hostname. I know also there is no problem pinging the opposite way to all networked hosts and printers on my office.

Internal telnet attempt
Started also a Win2kTS telnet window and tried
open internal_IP_of_Linux_host 22
which responded "SSH-1.99-OpenSSH_4.2"; entered Return, then got "Protocol mismatch".

Tried also from my home PC in a terminal
telnet external_IP_of_office_router 22
but got no response.

Does this say something more to possibly try?

Else, yes, my office Linux workstation is connected to the Internet through a Netscreen router and firewall (gateway). I thought the entries microsoft and netbios in the config file came from installing the Samba server, which I haven't really set up yet. Are they possibly required for Samba?

Terje

Jürgen Mell wrote:
Hi Terje,
On Sunday 15 October 2006 17:53, Terje J. Hanssen wrote:
I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE 10.1 workstation from remote locations. The purpose is to run NX server/clients and SSH in the first phase. So far port 22 of my network router is directed to the SuSE workstation, and I've tried with YaST to enable the ssh service in the firewall. But the workstation doesn't seem to respond on remote ssh commands.
Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
I'm not sure about use of required zones EXT, INT and/or DMZ? In YaST2 I could neither see a way to set both "ssh 22" as commented in the config.file?
Suggestions to how to do this and to what is the preferred way to test the settings, locally and from remote?
Is the workstation connected to the internet?
If not, try to disable the firewall: As root enter
rcSuSEfirewall2 stop
Then try to ping the workstation from another computer in your network
ping <IP address of workstation>
If this works well, the network connection to your workstation is ok and you can proceed further. If not, you will have to check your routing.
If your workstation is connected to the internet, you will probably want to remove the entries for microsoft-ds, netbios-dgm and netbios-ns from FW_SERVICES_EXT_*. Otherwise you would allow anybody access to a SAMBA server on your workstation which is probably not a good idea. The lines should read
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
to allow ssh access only.
Next step would be to check whether the SSH daemon is running at all. As root at the workstation enter
rcsshd status
If it is not 'running' try to start it with
rcsshd start
Check for any error messages here. If the service is running or can be started, try from another computer to access your workstation. telnet might be a good program to try:
telnet <IP address of your workstation> 22
You should get at least some message from the SSH daemon. If this also works, you can try the SSH program to connect to your workstation. If you run it on Linux, add parameter -vv to get some information on what happens during start of connection. Also have a look into /var/log/messages and check whether the SSH daemon complains about something. If a remote ssh connection does not work, try it from the workstation itself:
ssh localhost
Does this work or do you get any error messages?
Bye, Jürgen
Terje J. Hanssen wrote:

I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE 10.1 workstation from remote locations. The purpose is to run NX server/clients and SSH in the first phase. So far port 22 of my network router is directed to the SuSE workstation, and I've tried with YaST to enable the ssh service in the firewall. But the workstation doesn't seem to respond on remote ssh commands.

First of all, how many NICs (network cards) are inside the box? If there is only one, this should be dev_ext (external device).

Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"

This is correct as far as the external device is the device showing to the clients. If you use it as a router then you must set rules for dev_int to get access from the internal network. If you intend to allow access to the internet and use a separate router you must set up forwarding rules on the router's firewall!

I'm not sure about use of required zones EXT, INT and/or DMZ? In YaST2 I could neither see a way to set both "ssh 22" as commented in the config.file?

EXT/INT/DMZ, what the heck is this, most newbies ask ...

You can use a router from your provider or build your own firewall with Linux (especially on this list with SuSE Linux).

EXT - external network card (shows to the bad internet). Here you allow which services on the server are allowed.
INT - internal network card (shows to the clients in your network). Here you allow what the clients are allowed.
DMZ - demilitarized zone (this is the place where the servers live in more complex environments). Here you place servers and allow access from the server's side. On the server's side you have to look at what is allowed and build their own firewall rules in addition to your firewall here on this Linux router!

On the other hand there are two ways to set up a router (own ip-range or masquerading for DSL/cable/...). In both cases you can forward ports, which means the same you do on the router to bypass the firewall and directly forward a request to a designated port. With forwarding some people think it is evil, some others use it. What you will do depends on your decision.

The best way to set up a firewall is to first disallow everything and then allow what you want to allow! This is the way SuSEfirewall2 is designed (more or less, but you have to get through the script). For my purpose I modify the script as there are a lot of double rules you really don't need in any case if you have no DMZ!

@SuSE-Team: Can someone at SuSE have a look at the SuSEfirewall2 script and change it so that in case of no use of DMZ the iptables rules aren't set? This minimizes the amount of rules needed. Another thing is the big size of logs which are written if you use the "out of the box" configuration!

Suggestions to how to do this and to what is the preferred way to test the settings, locally and from remote?

The easiest way is to use your "no-name-thingy-dingy-your-provider-gave-you" router. Set up forward rules to your specific server IP.

INTERNET
  |
ROUTER (Forward rule to server)
  |
SERVER in internal network (DEV_EXT)

Set up FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP as you already have and only forward ssh from the router to the server. What not to forward is, on TCP: "microsoft-ds netbios-ssn", and on UDP: "netbios-dgm netbios-ns"!

The name of the service is enough as the firewall uses the ports specified in /etc/services. If you switch things here the changed port is used. Things can be tricky with changing ports, so better leave as is if you don't know what you do! For example I changed, for some reason not to be discussed further, the ssh port to the telnet port and some other security related ports to other unknown ports to minimize the chance of getting unwanted visitors.

By the way, try to read /etc/sysconfig/SuSEfirewall2. The configuration purpose for each line can be read between the (commented out) lines.

Thanks, Terje J. Hanssen

For most common questions you may have a look at this: http://susefaq.sourceforge.net/susefaq.html ! It answers a lot of questions.

With best regards
Philippe
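Philippe's point that SuSEfirewall2 resolves the service names in FW_SERVICES_EXT_* through /etc/services, and Jürgen's advice to leave only ssh exposed on the external zone, turned into a small audit script. This is an added example, not code from the thread or from the SuSEfirewall2 project; the sysconfig and services snippets it writes are constructed from what the thread shows, and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the thread or from SuSEfirewall2): audit what
# a SuSEfirewall2 config exposes on the external zone. As Philippe notes, a
# service name in FW_SERVICES_EXT_* is resolved through /etc/services, so the
# audit resolves names the same way and flags everything that is not ssh,
# which is what Jürgen advises for a box reachable from the Internet. The
# sysconfig and services snippets are constructed from what the thread shows;
# on a real SuSE box pass /etc/sysconfig/SuSEfirewall2 and /etc/services.

write_samples() {   # write_samples <dir>: constructed copies of the two files
    cat > "$1/SuSEfirewall2.sample" <<'EOF'
## Type: string
# Which TCP services should be accessible from the external zone?
# Service names (see /etc/services) or port numbers, e.g. FW_SERVICES_EXT_TCP="ssh 22"
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
EOF
    cat > "$1/services.sample" <<'EOF'
ssh             22/tcp
ssh             22/udp
netbios-ns      137/tcp
netbios-ns      137/udp
netbios-dgm     138/tcp
netbios-dgm     138/udp
netbios-ssn     139/tcp
netbios-ssn     139/udp
microsoft-ds    445/tcp
microsoft-ds    445/udp
EOF
}

# Value of one sysconfig variable: last uncommented assignment, quotes removed.
fw_var() {   # fw_var <config-file> <VARIABLE>
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/"//g'
}

# Port for a service name and protocol, looked up like the firewall does
# (the first matching "name port/proto" entry in a services(5) file).
svc_port() {   # svc_port <services-file> <name> <tcp|udp>
    awk -v n="$2" -v p="$3" \
        '$1 == n && $2 ~ ("^[0-9]+/" p "$") { sub("/.*", "", $2); print $2; exit }' "$1"
}

# One line per exposed service: "<proto> <name> <port>[ <warning>]".
audit_ext() {   # audit_ext <config-file> <services-file>
    cfg=$1; svc=$2
    for proto in tcp udp; do
        var=FW_SERVICES_EXT_$(echo "$proto" | tr a-z A-Z)
        for name in $(fw_var "$cfg" "$var"); do
            case $name in
                *[!0-9]*) port=$(svc_port "$svc" "$name" "$proto") ;;   # a service name
                *)        port=$name ;;                                 # already a port number
            esac
            warn=""
            [ "$name" = ssh ] || warn=" <- not needed for ssh access, consider removing"
            printf '%s %s %s%s\n' "$proto" "$name" "${port:-unknown}" "$warn"
        done
    done
}

# After removing the flagged entries the two variables read as Jürgen gives them:
#   FW_SERVICES_EXT_TCP="ssh"
#   FW_SERVICES_EXT_UDP=""
```

Commented lines such as the "ssh 22" hint in the real config file are ignored by fw_var, which is why YaST only ever shows the service selection: a name and its port number are interchangeable because both end up as the same iptables rule.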
Hi Philippe, Thank you for replying. See also my follow-up reply to Jürgen recently. Philippe Vogel wrote:
Terje J. Hanssen wrote:
I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE 10.1 workstation from remote locations. The purpose is to run NX server/clients and SSH in the first phase. So far port 22 of my network router is directed to the SuSE workstation, and I've tried with YaST to enable the ssh service in the firewall. But the workstation doesn't seem to respond on remote ssh commands. First of all how many nics (network cards) are inside the box? Is there only one this should be dev_ext (external device).
Yes, one, single NIC
Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
This is correct as far as the external device is the device showing to the clients. If you use it as a router then you must set rules to dev_int to get access from internal network. If you intend to allow access to the internet and use a separate router you must setup forwarding rules on the router's firewall!
It's not used as a router. I have a separate Netscreen router with proprietary firewall. Port 22 of this router is forwarded to my Linux box.
Suggestions to how to do this and to what is the preferred way to test the settings, locally and from remote? The easiest way is to use your "no-name-thingy-dingy-your-provider-gave-you" router. Setup forward rules to your specific server-ip.
INTERNET | ROUTER (Forward rule to server) | SERVER in internal network (DEV_EXT)
Setup FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP as you already have and only forward ssh from the router to the server. What to not forward is on TCP-protocol: "microsoft-ds netbios-ssn" and on UDP-protocol: "netbios-dgm netbios-ns"!
Do the "microsoft" and "netbios" entries possibly come from the installation of Samba, although I haven't configured Samba yet? Else, I think this is in principle how my configuration already is. As I already have a firewall running on the separate router, maybe I can disable the SuSE firewall, at least until I get an SSH connection available. But it is installed and enabled by default and I need it on my home PC.
The name of the service is enough as the firewall uses the ports specified in /etc/services. If you switch things here the changed port is used. Things can be tricky with changing ports so better leave as is if you don't know what you do! For example I changed for some not more to be discussed reason ssh-port to telnet-port and some other security related ports to other unknown ports to minimize the case of getting unwanted visitors.
By the way try to read /etc/sysconfig/SuSEfirewall2. The configuration purpose for each line can be read between the (out commented) lines.
Yes, it was in the config.file I saw "ssh 22" mentioned, while the configuring the firewall with YaST did have only the service selection available as far as I could see.
For most common questions you may have a look at this: http://susefaq.sourceforge.net/susefaq.html ! It answers alot of questions.
Thanks for this URL, which I had almost forgotten. Besides, I am also looking in this draft http://sourceforge.net/project/showfiles.php?group_id=42064&package_id=60847 as I haven't found an official SuSE guide for the firewall. Terje
The Sunday 2006-10-15 at 22:00 +0200, Terje J. Hanssen wrote:
Do the "microsoft" and "netbios" entries possibly come from the installation of Samba, although I haven't configured Samba yet?
Perhaps. I would remove them.
Yes, it was in the config.file I saw "ssh 22" mentioned, while the configuring the firewall with YaST did have only the service selection available as far as I could see.
Doesn't matter, use ssh or 22, it is the same.

Cheers, Carlos E. R.
Carlos E. R. wrote:
The Sunday 2006-10-15 at 22:00 +0200, Terje J. Hanssen wrote:
Do the "microsoft" and "netbios" entries possibly come from the installation of Samba, although I haven't configured Samba yet?
Perhaps. I would remove them.

He may need them for the smb client to work. Since he seems to have a workstation in a network mixed with Windows boxes, if any printers or directories were shared from Windows, he would need those opened. If he knows they are not needed, then remove them, as they certainly are not needed for ssh access.

For the OP, the config file in /etc/sysconfig/SuSEfirewall2 is heavily commented, and IMHO is the best documentation for the firewall available. Try looking through this file for reference.

-- Joe Morris Registered Linux user 231871
The Monday 2006-10-16 at 07:29 +0800, Joe Morris (NTM) wrote:
Do the "microsoft" and "netbios" entries possibly come from the installation of Samba, although I haven't configured Samba yet?
Perhaps. I would remove them.
He may need them for the smb client to work. Since he seems to have a workstation in a network mixed with Windows boxes, if any printers or directories were shared from Windows, he would need those opened.
In that case I would use profiles: one for home, another for the office.

Cheers, Carlos E. R.
I'll do an attempt here to deepen and collect the requested information: Joe Morris (NTM) wrote:
He may need them for the smb client to work. Since he seems to have a workstation in a network mixed with Windows boxes, if any printers or directories were shared from Windows, he would need those opened. If he knows they are not needed, then remove them, as they certainly are not needed for ssh access.
Yes, this is the situation. My new Xeon/Linux workstation will replace my old Sparc/Solaris workstation on a SO mixed network of Windows PCs/server and network printers. I have just beforehand mounted shared Windows folders using the Gnome menu to connect to the win2k server (maybe smbclient is still used behind this). My plan is next to set up also a Samba server for file sharing to Windows. Carlos E. R. wrote:
In that case I would use profiles: one for home, another for the office.
On my multiboot home PC, SuseFirewall is undoubtedly required as its connection to the Internet is using a vanilla ADSL router (modem) and DHCP from my ISP. Booting Windows on the same PC, ZoneAlarm has been used correspondingly.

On my office, I'm not quite sure if SuseFirewall really is required on my Linux workstation there, as we have a separate Netscreen router with a built-in firewall to protect our Internet connection (cable modem now, to be replaced with ADSL soon). The router port 22 and ssh service is forwarded now to the Linux workstation. What do you think, is SuseFirewall2 really needed for ssh/NX, though yet, it does of course not harm if I get it to work?

(Just for background information I'll mention that the proprietary Netscreen firewall had Windows-only clients available, and I had to boot Windows on my home PC just to be able to connect using Netscreen/RDP clients to my office Win2k Terminal server. To connect to Solaris I've used SCO TermVision vt420 emulator and a GUI based (tcp) file browser for file transfers. We overcame this by installing OpenVpn on the Win2kTS and by forwarding the actual router port to this server. Now I can also connect from Linux at home to my office Win2kTS using openvpn/tsclient/rdesktop clients, and we also use openvpn clients on laptops.)

The actual additional step now is to get a direct connection from my home PC to my office Linux workstation. I wish to use NX client/server for running full X/Gnome/KDE desktops, corresponding to RDP for the Win2kTS connection. I hope to get this to work also from office to home afterwards.

Richard Ems wrote:
So you connect to the external ip address on your router, say 1.2.3.4 on port 22 and this is forwarded to your linux box.
Yes.
With or without NAT?
Yes, we use NAT on our office network router, and port 22 with ssh, ping and echo in the firewall are forwarded to the private IP for my Linux workstation. I'll double check regarding NAT with my consultant who has configured the router (and previous for openvpn). Connection examples, here using fictive external ip address to our router:
From Windows on my homePC:
D:\>ping 1.2.3.4 ...no response ...request quitted
Microsoft Telnet> open 1.2.3.4 22
Connect to 1.2.3.4 ..... Cannot open connection to server on port 22: Cannot connect

The same happens also booting Linux on my home PC. Tried also with ssh:

terje@dhcppc1:~> ssh -vv 1.2.3.4 22
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.

If I try internally from my office Win2kTS, independent of local or remote RDP logins to it:

C:\> ping ip_linux_ws ....responded ok
C:\> ping hostname_linux_ws ....responded ok
telnet> open ip_linux_ws ....... which responded "SSH-1.99-OpenSSH_4.2" ........I entered Return then "Protocol mismatch"
Are the packets arriving at the Linux box?
Sorry, how do I possibly find out that (log files, tools)?
With ip address 1.2.3.4 or natted?
Same as above?
Did you try to sniff with tcpdump?
How do I verify/check that? (sorry, unknown tool for me) I guess I have to sit locally on my Linux workstation, possibly do a tsclient/rdesktop login to our Win2kTS and send something to the external IP of our router, or? Maybe I can send something directly from the Linux workstation also?
Is routing properly configured on the linux box?
Well, in the YaST network configuration routing part, I entered our private ip_router_ address as standard system gateway. Then the access to the Internet worked ok from the Linux workstation. Besides, I use /etc/hosts and a fixed (private) IP, and have added our domain name and DNS IP there.
What does /sbin/route say?
Output from the route command as follows:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.0         *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         netscreen       0.0.0.0         UG    0      0        0 eth0
Any sshd messages on /var/log/messages?
Sorry, forgot to check that. Carlos E. R. wrote:
How exactly are you testing it? Hardware, software, network setup, both sides.
I think and hope I've managed to explain this above.
I assume there are no tunnels or things involved.
There are no tunnels involved between my home PC and the direct connection to my Linux workstation on my office, using port 22 forwarding from the office router/firewall to the Linux box. (OpenVpn as mentioned is used when connecting to the office Win2k Terminal Server with another port # forwarding.) Rgds, Terje
Terje J. Hanssen wrote:

On my office, I'm not quite sure if SuseFirewall really is required on my Linux workstation there, as we have a separate Netsreen router with a built-in firewall to protect our Internet connection (cable modem now, to be replaced with ADSL soon).

Absolutely required, perhaps not, but suggested, I would. Even if the router's firewall protects you from the Internet, SuSEfirewall2 would protect from the LAN.

The router port 22 and ssh service is forwarded now to the Linux workstation.

Which should work with no problems. I've done that a few times. Since this opens ssh up to the Internet, I would suggest locking it down to only key authentication (not password).
What do you think, is SuseFirewall2 really needed for ssh/NX, though yet, it does of course not harm if I get it to work?
And it is not hard to configure in your situation. Everything in your case is configured on the external interface. You have no internal LAN, no need to forward or NAT, etc. You only need to decide which ports to open, which you have already done.
From Windows on my homePC:
D:\>ping 1.2.3.4 ...no response ...request quitted
Did you allow ping (ICMP) on your firewall? This could and probably is blocked for the external interface on your SuSEfirewall2.
Microsoft Telnet> open 1.2.3.4 22
Connect to 1.2.3.4 ..... Cannot open connection to server on port 22: Cannot connect
Use PuTTY instead of telnet. I think this is because of the program.
The same happens also booting Linux on my home PC. Tried also with ssh:
terje@dhcppc1:~> ssh -vv 1.2.3.4 22
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
Is your username the same on both boxes? You should use

ssh (-X to forward X programs) user@IP

If you want to give a port, it uses the -p option, but since you are using port 22, no need.
If I try internally from my office Win2kTS, independent of local or remote RDP logins to it:
C:\> ping ip_linux_ws ....responded ok
C:\> ping hostname_linux_ws ....responded ok
Then the router is not forwarding the ICMP packets.
Well, in the YaST network configuration routing part, I entered our private ip_router_ address as standard system gateway. Then the access to the Internet worked ok from the Linux workstation. Besides, I use /etc/hosts and a fixed (private) IP, and have added our domain name and DNS IP there.
Doesn't your router do DHCP? This manual config sounds confusing to me. But if you have forwarded port 22 on your router to the IP of your Linux box, sshd is started, and port 22 is open on your ext interface in your firewall, it should work.
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.0         *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         netscreen       0.0.0.0         UG    0      0        0 eth0
This doesn't look right. The gateway should be the IP of your router, not netscreen. BTW, you only need to reply to the security list. We are all subscribed and will get your reply there. -- Joe Morris Registered Linux user 231871
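Joe's suggestion to lock sshd down to key authentication only, as an audit of sshd_config. This is an added example, not code from the thread: it assumes the OpenSSH 4.x defaults for keywords that are absent (password and challenge-response authentication on, public keys on, root login permitted), takes the first occurrence of a keyword as sshd_config(5) does, does not evaluate Match blocks, and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the thread): check an sshd_config for the
# key-authentication-only lock-down Joe recommends before port 22 is
# forwarded from the Internet. Assumptions, labelled here: OpenSSH 4.x
# defaults when a keyword is absent (password and challenge-response
# authentication on, public keys on, root login permitted), first occurrence
# of a keyword wins as in sshd_config(5), and Match blocks are not evaluated.

# Effective value of one keyword (case-insensitive), or the given default.
sshd_get() {   # sshd_get <sshd_config> <Keyword> <default-if-absent>
    v=$(awk -v k="$(echo "$2" | tr A-Z a-z)" '
        tolower($1) == "match" { exit }          # stop before conditional blocks
        tolower($1) == k      { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Print one line per weak setting; return 0 only if logins are key-only.
sshd_audit() {   # sshd_audit <sshd_config>
    f=$1; bad=0
    [ "$(sshd_get "$f" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication should be no"; bad=1; }
    # With UsePAM, keyboard-interactive still asks for a password unless this
    # is off; Terje's log shows exactly such a keyboard-interactive/pam login.
    [ "$(sshd_get "$f" ChallengeResponseAuthentication yes)" = no ] \
        || { echo "ChallengeResponseAuthentication should be no"; bad=1; }
    [ "$(sshd_get "$f" PubkeyAuthentication yes)" = yes ] \
        || { echo "PubkeyAuthentication must stay yes"; bad=1; }
    case $(sshd_get "$f" PermitRootLogin yes) in
        no|without-password) ;;
        *) echo "PermitRootLogin should be no (or without-password)"; bad=1 ;;
    esac
    return $bad
}

# Settings that pass the audit. Put a public key in ~/.ssh/authorized_keys
# for every account that must log in, then restart sshd (rcsshd restart on
# SuSE 10.x), or the lock-down locks you out too.
hardened_config() {
    cat <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}
```

Run sshd_audit against /etc/ssh/sshd_config before and after the change; the "Accepted keyboard-interactive/pam for root" entries in Terje's log are the kind of login the ChallengeResponseAuthentication check is there to close.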
Joe Morris (NTM) wrote:
Doesn't your router do DHCP? This manual config sounds confusing to me.
DHCP is used at home, manual configuration at my office.
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.0         *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         netscreen       0.0.0.0         UG    0      0        0 eth0
This doesn't look right. The gateway should be the IP of your router, not netscreen.
Maybe because netscreen is also defined in /etc/hosts (?) Terje J. Hanssen
The Tuesday 2006-10-17 at 02:13 +0200, Terje J. Hanssen wrote:
DHCP is used at home, manual configuration at my office.
You need two different configurations for several things: one set for home, another set for office. The "profile" setup (in YaST) is designed precisely for that purpose. You choose which one you are going to use, and it automatically swaps in/out the needed configuration files. Changes done when one of the profiles is active are saved, but not necessarily propagated to the other profile. There is a chapter in the SuSE book for that.

Cheers, Carlos E. R.
I'm happy to tell that remote connection to my Linux workstation is now solved. The "problem" was that the Netscreen router itself can be administrated by using ssh, even though it was disabled. As soon as the port number was changed to 2222, the expected traffic went through. That is, my Linux workstation responded immediately as expected on ssh. Thanks to all who spent time and helped me troubleshooting this problem. At the same time I've also got some useful lessons in this subject. Now that standard ssh works, including ssh -X as well, I'm ready to go further with the planned NX client/server, which makes full X desktops usable over Internet connections. Thanks Terje J. Hanssen
The Tuesday 2006-10-17 at 00:37 +0200, Terje J. Hanssen wrote:
Carlos E. R. wrote:
In that case I would use profiles: one for home, another for the office.
On my multiboot home PC, SuseFirewall is undoubtedly required as its connection to the Internet is using a vanilla ADSL router (modem) and DHCP from my ISP. Booting Windows on the same PC, ZoneAlarm has been used correspondingly.
On my office, I'm not quite sure if SuseFirewall really is required on my Linux workstation there, as we have a separate Netscreen router with a built-in firewall to protect our Internet connection (cable modem now,
I would use the firewall anyway, but set up in the internal interface for the office, external at home. The profiles setup (office/home) can handle those changes automatically.
to be replaced with ADSL soon). The router port 22 and ssh service is forwarded now to the Linux workstation. What do you think, is SuseFirewall2 really needed for ssh/NX, though yet, it does of course not harm if I get it to work?
I don't know about "NX". :-?

Cheers, Carlos E. R.
I'm trying to set up and support a Vonage VOIP phone behind a SuSE 10.0 firewall. Outbound calls work fine. Calling in is the problem. As far as I can tell, I need to forward SIP from the outside zone to the internal zone so the Vonage VOIP device (Motorola VT 2142) can set up the call session. The VT 2142 does not have/support an IP address, so I'm not clear on how to route SIP once it transits the FW, or how to broadcast it such that the VT 2142 endpoint establishes the session. I'm also not sure what the security risk of opening up UDP 5060 from the outside -> inside is, so insights there are appreciated. At any rate, I'm just getting into this, so I'm coming up to speed. Any pointers would be appreciated.
Hi, On Friday, 27 October 2006 08:19, dcb@vcomcon.com wrote:
Calling in is the problem. As far as I can tell, I need to forward SIP from the outside zone to the internal zone so the Vonage VOIP device (Motorola VT 2142) can set up the call session. The VT 2142 does not have/support an IP address
Er. I'm sure it does have an address. If it wants to communicate (inbound or outbound) it needs one... If you don't know its address, try to check that with tcpdump/ethereal/whatever while calling outbound.
so I'm not clear on how to route SIP once it transits the FW, or how to broadcast it such that the VT 2142 endpoint establishes the session.
Consider installing a SIP proxy[1] in your environment, possibly on the firewall itself.
I'm also not sure what the security risk of opening up UDP 5060 from the outside to the inside is, so insights there are appreciated.
An open port is a bad port, as long as you don't know _why_ you open it. Security considerations with opening a port depend on your network setup, the environment and more theoretical considerations. Please note that many SIP connections are TCP!
[1] I'd recommend OpenSER (www.openser.org) or SER (www.iptel.org, but OpenSER is better ;)). Asterisk can give you similar functionality, but its primary domain is a different one.
Have a lot of fun... Bastian
-- Bastian Friedrich bastian@bastian-friedrich.de Adress & Fon available on my HP http://www.bastian-friedrich.de/
\ Absence is to love what wind is to fire. It extinguishes the small, \ it enkindles the great.
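Two concrete steps that follow from the reply above, as an added example that is not part of the thread: find the adapter's LAN address (and the provider server it registers with) in a tcpdump capture of an outbound call, then write the SuSEfirewall2 forward rule so that UDP 5060 is admitted from that one server rather than from the whole Internet. The capture lines, the addresses and the LAN prefix are all constructed; the FW_FORWARD_MASQ field order follows the comments in /etc/sysconfig/SuSEfirewall2 of that era and should be checked against your own copy.

```shell
#!/bin/sh
# Added example, not from the thread. Step 1: pick the LAN address of the SIP
# device (and the provider server it talks to) out of a tcpdump capture taken
# during an outbound call. Step 2: turn that into a SuSEfirewall2 forward rule
# that admits UDP 5060 from that server only, instead of from 0/0.
#
# SAMPLE_CAPTURE is constructed to resemble "tcpdump -n -i eth1 udp port 5060";
# every address in it is made up.
SAMPLE_CAPTURE='08:19:01.102 IP 192.168.1.23.5060 > 198.51.100.7.5060: SIP, length: 612
08:19:01.140 IP 198.51.100.7.5060 > 192.168.1.23.5060: SIP, length: 488
08:19:01.155 IP 192.168.1.23.5060 > 198.51.100.7.5060: SIP, length: 790
08:19:03.002 IP 192.168.1.9.51202 > 192.168.1.1.53: 1234+ A? example.net. (29)'

# Print "<lan ip> <remote ip>" for the first UDP/5060 packet that leaves the LAN.
# The LAN prefix (default 192.168.1.) is an assumption; pass your own as $1.
sip_endpoints() {
    lan="${1:-192.168.1.}"
    printf '%s\n' "$SAMPLE_CAPTURE" | awk -v lan="$lan" '
        $2 == "IP" && index($3, lan) == 1 && $3 ~ "\\.5060$" {
            src = $3; sub(/\.[0-9]+$/, "", src)             # drop ".port"
            dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)
            print src, dst
            exit
        }'
}

# Emit the FW_FORWARD_MASQ entry for /etc/sysconfig/SuSEfirewall2. The field
# order "<source net>,<forward-to ip>,<protocol>,<dport>" follows the comments
# in that file on 10.x; verify against your copy. A /32 source is the point:
# with 0/0 anyone on the Internet could reach the adapter's SIP stack.
forward_rule() {
    set -- $(sip_endpoints "$1")
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "no outbound SIP flow in capture" >&2
        return 1
    fi
    printf 'FW_FORWARD_MASQ="%s/32,%s,udp,5060"\n' "$2" "$1"
}

forward_rule
```

The file's own comments state that FW_FORWARD_MASQ only takes effect with FW_ROUTE="yes" and FW_MASQUERADE="yes". This rule covers SIP signalling on UDP 5060 only; as the reply notes, SIP may also use TCP, and whatever the adapter needs for the media streams is a separate question. Putting a SIP proxy on the firewall, as suggested above, means the proxy rather than the phone adapter is what faces the outside.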
Terje J. Hanssen wrote:
It's not used as a router. I have a separate Netscreen router with proprietary firewall. Port 22 of this router is forwarded to my Linux box.
So you connect to the external ip address on your router, say 1.2.3.4 on port 22 and this is forwarded to your linux box. With or without NAT? Are the packets arriving at the Linux box? With ip address 1.2.3.4 or natted? Did you try to sniff with tcpdump? Is routing properly configured on the linux box? What does /sbin/route say? Any sshd messages in /var/log/messages? Regards, Richard
Richard Ems skrev:
Any sshd messages in /var/log/messages?
# cat /var/log/messages | grep sshd
Oct 13 10:52:23 alfa sshd[3736]: Received signal 15; terminating.
Oct 13 11:28:58 alfa sshd[3728]: Server listening on :: port 22.
Oct 13 15:00:52 alfa sshd[3728]: Received signal 15; terminating.
Oct 13 15:14:51 alfa sshd[3473]: Server listening on :: port 22.
Oct 15 20:01:49 alfa sshd[12859]: Bad protocol version identification '' from ip_tetra
Oct 15 20:08:44 alfa sshd[12860]: Bad protocol version identification '' from ip_tetra
Oct 15 20:10:36 alfa sshd[12861]: Bad protocol version identification 'close' from ip_tetra
Oct 15 20:12:32 alfa sshd[12862]: Bad protocol version identification '' from ip_tetra
Oct 16 10:22:06 alfa sshd[15612]: error: PAM: Authentication failure for root from localhost
Oct 16 10:22:11 alfa sshd[15612]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 7716 ssh2
Oct 16 10:24:06 alfa sshd[15646]: Accepted keyboard-interactive/pam for terje from 127.0.0.1 port 7717 ssh2
My comments:
"alfa" is here the hostname of my Linux workstation; "ip_tetra" is replaced by me instead of the internal ip of Win2kTS.
"Bad protocol" looks to be when testing with telnet from Win2kTS.
Don't see any signs from my attempts using my remote home PC.
Rgds, Terje
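Reading the sshd lines above by hand works for a dozen of them; the following is an added example (not from the thread) of doing the same triage with awk, sorting sshd events into banner probes (telnet and the like), authentication failures and accepted logins per source, and then asking the two questions that matter here: did anything succeed from a non-loopback address, and has root been logging in over ssh. The sample log is constructed from the lines Terje posted, keeping his "ip_tetra" placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: triage of sshd lines from /var/log/messages.
# SAMPLE_LOG is constructed from the lines Terje posted; "ip_tetra" is the
# placeholder he used for the Windows terminal server's internal address.
SAMPLE_LOG=$(cat <<'EOF'
Oct 13 11:28:58 alfa sshd[3728]: Server listening on :: port 22.
Oct 15 20:01:49 alfa sshd[12859]: Bad protocol version identification '' from ip_tetra
Oct 15 20:10:36 alfa sshd[12861]: Bad protocol version identification 'close' from ip_tetra
Oct 16 10:22:06 alfa sshd[15612]: error: PAM: Authentication failure for root from localhost
Oct 16 10:22:11 alfa sshd[15612]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 7716 ssh2
Oct 16 10:24:06 alfa sshd[15646]: Accepted keyboard-interactive/pam for terje from 127.0.0.1 port 7717 ssh2
EOF
)

# One line per (class, source): "<class> <source> <count>", sorted.
#   probe    - something reached port 22 but did not speak SSH (telnet does this)
#   authfail - a real SSH client got as far as authentication and failed
#   accepted - a login succeeded
sshd_triage() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /Bad protocol version identification/ { n["probe " $NF]++ }
        /Authentication failure for/          { n["authfail " $NF]++ }
        /Accepted .* for / {
            for (i = 1; i <= NF; i++) if ($i == "from") n["accepted " $(i+1)]++
        }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Successful logins from anywhere but the box itself. A remote test that works
# shows up here; an empty result means the packets never reached sshd, which
# is what Terje's log says and what points back at the router.
remote_accepted() {
    sshd_triage | awk '$1 == "accepted" && $2 != "127.0.0.1" && $2 != "::1" && $2 != "localhost"'
}

# Number of root logins accepted over ssh, whatever the source.
root_accepted() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'Accepted .* for root from'
}

sshd_triage
```

Run against the real file with `grep sshd /var/log/messages` in place of the constructed sample. The log also shows root being accepted over ssh (from localhost here); once port 22 is reachable from the Internet, that is worth revisiting (PermitRootLogin in sshd_config).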
I would suggest you to use tcpdump and sniff on the NIC to see if ssh packets are arriving at all at your workstation. tcpdump -i eth0 port ssh will write to the console all ssh packets seen on eth0. Or if you like GUIs try ethereal. See "man tcpdump". Regards, Richard
Richard Ems wrote:
I would suggest you to use tcpdump and sniff on the NIC to see if ssh packets are arriving at all at your workstation.
tcpdump -i eth0 port ssh
will write to the console all ssh packets seen on eth0. Or if you like GUIs try ethereal.
See "man tcpdump".
First, after entering the above command on the local host (alfa, Linux), is it possible to connect back again to the local host using ssh through the router's (Netscreen) external ip address, i.e. something similar to ssh 1.2.3.4 22, or possibly log this using another command? Isn't there any log file from/for SuSEfirewall2 that tells if and which communication attempts (type) have occurred or have been rejected? Or is this only logged for each service type, like already mentioned for ssh in /var/log/messages? Rgds, Terje
Terje J. Hanssen wrote:
First, after entering the above command on the local host (alfa, Linux), is it possible to connect back again to the local host using ssh through the router's (Netscreen) external ip address, i.e. something similar to
ssh 1.2.3.4 22
man ssh. Your syntax may work for telnet, but not ssh. If you are specifying the port, use -p. Since the default is 22, there is no need to specify it. Your syntax may be causing you problems. -- Joe Morris Registered Linux user 231871
Joe Morris (NTM) wrote:
Terje J. Hanssen wrote:
First, after entering the above command on the local host (alfa, Linux), is it possible to connect back again to the local host using ssh through the router's (Netscreen) external ip address, i.e. something similar to
ssh 1.2.3.4 22
man ssh. Your syntax may work for telnet, but not ssh. If you are specifying the port, use -p. Since the default is 22, there is no need to specify it. Your syntax may be causing you problems.
This topic is solved as already posted; the problem was the router's firewall port forwarding. When that first worked, I also got command error and found out that the right syntax was "ssh 1.2.3.4" ;) Terje
Terje J. Hanssen wrote:
Richard Ems wrote:
I would suggest you to use tcpdump and sniff on the NIC to see if ssh packets are arriving at all at your workstation.
tcpdump -i eth0 port ssh
will write to the console all ssh packets seen on eth0. Or if you like GUIs try ethereal.
See "man tcpdump".
First, after entering the above command on the local host (alfa, Linux), is it possible to connect back again to the local host using ssh through the router's (Netscreen) external ip address, i.e. something similar to
ssh 1.2.3.4 22
Sure, tcpdump just shows you the tcp/udp packets arriving at the selected interface; it doesn't block or stop anything. If ssh works, it will work with and without tcpdump running! Again, READ the manual page!
or possibly log this using another command?
Isn't there any log file from/for SuSEfirewall2 that tells if and which communication attempts (type) have occurred or have been rejected? Or is this only logged for each service type, like already mentioned for ssh in /var/log/messages?
Yes, but using tcpdump is the way to go! Try it! See parameters FW_LOG_[AD]* in /etc/sysconfig/SuSEfirewall2. Setting the firewall to log all packets will create really big logfiles!
# grep -B10 "^FW_LOG_[AD]" /etc/sysconfig/SuSEfirewall2
#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also set the log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", if not set FW_LOG_*_CRIT defaults to "yes", and
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DROP_CRIT="yes"
## Type: yesno
## Default: no
#
FW_LOG_DROP_ALL="no"
## Type: yesno
## Default: yes
#
FW_LOG_ACCEPT_CRIT="yes"
## Type: yesno
## Default: no
#
FW_LOG_ACCEPT_ALL="no"
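Once FW_LOG_* is switched on, the answer to "did the packet arrive, and what did the firewall do with it" is in /var/log/messages next to the sshd lines. The following is an added example, not from the thread, that summarises such lines per verdict, port and source. The sample lines are constructed: the "SFW2-<zone>-<verdict>-<rule>" prefix and the iptables LOG fields are modelled on what SuSEfirewall2 of that era writes, so check the exact prefix on your own system; the addresses and MACs are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what SuSEfirewall2 itself logged.
# SAMPLE_FWLOG is constructed; the "SFW2-<zone>-<verdict>-<rule>" prefix and the
# iptables LOG fields are modelled on what SuSEfirewall2 writes to
# /var/log/messages (check the exact prefix on your system). Addresses are made up.
SAMPLE_FWLOG=$(cat <<'EOF'
Oct 16 21:03:11 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:13:46:9e:8f:10:08:00 SRC=203.0.113.45 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10873 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 16 21:03:15 alfa kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:13:46:9e:8f:10:08:00 SRC=203.0.113.45 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10874 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 16 21:04:02 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:13:46:9e:8f:10:08:00 SRC=198.51.100.9 DST=192.168.1.5 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=5021 PROTO=UDP SPT=1026 DPT=137 LEN=58
Oct 16 21:04:30 alfa sshd[15700]: Server listening on :: port 22.
EOF
)

# "<verdict> <proto>/<dport> <src> <count>", sorted. DROP lines tell you the
# packet reached the box and the firewall refused it; ACC lines tell you it was
# let through, so any remaining problem is further up the stack (sshd itself).
fw_summary() {
    printf '%s\n' "$SAMPLE_FWLOG" | awk '
        /kernel: SFW2-/ {
            tag = src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SFW2-/)  tag   = $i
                else if ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            split(tag, t, "-")                   # SFW2 / zone / verdict / rule
            n[t[3] " " proto "/" dpt " " src]++
        }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Sources whose connection attempts to TCP/22 were dropped, with counts.
dropped_ssh() {
    fw_summary | awk '$1 == "DROP" && $2 == "tcp/22" { print $3, $4 }'
}

fw_summary
```

Two things to read off the SRC field: if the router rewrites the source address when it forwards port 22, SRC will be the router's LAN address rather than the remote client's, which answers Richard's "natted?" question; and if no line at all appears for a test connection, the packet never got past the router. Which drops are logged depends on the FW_LOG_DROP_* settings quoted above; flipping FW_LOG_DROP_ALL to "yes" for the duration of a test (followed by rcSuSEfirewall2 restart) and back afterwards keeps the log size warning in mind.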
participants (9)
- Bastian Friedrich
- Carlos E. R.
- dcb@vcomcon.com
- Joe Morris (NTM)
- Jürgen Mell
- Philippe Vogel
- Richard Ems
- Terje J. Hanssen
- Terje J. Hanssen