I am trying to configure my firewall to accept remote SSH logins, but it will not.

Configuration: Linux server (combination internet gateway, router, and primary workstation) running SuSE 9.0 (brand new install; replaced RedHat 8.0 a week ago, where this problem did not exist). Windows 2000 laptop (my employer's), and Windows XP laptop (my wife's). All internal LAN access is fine, SMB file and printer sharing works, workstations can all get out to the internet, no problems there. But when I try to come in from the internet and open an SSH session with the firewall up, it will not connect. When I try with the "SuSEfirewall test" command, it goes through okay (so I know sshd is running correctly).

Here's my /etc/sysconfig/SuSEfirewall2, with all the comments and blank lines stripped, my comments added:

FW_QUICKMODE="no"
FW_DEV_EXT="ppp0" # I use DSL
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh http 5800:5805" # 580x, 590x: VNC
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh domain netbios-ssn" # netbios-ssn for SAMBA
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
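As an added example (not code from this thread, and not part of SuSEfirewall2 itself), the POSIX sh script below reads a /etc/sysconfig/SuSEfirewall2-style file and answers the questions a reader of the config above would ask: which interface is external, which TCP services that interface exposes, whether FW_MASQ_DEV really resolves to it, and whether dropped packets will show up in syslog at all. The sample file is constructed inline from the settings posted above; the function names (fw_get, fw_resolve, fw_service_open, fw_drop_logging) are this example's own.

```shell
#!/bin/sh
# Added example: parse a SuSEfirewall2-style sysconfig file. Lines have the
# shape KEY="value" with an optional trailing "# comment" (exactly the form
# Daryl posted). Not SuSEfirewall2's own code.

# Constructed sample config, taken from the settings in the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
FW_DEV_EXT="ppp0" # I use DSL
FW_DEV_INT="eth1"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_SERVICES_EXT_TCP="ssh http 5800:5805" # 580x, 590x: VNC
FW_SERVICES_INT_TCP="ssh domain netbios-ssn" # netbios-ssn for SAMBA
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
EOF

# fw_get FILE KEY: value of KEY with the quotes and any trailing comment
# stripped. The last assignment wins, as it would when the shell sources
# the file.
fw_get() {
    awk -F= -v k="$2" '$1 == k {
        v = $0
        sub(/^[^=]*="/, "", v)   # drop KEY="
        sub(/".*$/, "", v)       # drop the closing quote and any comment
        print v
    }' "$1" | tail -n 1
}

# fw_resolve FILE KEY: like fw_get, but follows one "$OTHER_KEY" reference,
# the idiom SuSEfirewall2 uses in FW_MASQ_DEV="$FW_DEV_EXT".
fw_resolve() {
    v=$(fw_get "$1" "$2")
    case "$v" in
        \$*) fw_get "$1" "${v#\$}" ;;
        *)   printf '%s\n' "$v" ;;
    esac
}

# fw_service_open FILE ZONE SERVICE: exit 0 if SERVICE (a name or a port
# range, matched as a whole word) is listed in FW_SERVICES_<ZONE>_TCP.
fw_service_open() {
    list=$(fw_get "$1" "FW_SERVICES_${2}_TCP")
    case " $list " in
        *" $3 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fw_drop_logging FILE: "all", "critical-only" or "none". With
# FW_LOG_DROP_ALL="no" most dropped packets never reach syslog, which is
# why a failing connection can leave no trace to debug from.
fw_drop_logging() {
    if [ "$(fw_get "$1" FW_LOG_DROP_ALL)" = yes ]; then
        echo all
    elif [ "$(fw_get "$1" FW_LOG_DROP_CRIT)" = yes ]; then
        echo critical-only
    else
        echo none
    fi
}

# Report for the constructed config.
echo "external/masquerading interface: $(fw_resolve "$SAMPLE_CONF" FW_MASQ_DEV)"
echo "TCP services open on EXT: $(fw_get "$SAMPLE_CONF" FW_SERVICES_EXT_TCP)"
echo "drop logging: $(fw_drop_logging "$SAMPLE_CONF")"
fw_service_open "$SAMPLE_CONF" EXT ssh && echo "ssh is allowed in on the EXT interface"
```

Point the functions at the real /etc/sysconfig/SuSEfirewall2 instead of $SAMPLE_CONF to check a live box; fw_get deliberately does not source the file, so a config with unexpected shell syntax in it cannot execute anything.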
I have temporarily worked around my problem by reinstating the script (not SuSEfirewall2) that worked for me before installing SuSE. It may not be as encompassing (for example, it allows SSH connections on the internet interface from a workstation inside the firewall). But it will get me "over the hump" until a more elegant solution presents itself.

Thanks for all the attempts to help.

Daryl

On Fri, 2003-12-12 at 07:27, Daryl Lee wrote:
/ 2003-12-13 00:13:47 -0500 \ Daryl Lee:
> I have temporarily worked around my problem by reinstating the script (not SuSEfirewall2) that worked for me before installing SuSE. It may not be as encompassing (for example, it allows SSH connections on the internet interface from a workstation inside the firewall). But it will get me "over the hump" until a more elegant solution presents itself.
>
> Thanks for all the attempts to help.
Try to get more logging information, then you should see what is dropped in the syslog:

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"       <<-- set this to yes
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"     <<-- maybe even this, too
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

Then check which rule that might be:

iptables -vnL | less -S

and find the conf option that causes the rule...

Lars Ellenberg
All is well, finally, thanks to so many for jumping in to help a fellow struggler. Especially to Mario Nubert who, in a private email exchange, caught the fact that I was TESTING the thing all wrong! SuSEfirewall2, unlike that OTHER firewall I was using, protects against spoofed IP addresses. Since I was testing access from a workstation INSIDE the firewall, going to the OUTSIDE address, that was the rule being enforced. So I was configured right all along, just didn't know how to test it.

Daryl

On Sat, 2003-12-13 at 00:13, Daryl Lee wrote:
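Two things in this thread go together: Lars's advice to set FW_LOG_DROP_ALL="yes" and read the SuSE-FW lines out of syslog, and Daryl's finding that the dropped connection was his own LAN workstation talking to the firewall's outside address. The script below is an added example (not from the thread, not SuSEfirewall2 code) that summarises such log lines per dropped flow and flags that specific inside-to-outside-address pattern. Its assumptions: the log lines are constructed in the kernel's iptables LOG format, the "SuSE-FW-DROP" prefix, the host name "gw", the addresses (203.0.113.7 standing in for the ppp0 address, 192.168.1.0/24 for the LAN, 198.51.100.9 for an internet host) and the function names are all invented for the example.

```shell
#!/bin/sh
# Added example: summarise SuSEfirewall2 drop lines from syslog so the
# dropped flow (and from there the rule, via iptables -vnL) can be found.
# Not code from the thread or from SuSEfirewall2.

# Constructed sample of /var/log/messages. Three SYNs from a LAN host to
# the firewall's own external address on port 22, one telnet probe from the
# internet, and one unrelated sshd line that must be ignored.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 13 00:10:01 gw kernel: SuSE-FW-DROP IN=eth1 OUT= SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=3321 DPT=22 SYN
Dec 13 00:10:04 gw kernel: SuSE-FW-DROP IN=eth1 OUT= SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=3321 DPT=22 SYN
Dec 13 00:10:10 gw kernel: SuSE-FW-DROP IN=eth1 OUT= SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=3321 DPT=22 SYN
Dec 13 00:11:30 gw kernel: SuSE-FW-DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=48 TTL=110 PROTO=TCP SPT=4432 DPT=23 SYN
Dec 13 00:12:00 gw sshd[1234]: Accepted publickey for daryl from 192.168.1.20 port 3400 ssh2
EOF

# fw_drop_summary LOGFILE: one line per distinct dropped flow, in the form
# "<count> <in-iface> <src> <dst> <proto>/<dport>", most frequent first.
# Only lines carrying the SuSE-FW log prefix are considered.
fw_drop_summary() {
    grep 'SuSE-FW' "$1" | awk '{
        inif = src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "IN") inif = val
            else if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        flow = inif " " src " " dst " " proto "/" dpt
        count[flow]++
    } END { for (f in count) print count[f], f }' | sort -rn
}

# fw_inside_to_outside LOGFILE INT_IF EXT_ADDR: the subset of dropped flows
# that arrived on the internal interface but were addressed to the
# firewall's external address. That is the situation Daryl describes in
# his last message: a LAN host "testing" the internet-side address is
# refused by SuSEfirewall2, and tells you nothing about access from the
# real internet. Test from outside instead.
fw_inside_to_outside() {
    fw_drop_summary "$1" | awk -v i="$2" -v a="$3" '$2 == i && $4 == a'
}

echo "dropped flows:"
fw_drop_summary "$SAMPLE_LOG"
echo
echo "LAN-to-external-address drops (these are not a test of remote SSH access):"
fw_inside_to_outside "$SAMPLE_LOG" eth1 203.0.113.7
```

On a live system replace $SAMPLE_LOG with the syslog file SuSE-FW lines land in (the thread does not say which one), and pass the values of FW_DEV_INT and the current ppp0 address as the last two arguments; a non-empty result from fw_inside_to_outside means the "failed" test was run from the wrong side of the firewall.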