On 7/31/2014 12:13 AM, Roger Oberholtzer wrote:
If I ask them to open all ports at their end, I can log in just fine. I am, once again, confused. Any ideas? They do not want to keep the firewall for this machine open too long.
This firewall... I presume it does in fact send port 22 to the 11.2 Linux box? (That is, when they open up all ports you do indeed access the correct machine?) Does it also do any form of egress filtering?

As far as I know, all parts of ssh traverse port 22 only. Once you get a connection, all traffic should flow over port 22 (it's encrypted upon connection, even before your password is transmitted).

Have them turn off the firewall so you can check for these lines in the /etc/ssh/sshd_config of the 11.2 box:

    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost yes

Without that, it might try to put X out over the wire rather than in the ssh tunnel, and if the firewall box was egress filtering against that, that might cause the behavior you see.

Also, old sshd_configs used to have

    AddressFamily any

set explicitly or as the default. But later versions need to have

    AddressFamily inet

and if you don't have that, ssh sessions try to wander off into ipv6 land. Maybe that is what the firewall is complaining about.

Also type (again, after connecting with the firewall disabled)

    set

and see if you see

    DISPLAY=localhost:10.0

Then type:

    netstat -anp

Then look in the "Active Internet connections (servers and established)" list for any connections between the 11.2 box and the 10.0 box (by comparing IPs and ports). You should typically have only ONE such connection, something like this:

    Proto Recv-Q Send-Q Local Address     Foreign Address       State        PID/Program name
    tcp        0     68 192.168.2.1:22    192.168.2.213:59742   ESTABLISHED  14086/sshd: jsa

(192.168.2.1 would be replaced by the IP of your 11.2 box.)

Any more than one connection between your machine and the 11.2 machine might be what the firewall is blocking. (It's unusual for firewalls to block outbound ports, but some places set up egress filtering to prevent clever users from end-running their security.)

--
_____________________________________
---This space for rent---
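
The sshd_config and netstat checks described in the message above, as an added example that is not part of the original post. The function names (sshd_directive, audit_sshd, peer_conns) are hypothetical; it assumes a POSIX shell with awk and the netstat column layout shown in the message.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Print the global value of an sshd_config keyword (lower-cased), or nothing
# if unset. Keywords are case-insensitive and the first value read wins.
sshd_directive() {  # usage: sshd_directive FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }         # accept "Keyword=value" too
        tolower($1) == "match" { exit }       # Match blocks are not global
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Compare the four settings named in the message; return 1 if any differ.
audit_sshd() {  # usage: audit_sshd FILE
    rc=0
    for want in X11Forwarding=yes X11DisplayOffset=10 X11UseLocalhost=yes \
                AddressFamily=inet; do
        key=${want%%=*}; val=${want#*=}
        got=$(sshd_directive "$1" "$key")
        if [ "$got" = "$val" ]; then
            echo "ok    $key $got"
        else
            echo "CHECK $key is '${got:-unset}', message suggests '$val'"
            rc=1
        fi
    done
    return "$rc"
}

# Read `netstat -an` (or -anp) output on stdin and print
# "LOCAL_PORT FOREIGN_PORT" for each ESTABLISHED TCP connection with PEER_IP.
peer_conns() {  # usage: netstat -an | peer_conns PEER_IP
    awk -v peer="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            fip = $5; sub(/:[^:]*$/, "", fip); sub(/^::ffff:/, "", fip)
            if (fip != peer) next
            lp = $4; sub(/.*:/, "", lp)
            fp = $5; sub(/.*:/, "", fp)
            print lp, fp
        }'
}
```

On the 11.2 box, `audit_sshd /etc/ssh/sshd_config` and `netstat -an | peer_conns <client IP>` give the two answers; more than one line from peer_conns, or a local port other than 22, is the extra traffic the message describes.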