| gabriel rosenkoetter on Wed, 3 Apr 2002 19:00:16 +0200 |
|
On Wed, Apr 03, 2002 at 11:41:37AM -0500, eric@lucii.org wrote: > So, I tell e-smith to forward port NNNN to port 22 (for ssh) > on the server. So far so good. That's all well and good, but that only gets you the listener, not the forked off sshd that actually communicates with the client on a higer port number. Stop blocking ports >1024. > ssh -l username -p NNNN IP.IP.IP.IP [...] > I get no response. The client just "hangs" until interrupted by > ctrl-C. If I try to telnet to it this happens: Yep, because the client's connected with the listening sshd at port 22, which has spawned off another sshd on a higher (>1024) port number and redirected the client to that port, but your firewall's not letting that communication happen. (No, you can't write a rule in your firewall to map these ports, the decision is made on the fly by the listening sshd. You'd have to teach sshd how to talk to the firewall and update its port forwarding table if you wanted only the ports necessary open on the fly. That's non-trivial.) > telnet IP.IP.IP.IP NNNN > Trying IP.IP.IP.IP... > Connected to thedomain.dnsalias.com. > Escape character is '^]'. > SSH-1.99-OpenSSH_2.9p2 > > Then it "hangs" and must be interrupted. ... which is all a listening sshd ever does when you telnet to it. You're expected to reply with a version string of your own, then you receive the server public key and compare it with your cached version (if you have one). But doing that by hand is less than fun, obviously. > I can post the /etc/rc.d/init.d/masq file if that helps anyone. Wouldn't help me, since I'm not familiar with the details of the firewall, but maybe the general what-to-do advice above will help you. -- gabriel rosenkoetter gr@eclipsed.net Attachment:
pgpuxch1tjqLI.pgp
|
|