SSH connection hangs with ipchains/RH6.2/OpenSSH 2.5.1p1 (but not <= 2.3.0p1)
Troy Carter
tcarter at princeton.edu
Thu Feb 22 14:53:10 EST 2001
I figured this out -- looks like 2.5.1p1 is now using ports < 1024 on
the client side (wasn't before?). I had an ipchains rule to allow ACK
packets to 1024:65535, which was good enough for <= 2.3.0p1:
#allow only ACK tcp packets
ipchains -A input -j ACCEPT -i eth0 -s any/0 --dport 1024:65535 -p tcp ! -y
So I added the following:
#allow return from ssh connections
ipchains -A input -j ACCEPT -i eth0 -s any/0 22 -p tcp ! -y
Now everything is fine. I even see the config file option to switch
back to using non-privileged ports. What was the reason for switching
to privileged by default in 2.5.1p1?
-Troy
Jason Stone wrote:
>
> > I just recently installed OpenSSH 2.5.1p1 on a RH6.2 box (kernel
> > 2.2.17). I run ipchains to do packet filtering, allowing incoming
> > connections only to 22 and 80 (and some other ports for specific
> > machines).
>
> Strange. Add a logging rule to your ipchains setup to see all the deny
> packets.
>
> If it was working with prior versions, then I imagine you already know
> this, but make sure to have a rule allowing the return packets.
>
> -Jason
>
> ---------------------------
> If the Revolution comes to grief, it will be because you and those you
> lead have become alarmed at your own brutality. --John Gardner
--
Troy Carter
tcarter at princeton.edu
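To see why the original rule stopped matching once the client used a source port below 1024, here is a small model of the two ipchains rules from the message above, written as an added example (not code from the list post). The `-y` semantics follow ipchains (SYN set, ACK and FIN clear); the packets and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

@dataclass(frozen=True)
class Rule:
    """One ipchains input-chain rule; a None field means 'match anything'."""
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    not_syn: bool = False  # the '! -y' flag: refuse connection-opening SYNs

    def matches(self, p: Packet) -> bool:
        syn_only = p.syn and not p.ack and not p.fin  # what ipchains '-y' matches
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (not self.not_syn or not syn_only))

def verdict(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# Rule 1: 'ipchains -A input -j ACCEPT -i eth0 -s any/0 --dport 1024:65535 -p tcp ! -y'
OLD_CHAIN = [Rule("ACCEPT", iface="eth0", proto="tcp", dport=range(1024, 65536), not_syn=True)]
# Rule 2: 'ipchains -A input -j ACCEPT -i eth0 -s any/0 22 -p tcp ! -y'
NEW_CHAIN = OLD_CHAIN + [Rule("ACCEPT", iface="eth0", proto="tcp", sport=range(22, 23), not_syn=True)]

# Constructed traffic: the server's SYN/ACK coming back to the client
REPLY_EPHEMERAL = Packet("eth0", "tcp", 22, 40000, syn=True, ack=True)  # older client, port >= 1024
REPLY_PRIV = Packet("eth0", "tcp", 22, 1022, syn=True, ack=True)        # 2.5.1p1 client, port < 1024
PROBE_PRIV = Packet("eth0", "tcp", 22, 1022, syn=True)                  # inbound SYN, still refused
```

Note that rule 2 only checks the remote source port, which any sender chooses, so with stateless filtering it admits non-SYN packets from source port 22 to every local port; that is the trade-off the message's workaround accepts.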