[ale] Grumbling Firewall Question

Ben Coleman oloryn at benshome.net
Thu Jan 25 16:39:10 EST 2001


On Thu, 25 Jan 2001 14:43:24 -0500 (EST), John Mills wrote:

>Situation: I open an 'ssh' to a remote host with no problem; the remote
>replies with a confirming packet which I deny, and log. Each time more is
>sent to the remote, its confirmation is denied, and logged.

Not quite.  If you were really denying the ack packet, ssh wouldn't
work.

<snip!>
>If I read the log correctly (just guessing, really), I think my rule #34
>is denying a sequence of 'udp' packets (proto=17?) sent to sequential
>ports at my firewall/router, which are being forwarded to my port 162.

Not quite.  Let's take a look at one:

>Jan 14 04:06:20 otter kernel: Packet log: input DENY eth0 PROTO=17
>ROUTER_IP:4079 MY_HOST_IP:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34) 

Note that the source address is your router.  This packet is coming
from your router, not from the remote ssh client system.

/etc/services shows port 162 to be for SNMP traps.  Evidently, your
router is triggering a trap with each ssh packet, and sending a trap
message to your firewall (which the router must have configured as a
management console to report traps to).  If you have SNMP management
software on your firewall, looks like you at least need to open
up incoming packets from the router to port 162.  In any case, you
probably will want to check the configuration of your router to find
out why it's triggering a trap for outgoing ssh packets, and tweak it
or turn it off.

Ben
-- 
Ben Coleman oloryn at benshome.net      | The attempt to legislatively
http://oloryn.home.mindspring.com/   | micromanage equality results, at
Amateur Radio NJ8J                   | best, in equal misery for all.
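
The reading of the log line walked through above, as an added example that is not part of the original post: a small Python parser for ipchains "Packet log" entries that names the protocol and destination service and tallies denied packets by source. The sample lines are constructed, with 192.0.2.1 and 192.0.2.10 standing in for ROUTER_IP and MY_HOST_IP; the function names and the inline service table are this example's own.

```python
import re
from collections import Counter

# Field layout of a Linux 2.2 ipchains "Packet log" entry, as in the quoted line:
# chain ACTION iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) L=(?P<length>\d+) S=\S+ I=\d+ "
    r"F=\S+ T=(?P<ttl>\d+)(?: SYN)?(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IP protocol numbers
# Small inline subset of /etc/services so the example runs offline.
SERVICES = {("tcp", 22): "ssh", ("udp", 161): "snmp", ("udp", 162): "snmptrap"}

# Constructed sample input: 192.0.2.1 stands in for ROUTER_IP and
# 192.0.2.10 for MY_HOST_IP; the last line is unrelated syslog noise.
SAMPLE = [
    "Jan 14 04:06:20 otter kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.1:4079 192.0.2.10:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)",
    "Jan 14 04:06:21 otter kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.1:4080 192.0.2.10:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)",
    "Jan 14 04:06:23 otter kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.1:4081 192.0.2.10:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)",
    "Jan 14 04:06:24 otter kernel: eth0: link status ok",
]

def parse_line(line):
    """Return the fields of one ipchains log entry, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["service"] = SERVICES.get((rec["proto_name"], rec["dport"]), "unknown")
    return rec

def summarize(lines):
    """Count denied packets per (source address, protocol, destination service)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] in ("DENY", "REJECT"):
            counts[(rec["src"], rec["proto_name"], rec["service"])] += 1
    return counts

if __name__ == "__main__":
    for (src, proto, service), n in summarize(SAMPLE).items():
        print(f"{n} denied {proto} packet(s) from {src} to {service}")
```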

