>>> On 1/12/2003 at 3:56 AM, Giacomo Fazio <Giacomo.Fazio IFC.INAF.IT> wrote:
> Here is the output if I give ssh -p 28 from the firewall:
>
>
> [Expert fw1]# fw monitor | grep '192.167.38.1'
> monitor: getting filter (from command line)
> monitor: compiling
> monitorfilter:
> Compiled OK.
> monitor: loading
>
> Warning: External Interface 'eth0' was not found.
>
> monitor: monitoring (control-C to stop)
> eth0:o[52]: 194.119.212.2 -> 192.167.38.1 (TCP) len=52 id=43693
> eth0:O[52]: 194.119.212.2 -> 192.167.38.1 (TCP) len=52 id=43693
> eth0:i[52]: 192.167.38.1 -> 194.119.212.2 (TCP) len=52 id=0
> eth0:I[52]: 192.167.38.1 -> 194.119.212.2 (TCP) len=52 id=0
> eth0:o[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43694
> eth0:O[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43694
> eth0:i[60]: 192.167.38.1 -> 194.119.212.2 (TCP) len=60 id=3072
> eth0:I[60]: 192.167.38.1 -> 194.119.212.2 (TCP) len=60 id=3072
> eth0:o[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43695
> eth0:O[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43695
> eth0:o[64]: 194.119.212.2 -> 192.167.38.1 (TCP) len=64 id=43696
> eth0:O[64]: 194.119.212.2 -> 192.167.38.1 (TCP) len=64 id=43696
> eth0:i[40]: 192.167.38.1 -> 194.119.212.2 (TCP) len=40 id=3073
> eth0:I[40]: 192.167.38.1 -> 194.119.212.2 (TCP) len=40 id=3073
> eth0:o[584]: 194.119.212.2 -> 192.167.38.1 (TCP) len=584 id=43697
> eth0:O[584]: 194.119.212.2 -> 192.167.38.1 (TCP) len=584 id=43697
> eth0:i[744]: 192.167.38.1 -> 194.119.212.2 (TCP) len=744 id=3074
> eth0:I[744]: 192.167.38.1 -> 194.119.212.2 (TCP) len=744 id=3074
> eth0:o[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43698
> eth0:O[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43698
> eth0:i[40]: 192.167.38.1 -> 194.119.212.2 (TCP) len=40 id=3075
> eth0:I[40]: 192.167.38.1 -> 194.119.212.2 (TCP) len=40 id=3075
> eth0:o[64]: 194.119.212.2 -> 192.167.38.1 (TCP) len=64 id=43699
> eth0:O[64]: 194.119.212.2 -> 192.167.38.1 (TCP) len=64 id=43699
> eth0:i[320]: 192.167.38.1 -> 194.119.212.2 (TCP) len=320 id=3076
> eth0:I[320]: 192.167.38.1 -> 194.119.212.2 (TCP) len=320 id=3076
> eth0:o[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43700
> eth0:O[40]: 194.119.212.2 -> 192.167.38.1 (TCP) len=40 id=43700
> eth0:o[312]: 194.119.212.2 -> 192.167.38.1 (TCP) len=312 id=43701
Well, the reason why it works from the firewall and not from internal machines looks pretty clear. The source address on the datagrams when you go from the firewall is 194.119.212.2, and when it is from an internal host, it is being NATed to 194.119.212.58 as the source.

Either something outside of your firewall is passing the 194.119.212.2 and blocking the 194.119.212.58 on the way out, or the responses from the remote server are not coming back because of the different destination. Is it a router with ACLs in between? A firewall at the other end? Do you have admin access to that remote SSH server? Can you run a tcpdump, snoop, etc. on that to see if the traffic from 194.119.212.58 ever arrives?

Oh, and one last thing it could be, on the firewall. Does the external interface of the firewall know that it owns 194.119.212.58? The packets could be coming back all the way to the router outside of your firewall, but the router cannot get the link-layer address for 194.119.212.58. However, if that address is working as the source for anything else, that is not the problem.
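As an added example (not from the thread, and not Check Point's code), a small Python script that applies the reasoning above mechanically: it parses fw monitor packet lines, pairs each packet's pre-outbound (o) and post-outbound (O) records to expose the source NAT, and lists source addresses that left on the wire but never saw a reply at pre-inbound (i). The sample traces are constructed from the lines quoted in this thread; the chain-point meanings (i/I/o/O) are standard fw monitor semantics.

```python
import re

# Line shape emitted by 'fw monitor' (as quoted in this thread):
#   <iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<n>
# Chain points: i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound.
LINE_RE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+\((?P<proto>\w+)\)\s+len=(?P<len>\d+)\s+id=(?P<id>\d+)$"
)

def parse(lines):
    """Return one dict per packet line; non-packet lines (compiler chatter) are skipped."""
    recs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["len"], r["id"] = int(r["len"]), int(r["id"])
            recs.append(r)
    return recs

def nat_translations(recs):
    """Pair each pre-outbound (o) packet with its post-outbound (O) twin by
    (iface, id, dst); a changed source between the two is source NAT."""
    pre, found = {}, set()
    for r in recs:
        key = (r["iface"], r["id"], r["dst"])
        if r["point"] == "o":
            pre[key] = r["src"]
        elif r["point"] == "O" and key in pre and pre[key] != r["src"]:
            found.add((pre[key], r["src"]))
    return sorted(found)

def unanswered_sources(recs):
    """Source addresses that left on the wire (O) but never had a packet come back
    addressed to them at pre-inbound (i): the symptom described for the NAT address."""
    sent = {r["src"] for r in recs if r["point"] == "O"}
    answered = {r["dst"] for r in recs if r["point"] == "i"}
    return sorted(sent - answered)

# Constructed samples: the working trace from the firewall and the failing one from an internal host.
WORKING = """eth0:o[52]: 194.119.212.2 -> 192.167.38.1 (TCP) len=52 id=43693
eth0:O[52]: 194.119.212.2 -> 192.167.38.1 (TCP) len=52 id=43693
eth0:i[52]: 192.167.38.1 -> 194.119.212.2 (TCP) len=52 id=0
eth0:I[52]: 192.167.38.1 -> 194.119.212.2 (TCP) len=52 id=0""".splitlines()
FAILING = """monitor: monitoring (control-C to stop)
eth4:i[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=8338
eth4:I[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=3729
eth0:o[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=3729
eth0:O[60]: 194.119.212.58 -> 192.167.38.1 (TCP) len=60 id=3729""".splitlines()
```

Run `nat_translations(parse(FAILING))` and `unanswered_sources(parse(FAILING))` to see the 10.10.2.230 to 194.119.212.58 rewrite and the address that never gets a reply; the same calls on `WORKING` return empty lists.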
> ----- Original Message -----
> From: "Crist Clark" <Crist.Clark GLOBALSTAR.COM>
> To: <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
> Sent: Friday, January 18, 2008 9:38 PM
> Subject: Re: [FW-1] SSH over port 28
>
>
>>>>> On 1/18/2008 at 12:17 PM, Giacomo Fazio <Giacomo.Fazio IFC.INAF.IT>
>> wrote:
>>> Hugo, thanks,
>>> but why is there no problem via ssh port 22???
>>
>> I'm more puzzled as to how this does not work when you say that
>> 'ssh -p 28 192.167.38.1' does work when run on the firewall itself.
>> What does the 'fw monitor' for that look like?
>>
>>> ----- Original Message -----
>>> From: "Hugo van der Kooij" <hvdkooij VANDERKOOIJ.ORG>
>>> To: <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
>>> Sent: Friday, January 18, 2008 6:52 PM
>>> Subject: Re: [FW-1] SSH over port 28
>>>
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Giacomo Fazio wrote:
>>>> | Ciao Crist,
>>>> |
>>>> | here is the output:
>>>> |
>>>> | [Expert fw1]# fw monitor | grep '192.167.38.1'
>>>> | monitor: getting filter (from command line)
>>>> | monitor: compiling
>>>> | monitorfilter:
>>>> | Compiled OK.
>>>> | monitor: loading
>>>> |
>>>> | Warning: External Interface 'eth0' was not found.
>>>> |
>>>> | monitor: monitoring (control-C to stop)
>>>> | eth4:i[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=8338
>>>> | eth4:I[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=3729
>>>> | eth0:o[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=3729
>>>> | eth0:O[60]: 194.119.212.58 -> 192.167.38.1 (TCP) len=60 id=3729
>>>>
>>>> That is one SYN packet going all the way.
>>>>
>>>> | eth4:i[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=8339
>>>> | eth4:I[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=13484
>>>> | eth0:o[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=13484
>>>> | eth0:O[60]: 194.119.212.58 -> 192.167.38.1 (TCP) len=60 id=13484
>>>>
>>>> Another packet going all the way. But why is the server in question not
>>>> responding? That is the question you need to answer.
>>>>
>>>> | eth4:i[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=8340
>>>> | eth4:I[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=65001
>>>> | eth0:o[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=65001
>>>> | eth0:O[60]: 194.119.212.58 -> 192.167.38.1 (TCP) len=60 id=65001
>>>> | eth4:i[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=8341
>>>> | eth4:I[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=53684
>>>> | eth0:o[60]: 10.10.2.230 -> 192.167.38.1 (TCP) len=60 id=53684
>>>> | eth0:O[60]: 194.119.212.58 -> 192.167.38.1 (TCP) len=60 id=53684
>>>> |
>>>> | I think it is SmartDefense that blocks ssh connections to ports different
>>>> | from 22...
>>>>
>>>> If SmartDefense was acting up then you would not expect your packets to
>>>> make it all the way.
>>>>
>>>> Check routing on the firewall and the host you want to reach. My 2 cents say
>>>> that your host does not know how to send the reply back through the firewall.