Solaris 10 ssh through a firewall
I have Solaris 10 up and running on an HP Vectra. Everything is fine until I attempt to ssh through my firewall from the outside world.
I can ssh from my Linux systems on the LAN. But when I attempt to ssh from outside using either PuTTY or ssh on another Solaris 10 system, the connection times out.
Anyone else experience a similar problem? Many thanks in advance.
John Wright
Asst Professor
CIT
Bellevue University
It's hard to tell what's going on without some more information. Here are a few things you can try:
Run "ssh localhost" from the Solaris box and make sure that works.
ssh to the Solaris box from another box on the same network segment.
From the site that doesn't work, do "ssh -v solaris_box" and see if that gives you any clues.
After trying to ssh from outside, do a "netstat -an | grep -i '*.22'" and see the state of the TCP connection
(or if the first packet never even makes it).
Run sshd on the Solaris box with the "-d" debug option.
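The netstat step above is the one that tells you whether the outside packets reach the box at all. As an added example (not part of the original reply), this Python snippet parses Solaris-style "netstat -an" TCP lines and interprets the state of port 22 for a given remote host; the netstat text is constructed, not a real capture.

```python
# Constructed sample of Solaris 10 "netstat -an" TCP output (not a real capture).
# Solaris prints addresses as host.port with a dot, and the state in the last column.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
192.168.1.5.22       192.168.1.20.51234   49640      0 49640      0 ESTABLISHED
192.168.1.5.22       203.0.113.7.40122        0      0 49152      0 SYN_RCVD
"""

def split_addr(token):
    """Split 'host.port' on the last dot; '*.22' gives ('*', '22')."""
    host, _, port = token.rpartition(".")
    return host, port

def port_connections(netstat_text, port="22"):
    """Return (listening, [(remote_host, state), ...]) for one local port."""
    listening = False
    conns = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip banner and header lines
            continue
        _, local_port = split_addr(fields[0])
        if local_port != port:
            continue
        state = fields[-1]
        if state == "LISTEN":
            listening = True
        else:
            remote_host, _ = split_addr(fields[1])
            conns.append((remote_host, state))
    return listening, conns

def diagnose(netstat_text, outside_host, port="22"):
    """Read the table the way the troubleshooting step intends."""
    listening, conns = port_connections(netstat_text, port)
    if not listening:
        return "sshd is not listening on port %s" % port
    states = [s for h, s in conns if h == outside_host]
    if not states:
        return "no packet from %s reached port %s (filtered upstream?)" % (outside_host, port)
    if "SYN_RCVD" in states:
        return "SYN from %s arrived but the handshake never completed (reply path blocked?)" % outside_host
    return "TCP to %s is %s; the problem is above TCP" % (outside_host, ",".join(sorted(set(states))))
```

Run it against the real output of "netstat -an" on the Solaris box while the outside client is retrying; a half-open SYN_RCVD entry points at the return path (NAT or asymmetric routing), an absent entry at the inbound filter.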
Similar Messages
-
Portal access through a firewall
Hi there!
Having the default installation of R2 on a single W2K box, what's the minimal procedure to make this configuration available through a firewall?
I've opened ports 7777-7778 but fail when trying to logon via SSO (host.domain.com:7777/pls/orasso)
Have I missed out to open another port or am I forced to follow the steps of setting up a reversing proxy to have portal-access outside the firewall?
Cheers
/Staffan
If they are on different servers, then both are listening on the 7777 port, and you will have to change one of them to use another port (assuming your firewall can only port forward a port to only one host).
If you are running both instances on the same server, then your SSO is accessible via 7777 and your midtier would be on 7778, so your setup as described should be enough (I do the same thing).
If they are running on the one machine, can you access the SSO/INF server directly? http://inf.domain.com:7777 and then http://inf.domain.com:7777/pls/orasso ? -
Workstation Clients through a Firewall
Does anyone out there know if there are any issues with workstation clients going
through a firewall?
Thanks!
mervin
We have done it successfully from NT to a Unix server over a firewall. It's a case
of getting the WSNADDR set up correctly.
Use the -H option in the WSL entry in the ubb config, as shown, to set it up.
eg
CLOPT="-A -- -d /dev/tcp -n 0x0002nnnnxxxxxxxx -H 0x0002MMMMyyyyyyyy"
Where nnnn is a port number
xxxxxxxx is the true hex IP address of the server
yyyyyyyy is the firewall hex address of the server
MMMM is fixed.
WSNADDR on the PC is set to port number and firewall address.
I know the hex notation is a bit out of date these days but it works fine for us.
Hope it helps
Sue
"Mervin Calverley" <[email protected]> wrote:
> Does anyone out there know if there are any issues with workstation clients going
> through a firewall?
> Thanks!
> mervin
-
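The WSL reply above encodes both the -n and -H addresses as 0x0002 + port + IPv4 address in hex. As an added example (not from the post or from Tuxedo itself), this Python code builds and decodes that notation and composes a CLOPT line; the addresses and ports are constructed placeholders.

```python
import ipaddress

# Layout of the hex address form used by the WSL -n / -H options and WSNADDR:
# "0x0002" (AF_INET) + 4 hex digits of port + 8 hex digits of IPv4 address.
AF_INET_TAG = "0x0002"

def tuxedo_hex_addr(ip, port):
    """Encode host:port as 0x0002PPPPAAAAAAAA (upper-case hex digits)."""
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range: %r" % port)
    packed = ipaddress.IPv4Address(ip).packed      # 4 bytes, network order
    return "%s%04X%s" % (AF_INET_TAG, port, packed.hex().upper())

def parse_tuxedo_hex_addr(text):
    """Decode 0x0002PPPPAAAAAAAA back to (ip, port); reject anything else."""
    if len(text) != 18 or text[:6].lower() != AF_INET_TAG:
        raise ValueError("not an AF_INET hex address: %r" % text)
    port = int(text[6:10], 16)
    ip = str(ipaddress.IPv4Address(bytes.fromhex(text[10:18])))
    return ip, port

def wsl_clopt(server_ip, server_port, external_ip, external_port):
    """Compose the CLOPT string in the shape the post shows: -n is the real
    listen address, -H the address clients reach through the firewall."""
    return 'CLOPT="-A -- -d /dev/tcp -n %s -H %s"' % (
        tuxedo_hex_addr(server_ip, server_port),
        tuxedo_hex_addr(external_ip, external_port))

if __name__ == "__main__":
    # Constructed values: internal 192.168.1.10:8080, firewall side 203.0.113.5:8080
    print(wsl_clopt("192.168.1.10", 8080, "203.0.113.5", 8080))
```

Later Tuxedo releases also accept the //host:port form in these fields; the hex form is the one the post uses, and decoding it is the quickest way to check that -H really carries the firewall-side address clients will dial.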
My internet connection is fine, I already allowed Firefox through my firewall. This is the first time it had ever happened and it happened suddenly, out of nowhere.
Try "Firefox connection settings" in [[Server not found]]
You can find the connection settings in Tools > Options > Advanced : Network : Connection
If you do not need to use a proxy to connect to internet then select No Proxy
You can also try to remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process.
See:
* [[Server not found]]
* [[Firewalls]] -
Endpoint on DMZ interface (through the firewall)
Hi
I have an ASA which connects to a BT Infinity router. The address on the outside interface is dynamic. BT provide us with 5 static addresses (No NAT 5) which are routed to the outside interface but are a different subnet.
I would like to terminate the site to site VPN using one of the static IP addresses rather than the outside dynamic address.
Can I NAT the public static address to the DMZ interface (or any interface for that matter) and terminate the VPN on that interface i.e. the firewall is terminated through the firewall?
Thanks
Stuart
Update: A few people have looked but no answer. Is there some detail I need to add?
Matheus.Omega.Mendes wrote:
Well, one solution that they found was implementing one hollow interface called InterfaceWeb, just to mark the classes that work on web and desktop. Although our system isn't perfectly object oriented, this solution was the worst that I have ever seen. At least I think this way, and I'd like to know if someone agrees, disagrees or has some explanation for this choice.
Hard to say without actually seeing it. Probably not a good idea.
Presumably the design was driven by time to market and cost rather than just because the developers didn't want to refactor.
As per the other suggestion, normally besides breaking the layers out you could share common functionality with a layer of its own (or several) -
How to allow Flash, Reader, and Shockwave installations through the firewall?
When I allow a single machine to full access through the firewall on port 80, all three products install flawlessly. I am trying to narrow this down and only open the specific IP ranges used by adobe. Does anyone know which ones need to be allowed for this to work? Also, I do know about the standalone files that can be downloaded and then installed to avoid the firewall issue, but I would like to allow all users who bring their own devices to install these products. With the below IP address open through port 80, I am able to install Flash almost every time, but Reader and Shockwave are less reliable. Thank you for any help you can provide.
Bill
I have a method that works for FLASH player, but am trying to come up with a method for the other 2 myself. To automate flash player, I created a Policy and added the following:
Under Computer Config, Preferences, Windows Settings, Files I created a new File Item.
I set Action = Replace, created a Source File named mms.cfg* (more below) and have the destination file as %systemroot%\System32\Macromed\Flash\mms.cfg (or %systemroot%\SysWOW64\Macromed\Flash\mms.cfg for x64)
I used notepad to edit the mms.cfg, and used the following in the body:
AutoUpdateDisable=0
SilentAutoUpdateEnable=1
AutoUpdateInterval=0
My non-admin users now update flash in the background silently and automatically. -
Firewall Rules for Printing and Scanning through Windows Firewall
Hello,
I am having trouble determining the Ports, Programs, and Services required for printing and scanning with my AIO.
I am using Windows Firewall in Windows 7, and am only allowing certain rules in and out.
I know the firewall is the problem, for when I disable it, everything works fine.
Which rules are required for printing and scanning through the firewall?
4th Bump,
Is there anyone who can help me with this?
As I said before, other printer manufacturers such as Lexmark and Brother provide this exact information.
Why doesn't hp have a document for this? Does everyone just disable their firewall or open every port? -
Cisco 8851 phones registering through Checkpoint firewall
We have a customer with a secured network, using Checkpoint firewalls and have a VPN site-to-site tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs. We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register. The 8851 phone, when it tries to register, uses the 6970 port for distributed TFTP via HTTP first (by design), followed by TFTP/69. The 7900 phone never generates TFTP on port 69 at all. What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral network port (51566) when the request traverses the network, regardless of it passing through the firewall or a router. I know that TFTP uses UDP, but there is nothing in the docs that state it uses these upper port ranges?
Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VOIP phones? I have done key-word searches on the Forum for this issue, but have not found anything significant. I have also looked at the Nokia support forum, and saw some briefs, but it didn't directly describe our issue. Any help would be greatly appreciated.
Thanks,
Hi Andrew
The attached document may assist:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
Hope this helps.
Barry Hesk
Intrinsic Network Solutions -
Forwarding through IPv6 Firewall partial solution
I figured out how to selectively forward port 22 (ssh) to all of my internal machines at home, through the Airport Express's IPv6 firewall. I couldn't find documentation for this, so I'm sharing, to help anyone else that might be trying to accomplish the same.
Under Advanced / IPv6 Firewall, add an Exception. This hint is how to choose the appropriate IPv6 address so that you add port forwarding for a specific port to all machines. For the IPv6 address field, enter :: (that is a double colon).
So my exception looks like this:
Description - ssh
IPv6 Address - ::
Specific TCP and UDP ports
TCP Port(s) - 22
UDP Port(s) -
Note that I have no security fears for enabling port 22, because my personal IPv6 address space is 64 bits, which would take ages for anyone to probe to find my machines listening on port 22, just so that they could then probe for obvious accounts and passwords. And password probing is easy to defeat anyway --- just disable password-based logins and require public/private key logins.
Call your ISP and have them set your Modem into BRIDGED MODE... ask them also for your account username and password... Go to your router setup page and configure its IP to 192.168.2.1 and set it to PPPoE, you have to type your username and password after this then save the settings... that way, your Westell will be a modem only and your firewall will only be the Linksys
-
How can we allow internal users to access internet through ASA firewall?
Hello,
I am new to the security track, I have been asked to set up a lab and allow users from inside the firewall to access the internet. Here is my lab setup
PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
Does the switch 2 port need internet access through the router?
What configuration is required on the ASA to allow users behind the firewall to access the internet?
any help on this would be much appreciated.
thanks,
Hi,
Okay, can you clarify on this for me. Are you able to ping the internet from the ASA outside interface?
Just try something like this:-
ping 4.2.2.2 .. Does this work?
If this does not work, then I think the ASA itself is not able to get to the internet and that would be a problem on the router.
Also, internet from Switch 2 is not a requirement as that is only a Layer 2 device.
You can assign the ISP allocated address on the PC, connect it to the Switch 2 port and then try to ping something on the internet or surf the internet and I think that should work.
Thanks and Regards,
Vibhor Amrodia -
Getting FTP to work in Solaris 10, RE: config vs. firewall
We've recently migrated from a clustered Solaris 9 environment to Solaris 10 zones.
One issue that keeps coming up is the inability to ftp anywhere except within zones running on the same server. I can ftp between those zones without any problem.
Trying to ftp anywhere else, i.e. to a zone on another server node or to any other ftp server, I encounter one of two problems, either I don't get a login prompt at all, which leads me to think there's a firewall issue, or I can login fine, but when I issue any command, nothing happens, and upon ctrl-x'ing out I see:
"421 Service not available, remote server has closed connection"
I've seen a lot of totally useless stuff on the web that doesn't seem to apply to Solaris 10. I know there's a bunch of ftp configuration files, but we haven't touched them.
ftpd is running with the -a switch, but TCP Wrappers is set to false. I can ftp TO this server from a remote server as long as the firewall has been configured for the IP.
To summarize.
Zone A on Server A > Zone B on Server A : No problem
Zone A on Server A > Zone B on Server B: Problem
If anyone can shed any light on this problem, that would be great.
Edited by: tsmori on Feb 7, 2008 8:26 AM
Does perl work for ~/andrew? You have ExecCGI set for /home/andrew/public_html and not /home/*/public_html:
    <Directory "/home/andrew/public_html">
        Options Indexes FollowSymLinks ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
Are permissions set to 755 so that the http user can run them? Have you checked apache's error log?
edit: fixed quote
Last edited by juster (2009-12-12 18:56:40) -
Solaris 11 ssh ControlMaster support?
I am trying to use a "Net::OpenSSH" perl script, which is using ssh multiplexing i.e. ControlMaster, and I am getting an error illegal option -- M..., is there any way to turn on multiplexing on Solaris 11 in the ssh client, or are we forced to compile from source?
perl script used
    #!/bin/perl -w
    use strict;
    use Net::OpenSSH;

    # 'host', 'user' and 'passwd' are placeholders for the real values
    my $ssh = Net::OpenSSH->new(
        'host',
        ssh_cmd  => '/bin/ssh',   # the Solaris ssh client
        timeout  => 10,
        user     => 'user',
        password => 'passwd',
    );
    # Net::OpenSSH reports the failed master (-M/-S) start here
    $ssh->error and die "Unable to connect: " . $ssh->error;

    my @cmd = (ls => '-a');
    $ssh->system(@cmd);
The script returns the errors below.
/bin/ssh: illegal option -- M
/bin/ssh: illegal option -- S
ssh: illegal option -- M
Usage: ssh [options] host [command]
Options:
Thanks,
Eli
Unfortunately I didn't find any workaround. Solaris SSH is an old fork of OpenSSH and does not support the multithreading option. I can't comment on your Solaris 11 > Linux environment; most of our environments were migrated from 10 to 11.1, and all I can say is Solaris rocks, features you find in Solaris you can find on any other OS in the market, just to name a few: ZFS, BE, IPS, FMA, SMF, etc.
Thanks,
Eli -
Can JMQ 2.0 work through a firewall?
We are interested in using JMQ for B2B communication for messages to be sent
through firewalls from one enterprise to another. Does JMQ 1.1 support this or
does JMQ 2.0? If JMQ 2.0 is the only option, can you please specify when it
will be released, as of now it is only in beta version? I would appreciate your
prompt response as we are in the process of evaluating each vendor.
JMQ 1.1 only supports a TCP based transport, and could only work across a firewall
if that firewall was specially configured to let the communication through. JMQ 2.0
will support use of HTTP as a transport, and this will eliminate the need for
special administration for any firewall that will naturally allow HTTP through. JMQ
2.0 is in Beta now, and is scheduled to be available as an FCS product early in
Q2CY01. -
Need to browse solaris directory structure through windows (JFileChooser).
Is there any way or any external API exist through which we can access the solaris/unix directory structure from windows through JFileChooser.
johndjr wrote:
I assumed it did, and it wasn't until after you asked that I questioned myself as to whether I knew that or I just thought I knew it. After a brief check it seems that it does
[some anecdotal evidence|http://wikis.sun.com/display/BigAdmin/Enabling+Browsing+with+Samba+in+Solaris+10+Update+4]
I lucked out this time.
Nifty - thanks for the link! -
WMI query through ASA Firewall
I'm a newbie - please be patient
We have an ASA firewall that has several DMZ VLANs.
A support company that is responsible for the SQL Servers wants to use WMI to query server health.
Their monitoring server is currently on the internal LAN, eight SQL servers are on the internal LAN and six of the SQL Servers are in the DMZ.
Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition
The question is the ports that need to be open for Windows 2003 is concerningly large tcp/1025-65535, tcp/135
What are everyone’s thoughts on opening up such a large range?
Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option and nor is going Linux
Thanks
PS - if this has already been asked can someone point me to the discussions
Hi
I would say that that is a No No
But that depends on the environment, for some (most) I would say it's not ok, but some might feel that they do not need that much security.
WMI is a bit tough on firewalls.
But there are ways to limit the ports used by WMI
e.g. you can set it to use fixed ports, and so on.
Sure it makes the server guys a little less happy since it does not work from the start and they have to make some changes but the added security is well worth the fight.
Here is a link to SolarWinds for people with the same problem, and an answer that seems to work
(I have not tested this) from ASH J Kent (almost at the bottom).
http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/
Here is one from MSDN
http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
Good luck
HTH