SSH port forwarding
can i declare port forwerd fix for an specifie client into ssh server?? mean when this client or this machine demand port i request the port 555 only not random one as in tlenet ftp
Has an answer to this been found yet? I'm getting the same error but over different ports. Granted, I don't use the -L option; I opted to put everything in ~/.ssh/config instead so that I don't have to type it every time I connect.
Similar Messages
-
Ssh Port Forwarding Stopped Working
I have used ssh port forwarding in the past, and it has come in handy.
I have recently upgraded to Mavericks, but it does appear that my ssh port forwarding stopped some time before this. The last time I know it worked was 5/14/14, and feel it has worked more recently as well.
Here's what I do, from my Mac I ssh to my work jump server (port 22, let's say its IP is 11.22.33.44), and my jump server has access to work PC (lets say IP of 10.1.2.3). My work PC has RDP running on it on the common port 3389. I have verified that I can set up a working RDP session at work from another box. Also, I know that my jump server can get to my PC at work as I can ping my work IP if I just ssh straight to my jump server. And I know that there is no firewall stopping me from the jump server as I can also open a telnet session to my work PC on port 3389, without errors.
So, here's how I have done it in the past and it has worked, but now recently stopped working in Terminal app:
ssh -f [email protected] -L 3388:10.1.2.3:3389 -Nnv
The verbose logging shows that it sets up connectivity. If I then look to see if my local port is listening I can type:
netstat -an | grep 127.0
I will note that port 3387 is in fact LISTENing and waiting for connection
I then start my RDP client app, and start a session to "localhost:3387" (I could also use "127.0.0.1:3387", and have, but it does not work either). My RDP client eventually times out. I have turned my firewall off and on, neither way works.
Does anyone know why this may have stopped working?
Your input is most appreciated.
The verbose log shows the following is setup appropriately (with noted modifications to server names and actual IPs):
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to somewhere.net ([11.22.33.44]:22).
debug1: Local connections to localhost:3387 forwarded to remote address 10.1.2.3:3389
debug1: Local forwarding listening on 127.0.0.1 port 3387.Unfortunately I don't have another device to test if RDP is working on my LAN, however, when I check out my network connections and this is what I see after setting up the ssh tunnel and prior to attempting the RDP connection (again names protected):
my-rmbp:~ me2$ netstat -an | grep 127.0
tcp4 0 0 127.0.0.1.3387 *.* LISTEN
Then, as it is difficult to catch in the middle of TCP 3-way handshaking, here's what happens after an attempt with the RDP client while it sits and spins:
my-rmbp:~ me2$ netstat -an | grep 127.0
tcp4 0 0 127.0.0.1.3387 127.0.0.1.50323 FIN_WAIT_2
tcp4 0 0 127.0.0.1.50323 127.0.0.1.3387 CLOSE_WAIT
tcp4 0 0 127.0.0.1.3387 *.* LISTEN
You can clearly see it's attempting to make a connection over the tunnel via my RDP client, but it's being shut down right away. I will obtain a WireShark packet capture and see exactly what's happening. Oh, and if I tried to RDP to a port other than the one I set up the port forwarding tunnel with, RDP would disconnect right away.
What I'm most interested in is why, without any known changes, other than OS updates, did this work a few months ago, and now it does not?
I have also tried other test ssh port forwarding, such as to www.apple.com forwarding 8080 on localhost to 80, and others, and none of those work either with web browsers, I assume this is something Apple has done to disable ssh port forwarding/tunneling. Perhaps someone else has bumped into this and found a fix? Please share!
Also, I have heard that you have to be root in order to set up port forwarding, but clearly this is not accurate, as it worked before, and also as you can see above it worked without root. But I tried both ways, and sadly neither worked.
Could it by my jump server? Possibly, but others at work do this and it works just fine for them from their Windoze PCs. So can't be that either.
Perhaps my capture will tell me, I'll report back here with what I discover. Thanks in advance! -
Combo unix ssh port forwarding + iChatAV + Bonjour question
I don't know which forum is best for this question, so thought I'd try here first.
I've been tossing around the idea of picking up a couple of iSights and running iChatAV. Problem is, if I understand this correctly, iChatAV uses a couple of ports for connections to third-party servers: AOL buddy server or Jabber server, a port for something called snatmap, a port for SIP, and some other stuff. Plus, it requires that you open up nearly 20 ports on your network for the AV traffic! (I get nervous just having my non-standard ports for smtp and ssh open, and my imaps port open (which is another issue -- anybody know how to change imaps port 993 to a non-standard port if running uw-imap server?) It doesn't look like iChatAV can, normally, operate by "calling up" an IP address or hostname...it always has to set up calls using AOL or Jabber...unless, perhaps, the destination iSight/iChatAV is on your own Bonjour-capable subnet.
So, I'm thinking, what if a calling party created a ssh tunnel and port-forwarded the dozens of UDP and couple of TCP ports over a ssh tunnel, as a lengthy list of port forward options like "-L 5297:localhost:5297 -L ...", (assuming that the forwarding host, to whom the caller ssh's, is the same computer that is running iChatAV, hence, the remote host specification in the "-L" option of "localhost"). Would the caller then be able to treat the connection like Bonjour networking and when he calls localhost on his end of the circuit, it "bonjours" to the called hostname's localhost and thus a peer-to-peer connection would be made?
Or perhaps a reverse port forward tunnel ("-R" options) could be set up in advance by the "to-be-called" party, and then the calling party initiates a iChatAV call as a "same-subnet-as-calling-computer-via-Bonjour" type of call?
I'm just kicking around some thoughts here; I don't know enough about the intricacies of iChatAV and Bonjour (and ssh) to really know all the "gotchas" and I'd like to get the planning done with a high degree of confidence of success before I plunk out $300 on two iSights.
If the general concensus of the group moderator and others on this forum is that this question should be posted in another forum, I apologize, and I'll move, but I thought that the ssh tunneling nature of my inquiry (and my unrelated side question about how to change 993 to a non-standard port) made this forum the obvious, and best, choice.
Thanks in advance for any thoughts on these issues!
2001 Quicksilver G4 Mac OS X (10.4.5)No, you can't do what you describe. You have to use port forwarding on the router for any incoming connections, and each port forward rule can only map to a single server/service.
However, SSH has the ability to tunnel other connections, so it may be possible to remove one or more of the existing port forwarding rules and replace them with a SSH rule, then use SSH tunneling to get to those services. Of course, this will only work for services that only you (or other authorized users) need to access, and not public services such as web/http traffic (assuming you're running a public web site).
The only other option would be to replace your router with one that doesn't have such a strict limit on the number of port forwarding rules. -
WRV210 port forwarding only works on http!!!
I'm trying to use SSH port forwarding, and VNC on the future.
Right now the only one that is working is http. I have enable both HTTP and SSH over two different PCs, and only the http one is working.
We already have version 2.0.0.11. Also tried DMZ the second PC and didn't work.
I hear about to use DHCP, and then I defined the second PC mac on the table, and still didn't worked.
Any idea of what is going on with this equipment.
Carlos AlperinIf you enter the IP address on this page http://www.whatismyip.com/ip-tools/ip-whois-lookup/
you can see who it belongs to.
But I suspect that its something within your router that is returning the wrong WAN address. Do you have an ADSL connection, or an Infinity connection?
Yo may have difficulty connecting to your own external WAN address from within your own network, unless your router has NAT loopback enabled.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Difference Between Port Forwarding and Port Triggering.
Hi guys,
I'm lost! The differences between port forwarding and port triggering is driving me nuts! It all seems very subtle to me. Can anyone explain to me (in a very simple way) what exactly are their differences. Thanks in advance!!Port Forwarding
The big difference between this and port triggering is that forwarding is fixed.. you forward a port and it is always forwarded.. IE available to connection.. basically the forwarded port is excluded from the fire walling abilities of the router. Second it is static and applies to one machine only. Whereas you could set port triggering to the router and thereafter any machine on the LAN can trigger it unless its already in use.. port forwarding must be specified for each individual machine.
Port forwarding requires you to give each PC on the network its own unique static IP address.. Although there is ssh port forwarding that can be set dynamically. Most users only have the option of static ip port forwarding.
The real downside of port forwarding is that it can be very tricky to set up... You may have to allow a series of ports on a machine and have to do that for each machine you want to allow through. Also routers often have limited abilities and may not allow you the ability to forward a port or select the service you require.
Port Triggering
This is a way of Dynamically assigning a service to a port WHEN it is required by an outgoing service. The port is initially not allowed so nothing can get in and you are protected by your network.
A good example of this is when using Yahoo! voice .. the voice works fine for a few minutes after you connect to Yahoo! then Yahoo! sends some kind of packet that requires a response from your PC... The packet is allowed in through your router no prob but the outgoing reply is not authorized to open a port on the router and is thus blocked.
'ope this helps -
Nginx client_ip in log file, with ssh -R Port forwarding
Hi, everyone!
First, I run a nginx server M1 (in my offce) behind a router R1 and M1's IP addr is 192.168.5.126. I set nginx's log format like this:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
After that, I will get the correct client ip in the access log.
192.168.5.88 - - [21/Apr/2015:11:12:47 +0800] "GET /js/date.js HTTP/1.1" 200 403 "http://192.168.5.126/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-"
Then, I want to visit M1 outside (in the campus) . Unfortunately, I can do nothing with the router R1. But I have a router R2 whose framework is OpenWrt and its IP 222.xx.xx.xx can be visited by anyone who has logged into the campus network.
Then I wrote a autossh service to do that:
[Unit]
Description=AutoSSH service for local port 80 forwarded to 222.xx.xx.xx:80
# place this in /etc/systemd/system/, than enable this.
After=network.target
Requires=nginx.service
After=nginx.service
[Service]
Environment="AUTOSSH_GATETIME=0" "AUTOSSH_POLL=60" "AUTOSSH_LOGFILE=/var/log/nginxssh.log"
ExecStart=/usr/bin/autossh -M 22000 -NR 222.xx.xx.xx:808:localhost:808 -NR 222.xx.xx.xx:80:localhost:80 -o TCPKeepAlive=yes -p xxxx [email protected] -i /home/username/.ssh/id_rsa
[Install]
WantedBy=multi-user.target
Yeah, It works! BUT BUT when someone visits 222.xx.xx.xx, I lost the the client ip in nginx log file. That would always be 127.0.0.1, why?
127.0.0.1 - - [27/Apr/2015:00:34:07 +0800] "GET /static/mathjax/MathJax.js?config=TeX-AMS_HTML HTTP/1.1" 304 0 "http://222.xx.xx.xx:808/url/jakevdp.github.com/downloads/notebooks/XKCD_plots.ipynb" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:37.0) Gecko/20100101 Firefox/37.0" "-"
After ``ssh -R Port forwarding``, client ip is lost?
If so, what should I use to replace ``ssh -R``?
Last edited by limser (2015-05-04 12:39:18)It seems there is a port forwarding configuration trouble with you modem.
When you access from the WAN or from the LAN, you don't enter in you modem the same way, so the behavior is different.
It seems that the port 22 of your modem is not directly forwarded to your server. The modem itself asks you a login/password. The key-pair authentification is between laptop and server. The modem itself is not recognized during this authentification.
Don't touch your ssh-config. It's OK since it was working for monthes before you change your modem. -
Port forwarding, NAT, SSH and Transmission.
A couple of days ago I decided to setup the Transmission daemon, along with automatization for my downloads. Recently, however, to put a layer of security around my laptop, I set up a wireless router I had lying around that is now connected with a wire to my laptop. The reason for this is that I have no idea how iptables work yet, and until then I decided this will suffice for the moment. One of the problems though (yes, problems seems to come in twenty-fold where my luck is concerned), is that when I rewire my laptop directly to the internet, without the router, NetworkManager or Archlinux doesn't reset the ip address, which for some reason jumps to 192.168.1.122, which it never uses otherwise. I haven't yet tried reinstalling networkmanager, but when I did turn it off, dhcpdcd assigned the same address... The problem here being that it shouldn't assign a LAN-address, I'm directly connected to the internet. Sidenote here though; my internet connection is just a plug in the wall, the operators here (I live on a kind of campus), probably only use a network-switch to relay the traffic to the socket.
That's that, my wired network doesn't work directly, only via the wireless router, wired or wireless. Because of this, I have to use port-forwarding for SSH (to test if the port forwarding works), and the Transmission daemon with an rcmp port of 9091., which was my intention in the first place. I have no idea if logging into my.ip.address.here:9091 in a browser would work, I just used localhost:9091.
Now for the results:
$ nmap -sT xx.xxx.xx.xx
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-14 19:42 CEST
Nmap scan report for xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Host is up (0.038s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
9091/tcp filtered unknown
Here it shows that the ports are actually not closed, but they're not exactly opened either, from what I gathered from the internet.
SSH shows the true problem:
$ ssh neal@xxxxxxxx
ssh: connect to host xxxxxxxx port 22: Connection timed out
SSH-ing to 192.168.0.102 (my internal ip) works, as does to localhost, same for Transmission webGUI. Before I used port-forwarding ssh would correctly say that it couldn't get traffic from the router.
My router is a cheap solution to another problem I had, but it should work like any router. It's a Sitecom WL-607. I disabled login authentication for the moment. Also, there is no filtering going on in the firewall. Like I said earlier, I don't get iptables, so that's not being used. The hosts file allows all and denies nothing.
TLDR version; I'm using port-forwarding on my Sitecom WL-607, but all ports except http and the 53 port are being blocked.
Is there something I'm missing here?
Thanks in advance,
Neal van Veen.by default, all routers assign there clients an ip address from there internal pool of addresses, your wireless router is assigning you that address and then NAT's the connection with the WAN side, but even after directly plugging in to the wall socket you still dont get a new ip address, use dhcpcd <mydev> in terminal to reresh dhcp lease. if not then your campus/location/etc may also be using NAT on there own side.
as for the ports, iptables doesnt block any traffic by default, it allows everything. if there is filtering, it is from your wireless router.
on the above ssh and nmap scans, did u use your lan ip, or your public ip. -
WRVS4400n port forwarding (SSH access)
I have a WRVS4400n and a CentOS server that I need to enable a SSH access to from WAN.
I created a single port forward rule to open port 22 and forward to server (which address is 192.168.41.3)
However ssh connect doesn't happen, the command "ssh user@{external_IP}" times out after 20 seconds.
Wondering why...
If I connect my server directly to modem through outside interface - I have no problems connecting to it. Once it's behind router - no luck.
I even added same rule for UDP, not sure if it's needed, but it definitely didn't hepl.
The router is on firmware version 2.0.1.3, version on a bottom is 2.
Any suggestions?Hi Randy Manthey, Thanks for quick response. The server has 2 interfaces: eth0 (outside, WAN) currently down. When it was up it had a static IP, default gateway and mask assigned by ISP. It was plugged into the cable modem at that time, it was accessible. eth1 (inside, LAN), up, address 192.168.41.3, default gateway 192.168.41.1 (which is above mentioned Cisco router WRVS4400n). It can ping all machines on LAN, including gateway. It is accessible to all machines on LAN and can be pinged by the Cisco router. It CANNOT ping any IP address on WAN (I understand this is because eth0 is down). Let me know if you need any other info. Thank you.
Edit: I got home (the router is in one of my offices) and scanned the router with nmap:
nmap -v -sT -PN XXX.YYY.ZZZ.88
Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-24 23:24 EDT
Initiating Parallel DNS resolution of 1 host. at 23:24
Completed Parallel DNS resolution of 1 host. at 23:24, 0.04s elapsed
Initiating Connect Scan at 23:24
Scanning wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88) [1000 ports]
Discovered open port 8080/tcp on XXX.YYY.ZZZ.88
Completed Connect Scan at 23:24, 6.06s elapsed (1000 total ports)
Nmap scan report for wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88)
Host is up (0.033s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
8080/tcp open http-proxy
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.14 seconds
Port 8080 - is a port for remoute router administration. -
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the servers firewall, its just the cisco. I highlighted in red to what i thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
endHi,
I didnt see anything marked with red in the above? (Atleast when I was reading)
I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
HELP!! asa 5505 8.4(5) problem with port forwarding-smtp
Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa to my mail server.
my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
When I run a trace i get "(ACL-Drop) - flow is deied by configured rule"
below is my config file , any help would be appreciated
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISPDsl
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network server_SMTP
nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: endHi Jennifer
I have removed that nat line as suggested but still no joy.
here is my current config
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
also here is the packet trace
and my acl
Thanks -
How to IPsec site to site vpn port forwarding to remote site?
Hi All,
The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A. Would you please advise the solution for that?
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Laverton
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 10
crypto pki trustpoint TP-self-signed-1119949081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119949081
revocation-check none
rsakeypair TP-self-signed-1119949081
crypto pki certificate chain TP-self-signed-1119949081
certificate self-signed 01
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
quit
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool DHCP_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.134.49
lease infinite
ip cef
no ipv6 cef
multilink bundle-name authenticated
object-group network VPN
description ---Port Forward to vpn Turnnel---
host 192.168.2.99
username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
archive
log config
hidekeys
no ip ftp passive
interface ATM0
description ---Telstra ADSL---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
switchport access vlan 10
shutdown
interface FastEthernet3
interface Vlan1
description ---Ethernet LAN---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
interface Vlan10
ip dhcp relay information trusted
ip dhcp relay information check-reply none
no ip dhcp client request tftp-server-address
no ip dhcp client request netbios-nameserver
no ip dhcp client request vendor-specific
no ip dhcp client request static-route
ip address dhcp
ip nat outside
ip virtual-reassembly
interface Dialer0
description ---ADSL Detail---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 0 mypassword
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip access-list extended NAT
remark CCP_ACL Category=16
remark IPSec Rule
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address NAT
route-map SDM_RMAP_2 permit 1
match ip address 101
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
Your help would be very appreciated!
PS: I know it is easier if i config Site A as the VPN server but in out scenario, we need to access printer from internet over static WAN IP of site A.
Thanks,
ThaiIs there anyone can help please?
-
How do I do port forwarding on my airport extreme for my IP camera (foscam)?
Hi,
I've been working on this for what seems like a week. I purchased a wireless security camera to put in my house and to see from my laptop (or IPAD2) when I'm away. I am able to see it from either device when I'm here at home, but not when I'm out on the road.
According to the instructions for a mac setup, I needed to set up a DDNS service and get a free account at DynDNS, which I did. They also told me to use a different port than 80, suggesting 8081 as the http port which I plugged in to the camera device setting.. The next step is to do PORT FORWARDING and then I should be able to use my DDNS domain name and port number to login to my camera anywhere...
I'm stuck in how to do this with my airport extreme. I see where I have to go into utilities and click on airport utility, and then manual set-up..
Right now when I click on the Internet tab at the top I see the connection sharing is off (Bridge Mode), and that I have to change it to share a public IP address to get DHCP and NAT to appear in the tabs..
when I go to NAT, the box for enable NAT port mapping protocol is checked and then there is a tab I can click on that says Configure Port Mapping.
I know that I'm supposed to click the plus button + to enter a service and a port and here's where I get stuck
when I click the + button I can either click on the choose a service tab, which then drops down a list of services like Personal File Sharing, Window Sharing, Personal Web Sharing, Remote Login SSH , etc, or just keep it where it says choose a service and not choose one of the services.
Then there are some boxes to fill in for Public UDP Port(s), Public TCP Port(s), PRIVATE IP address-where the only numbers I can change are the last ones and I don't know if I'm supposed to put the IP address of the camera or what? and then the boxes for Public UDP and PUBLIC TCP.
I tried a few times to fill out the port numbers to 8081 (the one I selected for the IP camera) but I don't know what to do for the private IP address. When I changed the last numbers to the IP address of my camera, and went to update, it told me that I had to correct the 2 problems before updating:
DHCP beginning address, and dhcp ending address...as the DHCP range you have entered conflicts with the WAN IP address of your Airport wireless device. So I cancel and am stuck.
Sorry this is so long.. but I really can't get anyone to help me figure this out.. The camera company isn't answering ..
Thanks!!
BarryThanks for the info. I checked the model number on the Westell site to get info on the device. From Westell's info.....
1. Product Description
This ADSL modem is a NAT router with a four port 10/100BaseT Ethernet switch, a USB port and 802.11g wireless interface.
So, while you might refer to it as a "modem" ( a modem will only have one Ethernet port), you have a router or gateway. A gateway is simply a modem and router in the same box.
With the AirPort Extreme, you have 2 routers on the network. Basic networking rules dictate that when there are 2 routers, the first....your Westell.....must handlde DHCP and NAT, and the second router....in this case the AirPort Extreme....must be configured to operate in Bridge Mode so that it will function correctly on the network. That's why the AirPort Extreme is in Bridge Mode. That is the correct setting on your network.
That's also why you were getting the error messages when you tried to configure the Extreme as a second router.
As I mentioned before, any port mapping or port forwarding is going to have to be set up on the "main" router....your Westell. It cannot be set up on the AirPort Extreme. -
Ssh X11 forwarding takes too long to start any app. remotely
Hi,
I have a bizzare problem with %subject% for some time already.
Affected are all my Arch linux installations (all with: systemd, openbox (without Display Manager), and latest updates):
1. home desktop (core 2 duo, 2.4GHz, 3GB RAM).
2. one testing desktop in virtualbox on the desktop from prev. point.
3. work laptop (Intel Core i5, 4GB RAM).
All of these are connected via cable to the same home network 100MB router (using openwrt on asus wl-500g).
Normal ssh transmissions, like entering commands, or transfer of data via scp (even large amount of data for testing purposes because of this) works quick like expected.
The problem is, that if I try to start app. remotely via ssh X forwarding from and to any of these (affected also bidirectional), it takes always aprox. 2 minutes to start the app.
Afterwards, it works fast and fine.
Doesn't change anything, whether the X server is running on the server's side or not.
Have been testing it with some lightweight apps too, but makes no difference if it's e.g. mousepad, gedit, thunderbird, always the same 2 min. delay at their start.
Also, some time ago, I had an older (more than 10 years) laptop, also with Arch installed, using LXDE, and connected via wifi to this same router, which worked perfectly without any delay. Also the same time ago, I was yet running Ubuntu on the home desktop, when I installed Arch to the virtualbox mentioned in point 2, and the problem was already present on the virtual pc, but not on the Ubuntu or the older laptop with Arch I had before.
Later, when I switched home desktop to Arch (or I got new laptop in the work), the issue appeared instantly on the new Arch installations.
The sshd configuration is the basic from the package, with X forwarding enabled of course, thus no strange changes of mine.
I monitored the ssh communications with tcpdump, not to read the encrypted data itself , but to see whether the data is flowing, and there are flow outages (absolute quiet except of below mentioned exceptions) in the mentioned 2 minutes duration till app. startup:
- after ssh authentication, there is about 1 minute silence, when after this 1st minute some few data is flowing
- next, there is another 1 minute silence, after which the app. finally starts
I've also gathered ssh debugging informations, from both, server (where I'm connecting and trying to start app. remotely) and client, with description when waiting has been detected.
server:
/usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 501
debug2: parse_server_config: config /etc/ssh/sshd_config len 501
debug3: /etc/ssh/sshd_config:15 setting ListenAddress 0.0.0.0
debug3: /etc/ssh/sshd_config:16 setting ListenAddress ::
debug3: /etc/ssh/sshd_config:35 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:42 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:52 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:68 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:71 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:92 setting UsePAM yes
debug3: /etc/ssh/sshd_config:94 setting AllowAgentForwarding yes
debug3: /etc/ssh/sshd_config:95 setting AllowTcpForwarding yes
debug3: /etc/ssh/sshd_config:97 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:98 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:99 setting X11UseLocalhost yes
debug3: /etc/ssh/sshd_config:104 setting UsePrivilegeSeparation sandbox
debug3: /etc/ssh/sshd_config:106 setting Compression delayed
debug3: /etc/ssh/sshd_config:109 setting UseDNS no
debug3: /etc/ssh/sshd_config:120 setting Subsystem sftp /usr/lib/ssh/sftp-server
debug1: sshd version OpenSSH_6.1p1
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 501
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from CLIENT_IP port 43333
debug1: Client protocol version 2.0; client software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 6379
debug3: preauth child monitor started
debug3: privsep user:group 99:99 [preauth]
debug1: permanently_set_uid: 99/99 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,[email protected] [preauth]
debug2: kex_parse_kexinit: none,[email protected] [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 5 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x13e3f80(100)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user USERNAME service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 501
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug2: input_userauth_request: setting up authctxt for USERNAME [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 45 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "USERNAME"
debug1: PAM: setting PAM_RHOST to "CLIENT_IP"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 3 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug1: userauth-request for user USERNAME service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 20 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 21 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x13e1e20
debug1: temporarily_use_uid: 1000/100 (e=0/0)
debug1: trying public key file /home/USERNAME/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/USERNAME/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for USERNAME from CLIENT_IP port 43333 ssh2
debug3: mm_answer_keyallowed: key 0x13e1e20 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss [preauth]
debug1: userauth-request for user USERNAME service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 10 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 11 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for USERNAME
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 11
debug3: mm_request_receive_expect entering: type 46
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send entering: type 47
Accepted password for USERNAME from CLIENT_IP port 43333 ssh2
debug3: mm_auth_password: user authenticated [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 46 [preauth]
debug3: mm_request_receive_expect entering: type 47 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug3: mm_send_keystate: Sending new keys: 0x13e1c40 0x13e34c0 [preauth]
debug3: mm_newkeys_to_blob: converting 0x13e1c40 [preauth]
debug3: mm_newkeys_to_blob: converting 0x13e34c0 [preauth]
debug3: mm_send_keystate: New keys have been sent [preauth]
debug3: mm_send_keystate: Sending compression state [preauth]
debug3: mm_request_send entering: type 24 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: USERNAME has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 0x13f3b20(122)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x13f3b20(122)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: ssh_sandbox_parent_finish: finished
debug1: PAM: establishing credentials
debug3: PAM: opening session
User child is on pid 6387
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1000/100
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug2: fd 7 setting O_NONBLOCK
debug2: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype [email protected] want_reply 0
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug3: sock_set_v6only: set socket 10 IPV6_V6ONLY
debug2: fd 10 setting O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug2: fd 11 setting O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request exec reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req exec
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: fd 14 setting O_NONBLOCK
debug2: fd 13 setting O_NONBLOCK
debug2: fd 16 setting O_NONBLOCK
debug2: channel 0: read 210 from efd 16
debug2: channel 0: rwin 2097152 elen 210 euse 1
debug2: channel 0: sent ext data 210
debug2: channel 0: read 380 from efd 16
debug2: channel 0: rwin 2096942 elen 380 euse 1
debug2: channel 0: sent ext data 380
debug2: channel 0: read 121 from efd 16
debug2: channel 0: rwin 2096562 elen 121 euse 1
debug2: channel 0: sent ext data 121
### Here started the waiting on the server's side, and continued later till the start of app.:
debug1: X11 connection requested.
debug2: fd 12 setting TCP_NODELAY
debug2: fd 12 setting O_NONBLOCK
debug3: fd 12 is O_NONBLOCK
debug1: channel 3: new [X11 connection from 127.0.0.1 port 46968]
debug2: channel 3: open confirm rwindow 2097152 rmax 16384
debug2: channel 0: read 62 from efd 16
debug2: channel 0: rwin 2096441 elen 62 euse 1
debug2: channel 0: sent ext data 62
debug1: X11 connection requested.
debug2: fd 15 setting TCP_NODELAY
debug2: fd 15 setting O_NONBLOCK
debug3: fd 15 is O_NONBLOCK
debug1: channel 4: new [X11 connection from 127.0.0.1 port 46972]
debug2: channel 4: open confirm rwindow 2097152 rmax 16384
debug2: channel 3: rcvd adjust 51268
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 32768
debug2: channel 3: rcvd adjust 147456
debug2: channel 3: rcvd adjust 55788
debug2: channel 3: window 32740 sent adjust 32796
client:
ssh -Xvvv USERNAME@SERVER_IP mousepad
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to SERVER_IP [SERVER_IP] port 22.
debug1: Connection established.
debug1: identity file /home/USERNAME/.ssh/id_rsa type -1
debug1: identity file /home/USERNAME/.ssh/id_rsa-cert type -1
debug1: identity file /home/USERNAME/.ssh/id_dsa type 2
debug1: identity file /home/USERNAME/.ssh/id_dsa-cert type -1
debug1: identity file /home/USERNAME/.ssh/id_ecdsa type -1
debug1: identity file /home/USERNAME/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "SERVER_IP" from file "/home/USERNAME/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/USERNAME/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ABC123...
debug3: load_hostkeys: loading entries for host "SERVER_IP" from file "/home/USERNAME/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/USERNAME/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'SERVER_IP' is known and matches the ECDSA host key.
debug1: Found key in /home/USERNAME/.ssh/known_hosts:4
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/USERNAME/.ssh/id_rsa ((nil))
debug2: key: /home/USERNAME/.ssh/id_dsa (0x)
debug2: key: /home/USERNAME/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/USERNAME/.ssh/id_rsa
debug3: no such identity: /home/USERNAME/.ssh/id_rsa
debug1: Offering DSA public key: /home/USERNAME/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USERNAME/.ssh/id_ecdsa
debug3: no such identity: /home/USERNAME/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USERNAME@SERVER_IP's password:
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to SERVER_IP ([SERVER_IP]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-mHE6faU7YJF2/xauthfile generate :0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-mHE6faU7YJF2/xauthfile list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug1: Sending command: mousepad
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
### After successful authentication, here above started the first waiting, where after first 1 min. continued with:
debug2: channel 0: rcvd ext data 210
debug2: channel 0: rcvd ext data 380
debug2: channel 0: rcvd ext data 121
debug3: Copy environment: XDG_SESSION_COOKIE=0d937ee20c7e42bdbf828421a30eaa2f-1357144247.348263-1841400888
debug3: Copy environment: XDG_SESSION_ID=5
debug3: Copy environment: XDG_RUNTIME_DIR=/run/user/1000
debug2: channel 0: written 711 to efd 6
### After another 1 min. continued with + started the app.
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 46968
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: channel 0: rcvd ext data 62
Xlib: extension "RANDR" missing on display "localhost:10.0".
debug2: channel 0: written 62 to efd 6
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 46972
debug2: fd 8 setting O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug1: channel 2: new [x11]
debug1: confirm x11
debug2: channel 1: window 2045884 sent adjust 51268
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 32768
debug2: channel 1: window 1949696 sent adjust 147456
debug2: channel 1: window 2041364 sent adjust 55788
debug2: channel 1: rcvd adjust 32796
debug1: client_input_channel_open: ctype x11 rchan 5 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 46974
debug2: fd 9 setting O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug1: channel 3: new [x11]
debug1: confirm x11
debug2: channel 1: rcvd adjust 32800
It's quite strange, as I have no more ideas what to check next.
Any ideas pls?
thx in advance.Have finally found a solution for this problem: http://serverfault.com/questions/490352 … w-to-start
Now the applications do start immediately via SSH X11 forwarding as expected.
The following three lines helped:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A FORWARD -i lo -o lo -j ACCEPT
While until now, all ip6 traffic has been forbidden (to drop all ip6 traffic) at the start of the system of course.
Nevertheless, I don't understand it, why the ip6 localhost has to be granted this way even if the /etc/ssh/sshd_config is configured for ip4 only "AddressFamily inet"?
I thought, that this way the sshd will be using ip4 protocol only (including for the X11 forwarding), then why does it still need the ip6? -
Port Forward in Cisco series 800
Dear Support
below the configuration of Cisco Series 800 Router that Has VDSL port of internet , the configuration as below :
i add three command
what is required in order to make port forward
ip nat inside source static tcp 8000 10.10.10.10 8000 dilar 0
ip nat inside source static tcp 554 10.10.10.10 554 dilar 0
ip access list extended 100
permit ip any any
what is required to make port forward to the local ip address 10.10.10.10 from outside interface that is VDSL port ?
! Last configuration change at 10:47:44 KSA Wed Apr 22 2015 by aamalsup
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
hostname AamalNet
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret level 2 5 $1$Y4PF$K6TQ5wf0gcHiO5IxvLZba0
enable secret level 5 5 $1$WZeO$BzTCl0C0e1078CWxExJK0/
enable secret 5 $1$plq6$P5HVL/tR81cs0GFDrD.0V/
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
clock timezone KSA 3 0
crypto pki trustpoint TP-self-signed-1682106276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1682106276
revocation-check none
rsakeypair TP-self-signed-1682106276
crypto pki certificate chain TP-self-signed-1682106276
certificate self-signed 02
30820250 308201B9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363832 31303632 3736301E 170D3032 30333031 30303038
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36383231
30363237 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C2F3 49897460 71FEB259 7794B7C6 D398958A 2D338F0F C69F0E75 1137B16C
C261A275 8416DAF6 FC19AA6E 50024019 66CE4DB8 3AFAB6FE CE892B42 86A93490
97259E47 D740B2F4 9AA2D307 7B676841 2CAAA879 D945A6FD 717B507F 77399332
1644CEDE 884BF133 ACFBBC80 9869A104 54CC3EEE 9D521378 EC762D86 C3F0ABC9
CA990203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18417761 6C416D61 6C792E61 77616C6E 65742E6E 65742E73
61301F06 03551D23 04183016 80149ADD A651C9F9 F8369354 5C904777 090FEB75
72E0301D 0603551D 0E041604 149ADDA6 51C9F9F8 3693545C 90477709 0FEB7572
E0300D06 092A8648 86F70D01 01040500 03818100 50ACCA98 1A5FCCAD FC61D703
A8589B02 AFB8CD47 BD1CC7B0 B095C97F AA0604A8 F8495053 C8A9CBB9 644F5674
318A7AA0 873250AD 1DE28CE2 BE21ED19 BF212CF7 E2A97CFB FFA62F1E 643CEDFE
90D02109 719FD4D3 98E6C40B D61CE89C D2426C1E 3CBD9FBE 397F7F7C F1DD279E
14F8BB2D ABFA784B 6E04274B EDCBFC8F A805E91D
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.11.1
ip dhcp pool lan
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
ip dhcp pool wireless
import all
network 10.10.11.0 255.255.255.0
default-router 10.10.11.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
no ip domain lookup
ip domain name aamal.net.sa
ip name-server 212.93.192.4
ip name-server 212.93.192.5
no ipv6 cef
cwmp agent
enable download
enable
session retry limit 10
management server password 7 094D4308151612001D05072F
management server url http://aamalservice.aamal.net.sa:9090
license udi pid C887VA-W-E-K9 sn FCZ17459018
archive
log config
hidekeys
username k privilege 15 password 7 020D
username admin privilege 15 password 7 14161606050A
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group aamalnet
key aamalnet
dns 212.93.192.4 212.93.192.5
include-local-lan
dhcp server 10.10.10.1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group aamalnet
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile SDM_Profile1
set security-association idle-time 60
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Vlan2
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 0007145E2E5A05522E1858
no cdp enable
interface BVI2
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 23 permit 212.93.196.0 0.0.0.255
access-list 23 permit 212.93.192.0 0.0.0.255
access-list 23 permit 212.93.193.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.11.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
snmp-server community private RW
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
privilege interface level 5 encapsulation
privilege interface level 5 description
privilege interface level 5 no encapsulation
privilege interface level 5 no description
privilege interface level 5 no
privilege configure level 5 ip route
privilege configure level 5 interface
privilege configure level 5 controller
privilege configure level 5 ip
privilege exec level 5 copy running-config tftp
privilege exec level 5 copy running-config
privilege exec level 5 copy
privilege exec level 5 write memory
privilege exec level 5 write
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show processes cpu
privilege exec level 5 show processes
privilege exec level 2 show running-config
privilege exec level 5 show configuration
privilege exec level 2 show
privilege exec level 5 clear counters
privilege exec level 5 clear
banner exec
CC
% Password expiration warning.
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
banner login
CC
********STC AamalNet Service****************************************
********Authorize Access Only. For more Support Call 909************
line con 0
privilege level 15
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 23 in
privilege level 2
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 20000 1000
endHello,
Sure.
What version are you running?
Regards, -
Hi,
I am new to Solaris and am trying to set up a simple port forwarding from port 80 to 8080.
I know how to do this in Linux:
iptables -t nat -I PREROUTING -p tcp dport 80 -j REDIRECT to-port 8080
but cannot find a way to do this in Solaris. I have installed SunScreen, but am not sure whether this is the right thing to use.
This is a simple server in a hosting centre.
Can anyone help?In solaris you can do port forwarding with ssh . You have to install SSH from soalris 2 of 2 CD .
see man pages of ssh
Regards
Maybe you are looking for
-
I am working as web developer in india...One of my cient need this for his website... Awaiting for valuable replay
-
Rev. Recog:Field Trans.Type is a required field for G/L account 1000 401016
Dear All, I have encountered with following error while run Revenue Recognition. Error Log Field Trans.Type is a required field for G/L account 1000 401016 Long Text Detail Diagnosis The value for field "Trans.Type" in the interface to Fina
-
How do i create *if (Key.isDown(Key.LEFT)* allow two buttons
I got this code if (Key.isDown(Key.LEFT) && Math.abs(this["speed"+who])>0.3) { _root["car"+who]._rotation -= _root.rotationStep2*(this["speed"+who]/_root.maxSpeed); How do i allow it to have SPACE key and LEFT you probably knew it wouldn't work but i
-
When I try to start iTunes, it asks me to put a disc in my CD/DVD drive. How do I make that go away?
When I try to open iTunes, I'm asked to insert a disc into my CD/DVD player. How do I make this go away?
-
Do iPads need any type of virus or malware protection?
do iPads need any type of virus or malware protection?