[ previous ] [ next ] [ threads ]
 From:  "Braden McGrath" <braden at mcmail dot homeip dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] [SSH] strange problem
 Date:  Wed, 16 Feb 2005 23:14:56 -0500
> Well, I assigned a new rule at Firewall NAT to accept 
> incoming request for post SSH and redirect to 
> (the other server listening on SSH).
> I also add correspondent rule on Firewall Rules for the same.

If you just add the NAT rule, it can add the firewall rule for you (and
it will manage that one - delete it if you remove the NAT redirect).
I'd advise doing it this way unless you have reasons not to.

> Funny (probably) I found that my laptop was trying to connect 
> to port 22 from its port 1240!

This is normal.  The destination port for SSH is 22 on the server, but
the source (on the client side) will be "any random port above 1024."
How did you setup the firewall rule?  It should be from "source: any
port, any ip" and to "destination: monowall WAN IP, port 22."  Again, I
suggest that you let m0n0 add the firewall rule for you unless you know
exactly what you're doing and have reason to do it yourself.

> I re-tried for 5 times (always my dialup ISP assigned a new 
> IP) and always the laptop results in trying to connect from port 1240!
> Why ?

Well, it's somewhat surprising that it isn't using 1025 or somesuch, but
depending on the OS and what else you are doing, I can see why it'd
start with the same port every time.  (Sounds like a windows box or an
older linux machine.)  Anything modern and secure uses a random source
port - openbsd or linux with one of the security patches (and maybe
kernel 2.6 by default?)  They'll pick highly random ports for all
outgoing connections.

> I use putty since almost 4 years and when I try to ssh I 
> always use port 22 (ssh)!
again, you always connect TO port 22, but the FROM is different
depending on the machine and what is happening with it.  Make sure your
monowall is expecting this - if you've told it to only allow client:22
-> server:22, it's never going to work.