OPNsense

Author Topic: Cant SSH to remote site on alt port after 17.1.1  (Read 3483 times)

RickNY

Cant SSH to remote site on alt port after 17.1.1
« on: February 14, 2017, 05:12:13 am »
After updating my 17.1 machine to 17.1.1 this afternoon, I can no longer initiate an outgoing SSH connection to a remote server that listens for SSH connections on port 922. If I try to perform the following from a shell connected directly to the router:

 ssh remote-host.com -p 922 -l myusername

I get:
ssh: connect to host remote-host.com port 922: Operation not permitted

My LAN clients that attempt to connect to the same host time out now. I have a default outgoing LAN firewall rule that allows outgoing connections to all, and there is nothing being reported in the firewall logs that it is being blocked.

For the time being, I have changed the remote SSH server to listen on port 22, and that does work.  Likewise, if I attempt to change it to port 9222, it works. 

Did something change?

bartjsmit

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #1 on: February 14, 2017, 12:14:25 pm »
Do you have Suricata configured?

Bart...

RickNY

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #2 on: February 14, 2017, 12:19:08 pm »
No, Suricata is not configured. It's a pretty vanilla setup with a few port forwarding rules, and a default outgoing LAN rule that allows all except for external DNS.

bartjsmit

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #3 on: February 14, 2017, 02:43:13 pm »
I've added 922 to sshd on a host here and I'm able to connect from the shell of my test OPNsense 17.1.1 VM just fine with: ssh user@<host IP> -p 922

There doesn't seem to be an intrinsic problem with 17.1.1 that is causing this.

Bart...

RickNY

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #4 on: February 14, 2017, 03:12:11 pm »
My thinking is that something got out of sorts during the upgrade process... Also, FWIW -- the admin SSH port on the firewall is also set to 922... I tried temporarily changing that, but 922 is still not making it out.

The one remote possibility is that Digital Ocean (my VPS provider) is blocking 922 from that specific IP address -- but I'm highly doubtful of that -- although I've opened up a ticket with them to confirm.


RickNY

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #5 on: February 14, 2017, 03:35:05 pm »
Additional information... Doing a packet capture on the WAN interface, the packets are not making it out of the WAN interface when attempting port 922.  If I change the port number to anything else, the outgoing attempt shows up in the capture.

RickNY

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #6 on: February 14, 2017, 03:49:55 pm »

Hmmm... I think I found something. My system isn't running 17.1. When I did the update from the web interface yesterday, it apparently updated to 17.7.a_28-amd64

How did that happen?

Edit: I just ran opnsense-update -t opnsense -- and that brought it back to 17.1.1. Not sure why it pulled the development version. The SSH outgoing to port 922 is still not working. FWIW -- attempting to SSH anywhere with port 922 is throwing the "Operation not permitted" error on the command line.
« Last Edit: February 14, 2017, 04:05:16 pm by RickNY »

bartjsmit

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #7 on: February 14, 2017, 04:12:56 pm »
Did you reboot after changing the SSH port back to 22?

Bart...

RickNY

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #8 on: February 14, 2017, 04:23:37 pm »
Yes, it's been rebooted since changing it.

Attempting to any host, with just that port -- fails:

root@firewall:~ # ssh -p 923 1.1.1.1 -vvvv
OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolving "1.1.1.1" port 923
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 1.1.1.1 [1.1.1.1] port 923.
^C
root@firewall:~ # ssh -p 922 1.1.1.1 -vvvv
OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolving "1.1.1.1" port 922
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 1.1.1.1 [1.1.1.1] port 922.
debug1: connect to address 1.1.1.1 port 922: Operation not permitted
ssh: connect to host 1.1.1.1 port 922: Operation not permitted

Any other port -- works.

RickNY

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #9 on: February 14, 2017, 04:37:50 pm »

OK.. Found it -- but not sure why it manifested itself as an issue just now.

I have 3 floating rules set up to allow incoming SSH access to the router. The first two rules are allow rules, allowing admin SSH connections from two specific IP addresses. The third rule was a block. The direction on that was set to "any". This had always been the case -- and it was not interfering with outgoing NAT connections to port 922 -- until I updated to 17.1.1.

So, changing the direction of the rule to "in" resolved this... So -- for curiosity's sake -- what changed in 17.1.1 that would have suddenly caused this rule to be processed properly? My guess is the order of NAT operations and when the filter rules get applied?

Thanks,
Rick

djGrrr

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #10 on: February 14, 2017, 06:37:30 pm »
17.1.1 fixed the "any" rules:

Quote from: 17.1.1 changelogs
firewall: direction "any" was not respected in floating rules

RickNY

Re: Cant SSH to remote site on alt port after 17.1.1
« Reply #11 on: February 14, 2017, 06:40:40 pm »
Ah... So my broken rule hasn't been working all this time. Glad it's been fixed.
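As an added illustration of the floating-rule problem Rick describes in Reply #9 and the changelog entry quoted in Reply #10, here is a hand-written pf.conf fragment approximating his three rules; it is not from the thread and not the ruleset OPNsense itself generates. The interface name, the two admin addresses and the macro names are assumptions, and the rule with no direction keyword is the pf equivalent of direction "any".

```pf
# Constructed example: three floating rules for admin SSH on port 922.
# Assumed names: $wan is the WAN interface, $admins the two permitted
# management addresses (documentation-range placeholders).
wan    = "em0"
admins = "{ 192.0.2.10, 198.51.100.20 }"

# Rules 1 and 2: allow admin SSH to the firewall itself from the two addresses.
pass in quick on $wan proto tcp from $admins to (self) port 922 keep state

# Rule 3 as originally configured, direction "any".
# With neither "in" nor "out", pf evaluates the rule on packets in both
# directions, so it also drops locally generated and NATed connections
# leaving $wan to port 922 on any remote host. On FreeBSD a locally
# originated packet dropped by pf surfaces to the application as EPERM,
# which is the "Operation not permitted" the ssh client printed.
# (Kept commented out so the fragment loads with only the corrected rule.)
#block quick proto tcp from any to any port 922

# Rule 3 corrected, direction "in".
# Inbound SSH attempts to port 922 that did not match rules 1 and 2 are
# still dropped; outbound connections to port 922 are no longer affected.
block in quick proto tcp from any to any port 922
```

Before 17.1.1 the first form behaved like the second because direction "any" was not honoured in floating rules; once it was fixed, the rule started matching outbound traffic as written, which is why the symptom appeared only after the upgrade.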
