At 07:44 AM 2/14/03 -0500, John Mullan wrote:
[details deleted]
Hello folks.... A little pre-amble: When setting up my buddy's LEAF box, I made an exact copy of my LEAF setup, changing PPPoE user/password, some host names, and that was pretty much it. Everything works exactly like mine. Well, almost everything. While I can login to my LEAF box (over the internet) with SSH (TeraTermPro), I cannot with his. I keep getting "connection refused". I can do it within the internal net no problem (again, same as mine). What should I look for? Could there be something with the possibility of identical keys having copied my installation? I'm not familiar with how that part may or may not affect the situation.
Your guess about keys seems implausible. The fact that you can connect from the LAN side indicates that sshd (or inetd) is listening on port 22. And the bare "connection refused" message almost always means a failure before ssh authentication (I say "almost" because I haven't used TT in years, and it may be different from the Linux ssh client and PuTTY in how it reports authentication failures).
How are you determining the IP address to connect to? Since this problem is taking place in a setting of dynamic addressing (PPPoE), are you certain you are connecting to the right IP address?
The Shorewall rules you list look OK to me (and more important, Tom seems to think the relevant ones are OK). But the way to be sure is to run "shorewall status" *after* a connection failure to see if the packets are arriving and what rule is blocking them. Also check the logs for any messages from sshd after a failure (might there be a reverse-lookup problem? wild guess here).
Do you and your friend use the same ISP? I've never actually heard of an ISP who blocks ssh connections, but I no longer dismiss the possibility of ANY ISP action on the grounds that it is stupid or inconvenient for customers.
A final long shot ... where are you connecting *from*? Are you connecting to both your and your friend's router from the same location? If so, could there be anything about the source end that makes the two connections look different (I ask only because you mentioned in a followup that at work you have a restrictive firewall in place)? If not, could there be some difference of consequence between the two locations you try to connect from?
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
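Ray's advice above is to look, after a failed attempt, at whether the packets reach the firewall and which rule handles them, and then at sshd's own log messages. The following Python triage is an added example, not code from the original thread: it reads kernel firewall log lines and sshd messages for one client address and reports whether the attempt was rejected, dropped, not logged at all, or handed to sshd. It assumes Shorewall's default `Shorewall:<chain>:<disposition>:` log prefix and uses constructed sample syslog lines.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original message). The kernel lines use
# Shorewall's default "Shorewall:<chain>:<disposition>:" prefix, an assumption about the
# layout of the reader's own logs; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 14 07:40:01 leaf kernel: Shorewall:net2fw:REJECT:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN
Feb 14 07:40:03 leaf kernel: Shorewall:net2fw:REJECT:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=22 SYN
Feb 14 07:40:09 leaf kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=48 TTL=110 PROTO=TCP SPT=3345 DPT=445 SYN
Feb 14 07:40:12 leaf sshd[412]: Accepted password for root from 192.168.1.10 port 1031 ssh2
"""

FW_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):IN=(?P<iface>\S*) .*?"
                   r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")
SSHD_RE = re.compile(r" sshd\[\d+\]: (?P<msg>.*)$")

def firewall_hits(log_text, dport=22):
    """Count logged TCP packets to dport, keyed by (chain, disposition, in-interface, source).
    Only packets that matched a *logging* rule or policy appear here; silent rules do not."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m["proto"] == "TCP" and int(m["dpt"]) == dport:
            hits[(m["chain"], m["disp"], m["iface"], m["src"])] += 1
    return hits

def sshd_messages(log_text):
    """Return the message part of every sshd syslog line."""
    return [m["msg"] for m in map(SSHD_RE.search, log_text.splitlines()) if m]

def diagnose(log_text, client_ip, dport=22):
    """Classify one client's failed SSH attempt from the firewall host's logs.
    Returns (verdict, details). REJECT answers with a TCP reset, which the client reports as
    'connection refused'; DROP makes the client time out instead."""
    mine = {k: n for k, n in firewall_hits(log_text, dport).items() if k[3] == client_ip}
    if mine:
        dispositions = {k[1] for k in mine}
        return ("rejected" if "REJECT" in dispositions else "dropped", mine)
    reached = [msg for msg in sshd_messages(log_text) if client_ip in msg]
    if reached:
        return ("reached_sshd", reached)
    # Nothing logged for this source: the client may be dialling the wrong (dynamic) address,
    # or the packets are filtered upstream before they reach this box.
    return ("no_firewall_log", [])

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.44", "192.168.1.10"):
        print(ip, diagnose(SAMPLE_LOG, ip))
```

Point it at the real syslog (for example the file `/var/log/messages` on the LEAF box) instead of `SAMPLE_LOG` right after a failed connection, so the entries Ray asks about are the most recent ones.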
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
