On Oct 10, 2012, at 3:30 PM, Mark Andrews <ma...@isc.org> wrote: > > In message <pine.lnx.4.61.1210100920590.26...@soloth.lewis.org>, Jon Lewis > writ > es: >> I just spent a few minutes looking into this again, and figured out the >> problem. AT&T has apparently changed the way their CGN works. I use a >> form of port knocking to restrict access to SSHd from "foreign" networks. >> It used to work fine from my phone. Now, the port knocking request from >> the phone and the ssh connection are being NAT'd to different public IPs, >> so my system is allowing ssh access to one AT&T IP, and then the ssh >> connection comes from a nearby but different IP. > > Which is a badly designed CGN. I turns singly homed clients into > multi-homed client where the client has no control over the source > address selection. At least with real multi-homed clients they have > the ability to force source addresses to match. >
AT&T probably likes it for mobile, however, because it's about the easiest way possible to prevent data services from being successfully used for VOIP. Owen >> On Wed, 10 Oct 2012, Owen DeLong wrote: >> >>> The day before I left the US, it was still working on my iPad. >>> >>> Owen >>> >>> On Oct 8, 2012, at 5:20 AM, Jon Sands <fohdee...@gmail.com> wrote: >>> >>>> On 10/7/2012 9:22 PM, Jon Lewis wrote: >>>>> has anyone else noticed AT&T mobile is blocking ssh (outgoing 22/tcp) con >> nections? >>>> >>>> Not here, have an SSH session open on my phone on port 22 as we speak. I'm >> on an android on ATT's 3G network in central indiana, if that matters. >>>> >>>> -- >>>> Jon Sands >>>> Fohdeesha Media >>>> http://fohdeesha.com/ >>>> >>> >>> >>> >> >> ---------------------------------------------------------------------- >> Jon Lewis, MCP :) | I route >> Senior Network Engineer | therefore you are >> Atlantic Net | >> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ >> > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org