Can't login using ssh; no password prompt

2005-11-18 Thread Mauricio Brunstein
Hi!

I've installed a new box with FreeBSD 6.0 (workbench) and can't login
to it by means of ssh from the internal or external network. The box
is installed from the release version, and worked fine using the
console. I also had accessed other hosts from there using ssh. I did
not patch the box in any way, it's just the 6.0 release version. I
cannot login to that box from a local OpenBSD 3.7 box, a 5.4 box (as
shown below) or using putty 0.57 from the Internet (the putty window
closes after some time without asking me for a password).

Anybody have an idea of what could be happening?

Thank you in advance,
Mauro

From a 5.4 box,

[EMAIL PROTECTED]:~ uname -a
FreeBSD Server.blstar 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #0: Sun
Oct 16 04:00:03 ART 2005 mauro@:/usr/obj/usr/src/sys/GENERIC  i386

I issue the following command:

[EMAIL PROTECTED]:~ ssh -vvv workbench
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to workbench.blstar [192.168.1.34] port 22.
debug1: Connection established.
debug1: identity file /home/mauro/.ssh/identity type -1
debug1: identity file /home/mauro/.ssh/id_rsa type -1
debug1: identity file /home/mauro/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_4.2p1 FreeBSD-20050903
debug1: match: OpenSSH_4.2p1 FreeBSD-20050903 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL
 PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL
 PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL
 PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL
 PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server-client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 536/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mauro/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'workbench.blstar' is known and matches the DSA host key.
debug1: Found key in /home/mauro/.ssh/known_hosts:3
debug2: bits set: 497/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mauro/.ssh/identity (0x0)
debug2: key: /home/mauro/.ssh/id_rsa (0x0)
debug2: key: /home/mauro/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying 

Re: Can't login using ssh; no password prompt

2005-11-18 Thread Mauricio Brunstein
Hi ben!

Thank you for your answer.

The resolv.conf file has this line:

nameserver 192.168.1.1

At this address there is an OpenBSD 3.7 firewall which is running a caching
DNS from my provider. When I was using older versions of ssh from the local
network I had to wait longer for the password prompt until I configured
the /etc/hosts file in the new box. But a situation like this one never
happened.

Thank you for all,
Mauro



On 11/18/05, Ben Pratt [EMAIL PROTECTED] wrote:
 I have seen this before and every time it turns out to be that DNS isn't
 working on the box. Please make sure that you are able to access a DNS
 server from the box by trying to ping google.com or something.

 Good luck,

 Ben

 Mauricio Brunstein wrote:
  Hi!
 
  I've installed a new box with FreeBSD 6.0 (workbench) and can't login
  to it by means of ssh from the internal or external network. The box
  is installed from the release version, and worked fine using the
  console. I also had accessed other hosts from there using ssh. I did
  not patch the box in any way, it's just the 6.0 release version. I
  cannot login to that box from a local OpenBSD 3.7 box, a 5.4 box (as
  shown below) or using putty 0.57 from the Internet (the putty window
  closes after some time without asking me for a password).
 
  Anybody have an idea of what could be happening?
 
  Thank you in advance,
  Mauro
 
  From a 5.4 box,
 
  [EMAIL PROTECTED]:~ uname -a
  FreeBSD Server.blstar 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #0: Sun
  Oct 16 04:00:03 ART 2005 mauro@:/usr/obj/usr/src/sys/GENERIC  i386
 
  I issue the following command:
 
  [EMAIL PROTECTED]:~ ssh -vvv workbench
  OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug2: ssh_connect: needpriv 0
  debug1: Connecting to workbench.blstar [192.168.1.34] port 22.
  debug1: Connection established.
  debug1: identity file /home/mauro/.ssh/identity type -1
  debug1: identity file /home/mauro/.ssh/id_rsa type -1
  debug1: identity file /home/mauro/.ssh/id_dsa type -1
  debug1: Remote protocol version 2.0, remote software version
  OpenSSH_4.2p1 FreeBSD-20050903
  debug1: match: OpenSSH_4.2p1 FreeBSD-20050903 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug2: kex_parse_kexinit:
  diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
  debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL
   PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL
   PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit: none,zlib
  debug2: kex_parse_kexinit: none,zlib
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit: first_kex_follows 0
  debug2: kex_parse_kexinit: reserved 0
  debug2: kex_parse_kexinit:
  diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
  debug2: kex_parse_kexinit: ssh-dss
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL
   PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL
   PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
  debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit: first_kex_follows 0
  debug2: kex_parse_kexinit: reserved 0
  debug2: mac_init: found hmac-md5
  debug1: kex: server-client aes128-cbc hmac-md5 none
  debug2: mac_init: found hmac-md5
  debug1: kex: client-server aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug2: dh_gen_key: priv key bits set: 129/256
  debug2: bits set: 536/1024
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug3: check_host_in_hostfile: filename /home/mauro/.ssh/known_hosts
  debug3: check_host_in_hostfile: match line 3
  debug1: Host 'workbench.blstar' is known and matches the DSA host key.
  debug1: Found key in /home/mauro/.ssh
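Added diagnostic, not part of this thread or of OpenSSH: the transcript above stops right after the client's first authentication attempt, which is what a server busy with something like a reverse DNS lookup looks like from the client side. The script below tracks an `ssh -vvv` transcript through the handshake stages and reports the last one reached, so a hang can be attributed to TCP, key exchange, host-key verification or the server's side of user authentication. The stage names, the `SshDiagnosis` type and the hint texts are this example's own; the sample transcript is an abridged copy of the one in the post above (with the wrapped version line rejoined); `UseDNS` is the standard sshd_config option for the reverse-lookup case and is not mentioned in the thread.

```python
"""Find where an `ssh -vvv` transcript stalls (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Handshake stages in protocol order; each is proven by one client debug line.
# Stage names are this example's own, not OpenSSH terms.
STAGES = [
    ("connect",  re.compile(r"^debug1: Connection established")),
    ("kex",      re.compile(r"^debug1: SSH2_MSG_KEXINIT received")),
    ("hostkey",  re.compile(r"^debug1: Host '.+' is known and matches")),
    ("newkeys",  re.compile(r"^debug1: SSH2_MSG_NEWKEYS received")),
    ("userauth", re.compile(r"^debug1: SSH2_MSG_SERVICE_ACCEPT received")),
    ("auth_try", re.compile(r"^debug1: Next authentication method: ")),
    ("prompt",   re.compile(r"[Pp]assword: *$")),
    ("session",  re.compile(r"^debug1: Authentication succeeded")),
]

# A defender's reading of a session that goes quiet after each stage.
HINTS = {
    "none": "no TCP connection: host down, wrong port, or a firewall dropping the SYN",
    "connect": "TCP open but no KEXINIT: nothing speaking SSH on that port, or the banner is blocked",
    "kex": "key exchange began but no host key arrived: algorithm mismatch or a middlebox",
    "hostkey": "host key verified but NEWKEYS missing: key derivation failed on one side",
    "userauth": "encrypted channel up; the ssh-userauth service request went unanswered",
    "auth_try": ("server accepted ssh-userauth but never answered the first method: "
                 "server-side blocking work, typically a reverse DNS lookup of the client "
                 "or a slow PAM/NSS backend; check resolution on the server or set "
                 "'UseDNS no' in sshd_config"),
    "prompt": "prompt reached; any stall now is after authentication (PAM session, shell)",
    "session": "authenticated; this is not a login problem",
}

VERSION_RE = re.compile(r"^debug1: Remote protocol version \S+, remote software version (.+)$")
METHODS_RE = re.compile(r"^debug1: Authentications that can continue: (.+)$")


@dataclass
class SshDiagnosis:
    stage: str                      # last stage the transcript proves
    server_version: Optional[str]   # banner the server sent, if seen
    auth_methods: List[str]         # methods the server offered, if seen
    hint: str


def diagnose(transcript: str) -> SshDiagnosis:
    """Walk the transcript once; the furthest stage seen wins."""
    reached = -1
    version: Optional[str] = None
    methods: List[str] = []
    for raw in transcript.splitlines():
        line = raw.strip()
        for idx, (_, pattern) in enumerate(STAGES):
            if pattern.search(line):
                reached = max(reached, idx)
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
        m = METHODS_RE.match(line)
        if m:
            methods = m.group(1).split(",")
    stage = STAGES[reached][0] if reached >= 0 else "none"
    return SshDiagnosis(stage, version, methods, HINTS[stage])


# Abridged copy of the transcript posted in this thread (constructed sample input;
# the wrapped "remote software version" line is rejoined as ssh prints it).
SAMPLE_TRANSCRIPT = """\
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Connecting to workbench.blstar [192.168.1.34] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: Host 'workbench.blstar' is known and matches the DSA host key.
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying
"""

if __name__ == "__main__":
    d = diagnose(SAMPLE_TRANSCRIPT)
    print(f"stage={d.stage} server={d.server_version} methods={','.join(d.auth_methods)}")
    print(d.hint)
```

Run it as a script to see the verdict for the sample, or feed the output of `ssh -vvv host 2>&1` to `diagnose()`. The transcript itself already tells a defender most of the story: key exchange finished, the host key in known_hosts matched, and the server offered `publickey,keyboard-interactive` (no plain `password` method), so the client is waiting on the server, not the other way round.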

Re: Re[6]: Can't access a box remotely

2005-01-20 Thread Mauricio Brunstein
Hexren:

Ok. From the logical point of view this is true. But when I put
router_enable=NO in rc.conf, the internal LAN and the box cannot be
reached anymore from the Internet. From the internal LAN I can always ssh
to the box regardless of this setting.


Thanks anyway!! Your help was very useful.

Sincerely,

Mauricio.


On Thu, 20 Jan 2005 00:48:18 +0100, Hexren [EMAIL PROTECTED] wrote:
 MB Hexren:
 
 MB Also I have another question:
 
 MB If you look at the handbook it states that if you use ppp, you need to
 MB put router_enable=NO in rc.conf, because if you enable routed, it
 MB can delete the routes added by ppp. The problem is that if I put
 MB router_enable=NO in rc.conf, I can't access my box from outside, and
 MB this time it is not a dyndns-related issue. I have no idea what
 MB could be the cause of this situation. Does it seem familiar to you???
 
 MB Thank you for all your help!!!
 
 MB Mauricio.
 
 -
 
 No it does not.
 In my experience just using 'gateway_enable=yes' is sufficient for
 bringing a private LAN online.
 
 Hexren
 

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Can't access a box remotely

2005-01-19 Thread Mauricio Brunstein
Hi to all!

I can't access a box from the internet using ssh. Also, the box is
configured as a gateway, and I can't access the redirected ports of
the computers in the internal network. Please help! I don't have any
idea of how to resolve this problem.

Thank you in advance,

Mauricio.


PS: Some additional data of interest:

server:~ $ uname -a
FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue
Nov 23 02:13:24 ART 2004
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICconALTQ  i386
server:~ $

server:~ $ sudo cat /etc/ppp/ppp.conf
default:
 set log Phase Chat IPCP CCP tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255

my_isp:
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set ctsrts off
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname x
 set authkey yy
 add default HISADDR
# enable lqr
 disable ipv6cp
# set lqrperiod 5
 enable dns
server:~ $

server:~ $ sudo cat /etc/rc.conf

# -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
# Created: Sun Nov 21 13:07:41 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname=server.estudio
netd_enable=YES
saver=dragon
scrnmap=NO
sshd_enable=YES
sshd_flags=-4 -p 222
usbd_enable=YES
network_interfaces=lo0 rl0 fxp0 tun0
ifconfig_tun0= 
ifconfig_rl0=inet 192.168.2.1  netmask 255.255.255.0
ifconfig_fxp0=media 10baseT/UTP up

ppp_enable=YES
ppp_mode=ddial
ppp_nat=YES
ppp_profile=my_isp

router_enable=YES
gateway_enable=YES  # Set to YES if this host will be a gateway
pf_enable=YES # Enable PF (load module if required)
pf_rules=/etc/pf.conf # rules definition file for pf
pf_flags=-d # additional flags for pfctl startup
#pflog_enable=YES  # start pflogd(8)
#pflog_logfile=/var/log/pflog  # where pflogd should store the logfile
#pflog_flags=  # additional flags for pflogd startup

inetd_enable=YES   # Run the network daemon dispatcher (YES/NO).
inetd_program=/usr/sbin/inetd # path to inetd, if you want a different one.
inetd_flags=-wW -C 60 # Optional flags to inetd

#nmbd_enable=YES
#smbd_enable=YES
#winbindd_enable=YES


#
# named.  It may be possible to run named in a sandbox, man security for
# details.
#
named_enable=YES   # Run named, the DNS server (or NO).
named_program=/usr/sbin/named # path to named, if you want a different one.
named_flags=-u bind   # Flags for named
named_pidfile=/var/run/named/pid # Must set this in named.conf as well
named_chrootdir=/var/named# Chroot directory (or  not to auto-chroot it)
named_chroot_autoupdate=YES   # Automatically install/update chrooted
# components of named. See /etc/rc.d/named.
named_symlink_enable=YES  # Symlink the chrooted pid file
server:~ $

server:~ $ netstat -an|grep LISTEN
tcp4   0  0  *.8021 *.*LISTEN
tcp4   0  0  *.901  *.*LISTEN
tcp4   0  0  *.22   *.*LISTEN
tcp4   0  0  *.21   *.*LISTEN
tcp4   0  0  127.0.0.1.25   *.*LISTEN
tcp4   0  0  *.222  *.*LISTEN
tcp6   0  0  ::1.953*.*LISTEN
tcp4   0  0  127.0.0.1.953  *.*LISTEN
tcp4   0  0  127.0.0.1.53   *.*LISTEN
tcp4   0  0  192.168.2.1.53 *.*LISTEN
server:~ $


Re: Can't access a box remotely

2005-01-19 Thread Mauricio Brunstein
Hexren:

Thank you for answering so quickly. I discovered that the problem is that
ppp is using tun1 in place of tun0, and I am using a dyndns daemon that
is configured to update the IP address of tun0 (this is the interface
that I want to use). Why is ppp using tun0??? I guess that something
could be wrong in rc.conf. If I do an ssh to the IP address of tun1,
I can connect normally.

Here is the output of ifconfig:

server:~ $ ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::208:54ff:fe1d:8be5%rl0 prefixlen 64 scopeid 0x1
ether 00:08:54:1d:8b:e5
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::211:11ff:fe85:efa8%fxp0 prefixlen 64 scopeid 0x2
ether 00:11:11:85:ef:a8
media: Ethernet 10baseT/UTP
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
Opened by PID 212
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet 200.127.126.73 --> 200.32.0.42 netmask 0xffffffff
Opened by PID 230
pflog0: flags=0<> mtu 33208

Thank you for all!!!

Mauricio

On Wed, 19 Jan 2005 22:22:33 +0100, Hexren [EMAIL PROTECTED] wrote:
 Hi to all!
 
 I can´t access to a box from the internet, using ssh.
 
 -
 
 Please specify your problem.
 
 Do you have IP connectivity ? (Do a ping 216.136.204.117 from the
 machine of which you are showing logs here)
 
 Do you have DNS (Do a ping www.freebsd.org )
 
 Which error is given out when you try to ssh in from the internet. (try
 ssh -v or ssh -vv)
 
 Hexren
 



Re: Re[2]: Can't access a box remotely

2005-01-19 Thread Mauricio Brunstein
Hexren:

The process with PID 212 is ppp:

server:~ $ ps auxw|grep 212   
  root212  0.0  0.8  3240 2112  ??  Ss5:53PM   0:00.43 ppp
-ddial default
mauro   687  0.0  0.4  1472  892  p0  S+6:48PM   0:00.00 grep 212
server:~ $

My rc.conf has references to tun0:

server:~ $ sudo cat /etc/rc.conf

# -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
# Created: Sun Nov 21 13:07:41 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#
##

hostname=server.estudio
netd_enable=YES
saver=dragon
scrnmap=NO
sshd_enable=YES
sshd_flags=-4 -p 222
usbd_enable=YES
network_interfaces=lo0 rl0 fxp0 tun0
#network_interfaces=lo0 rl0 fxp0
ifconfig_tun0= 
ifconfig_rl0=inet 192.168.2.1  netmask 255.255.255.0
ifconfig_fxp0=media 10baseT/UTP up

ppp_enable=YES
ppp_mode=ddial
ppp_nat=YES
ppp_profile=my_isp

router_enable=YES
gateway_enable=YES  # Set to YES if this host will be a gateway

pf_enable=YES # Enable PF (load module if required)
pf_rules=/etc/pf.conf # rules definition file for pf
pf_flags=-d # additional flags for pfctl startup
#pflog_enable=YES  # start pflogd(8)
#pflog_logfile=/var/log/pflog  # where pflogd should store the logfile
#pflog_flags=  # additional flags for pflogd startup

inetd_enable=YES   # Run the network daemon dispatcher (YES/NO).
inetd_program=/usr/sbin/inetd # path to inetd, if you want a different one.
inetd_flags=-wW -C 60 # Optional flags to inetd

#nmbd_enable=YES
#smbd_enable=YES
#winbindd_enable=YES

named_enable=YES   # Run named, the DNS server (or NO).
named_program=/usr/sbin/named # path to named, if you want a different one.
named_flags=-u bind   # Flags for named
named_pidfile=/var/run/named/pid # Must set this in named.conf as well
named_chrootdir=/var/named# Chroot directory (or  not to auto-chroot it)
named_chroot_autoupdate=YES   # Automatically install/update chrooted
# components of named. See /etc/rc.d/named.
named_symlink_enable=YES  # Symlink the chrooted pid file
server:~ $


Thank you again,

Mauricio.


On Wed, 19 Jan 2005 22:44:04 +0100, Hexren [EMAIL PROTECTED] wrote:
 MB Hexren:
 
 MB Thank you for answering so quickly. I discovered that the problem is that
 MB ppp is using tun1 in place of tun0, and I am using a dyndns daemon that
 MB is configured to update the IP address of tun0 (this is the interface
 MB that I want to use). Why is ppp using tun0??? I guess that something
 MB could be wrong in rc.conf. If I do an ssh to the IP address of tun1,
 MB I can connect normally.
 
 MB Here is the output of ifconfig:
 
 MB server:~ $ ifconfig
 MB rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 MB options=8<VLAN_MTU>
 MB inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
 MB inet6 fe80::208:54ff:fe1d:8be5%rl0 prefixlen 64 scopeid 0x1
 MB ether 00:08:54:1d:8b:e5
 MB media: Ethernet autoselect (100baseTX <full-duplex>)
 MB status: active
 MB fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 MB options=8<VLAN_MTU>
 MB inet6 fe80::211:11ff:fe85:efa8%fxp0 prefixlen 64 scopeid 0x2
 MB ether 00:11:11:85:ef:a8
 MB media: Ethernet 10baseT/UTP
 MB status: active
 MB plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
 MB lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 MB inet 127.0.0.1 netmask 0xff000000
 MB inet6 ::1 prefixlen 128
 MB inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
 MB tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
 MB Opened by PID 212
 MB tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
 MB inet 200.127.126.73 --> 200.32.0.42 netmask 0xffffffff
 MB Opened by PID 230
 MB pflog0: flags=0<> mtu 33208
 
 MB Thank you for all!!!
 
 MB Mauricio
 
 MB On Wed, 19 Jan 2005 22:22:33 +0100, Hexren [EMAIL PROTECTED] wrote:
  Hi to all!
 
  I can´t access to a box from the internet, using ssh.
 
  -
 
  Please specify your problem.
 
  Do you have IP connectivity ? (Do a ping 216.136.204.117 from the
  machine of which you are showing logs here)
 
  Do you have DNS (Do a ping www.freebsd.org )
 
  Which error is given out when you try to ssh in from the internet. (try
  ssh -v or ssh -vv)
 
  Hexren
 
 
 
 
 -
 
 Wild guessing here:
 Maybe the interface tun0 gets created when it is first called by
 something referring to rc.conf. (It is in there isn't it ?). When ppp
 then fires up it creates its own tun device, taking the next free
 name which is tun1 as tun0 already exists and ppp can't know if it is
 used 

Re: Re[4]: Can't access a box remotely

2005-01-19 Thread Mauricio Brunstein
Hexren:

Why do you say:

 As a quick workaround: In your ppp.conf delete the default profile and
 rename your profile default. The remove the 'ppp_profile=my_isp'
 line from your rc.conf.

I actually want to dial to my_isp from rc.conf. If I delete the
default profile, then do I need to copy those 2 lines in that profile
to the my_isp profile?

Thank you again,

Mauricio 

PS: This is my ppp.conf:

server:~ $ sudo cat /etc/ppp/ppp.conf
default:
 set log Phase Chat IPCP CCP tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255

my_isp:
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set ctsrts off
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname 
 set authkey y
 add default HISADDR
# enable lqr
 disable ipv6cp
# set lqrperiod 5
 enable dns
server:~ $

 



On Wed, 19 Jan 2005 23:02:26 +0100, Hexren [EMAIL PROTECTED] wrote:
 MB Hexren:
 
 MB The pocess of PID 212 is ppp:
 
 MB server:~ $ ps auxw|grep 212
 MB   root212  0.0  0.8  3240 2112  ??  Ss5:53PM   0:00.43 ppp
 MB -ddial default
 MB mauro   687  0.0  0.4  1472  892  p0  S+6:48PM   0:00.00 grep 212
 MB server:~ $
 
 
 
  -
 
  Wild guessing here:
  Maybe the interface tun0 gets created when it is first called by
  something referring to rc.conf. (It is in there isn't it ?). When ppp
  then fires up it creates its own tun device, taking the next free
  name which is tun1 as tun0 already exists and ppp can't know if it is
  used by something else.
  Try removing all references to tun0 from /etc/rc.conf
 
  Keep in mind that this is only a guess.
  Also look at what hides behind PID 212. You can see in the output you
  provided that tun0 was created by that PID.
 
  Hexren
 
 
 
 -
 
 It is not the reference.
 When ppp is started it first tries to dial in using the profile named
 default.
 root 212 <snipped> ppp -ddial <look here>default<look here>
 
 As a quick workaround: In your ppp.conf delete the default profile and
 rename your profile default. Then remove the 'ppp_profile=my_isp'
 line from your rc.conf.
 
 I am pretty sure there is a cleaner way to do this. But unfortunately
 I am unaware of it.
 
 Hexren



Re: Re[4]: Can't access a box remotely

2005-01-19 Thread Mauricio Brunstein
Hexren:

Also I have another question:

If you look at the handbook it states that if you use ppp, you need to
put router_enable=NO in rc.conf, because if you enable routed, it
can delete the routes added by ppp. The problem is that if I put
router_enable=NO in rc.conf, I can't access my box from outside, and
this time it is not a dyndns-related issue. I have no idea what
could be the cause of this situation. Does it seem familiar to you???

Thank you for all your help!!!

Mauricio.


On Wed, 19 Jan 2005 19:29:48 -0300, Mauricio Brunstein
[EMAIL PROTECTED] wrote:
 Hexren:
 
 Why do you say:
 
  As a quick workaround: In your ppp.conf delete the default profile and
  rename your profile default. Then remove the 'ppp_profile=my_isp'
  line from your rc.conf.
 
 I actually want to dial to my_isp from rc.conf. If I delete the
 default profile, then do I need to copy those 2 lines in that profile
 to the my_isp profile?
 
 Thank you again,
 
 Mauricio
 
 PS: This is my ppp.conf:
 
 server:~ $ sudo cat /etc/ppp/ppp.conf
 default:
 set log Phase Chat IPCP CCP tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255
 
 my_isp:
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set ctsrts off
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname 
 set authkey y
 add default HISADDR
 # enable lqr
 disable ipv6cp
 # set lqrperiod 5
 enable dns
 server:~ $
 
 On Wed, 19 Jan 2005 23:02:26 +0100, Hexren [EMAIL PROTECTED] wrote:
  MB Hexren:
 
  MB The pocess of PID 212 is ppp:
 
  MB server:~ $ ps auxw|grep 212
  MB   root212  0.0  0.8  3240 2112  ??  Ss5:53PM   0:00.43 ppp
  MB -ddial default
  MB mauro   687  0.0  0.4  1472  892  p0  S+6:48PM   0:00.00 grep 212
  MB server:~ $
 
 
  
   -
  
   Wild guessing here:
   Maybe the interface tun0 gets created when it is first called by
   something referring to rc.conf. (It is in there isn't it ?). When ppp
   then fires up it creates its own tun device, taking the next free
   name which is tun1 as tun0 already exists and ppp can't know if it is
   used by something else.
   Try removing all references to tun0 from /etc/rc.conf
  
   Keep in mind that this is only a guess.
   Also look at what hides behind PID 212. You can see in the output you
   provided that tun0 was created by that PID.
  
   Hexren
  
  
 
  -
 
  It is not the reference.
  When ppp is started it first tries to dial in using the profile named
  default.
  root 212 <snipped> ppp -ddial <look here>default<look here>
 
  As a quick workaround: In your ppp.conf delete the default profile and
  rename your profile default. Then remove the 'ppp_profile=my_isp'
  line from your rc.conf.
 
  I am pretty sure there is a cleaner way to do this. But unfortunately
  I am unaware of it.
 
  Hexren
 

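Added example, written for this page and not taken from the thread or from FreeBSD: a small linter for the rc.conf listings posted in these messages. It encodes the interactions the thread turns on: a static `tunN` in `network_interfaces` while `ppp_enable=YES` (Hexren's reading of why ppp ended up on tun1 while tun0 was held by another process), `router_enable=YES` alongside ppp (the handbook warning about routed removing ppp's routes; packet forwarding itself only needs `gateway_enable=YES`), and, visible in the listings but not discussed, `pf_flags=-d`, which hands pfctl its "disable the packet filter" switch. The parser, the finding codes and the sample rc.conf (a constructed abridgement of the one posted, with the quotes rc.conf requires restored) are this example's own.

```python
"""Lint an rc.conf for the ppp/routed/pf interactions discussed in this thread
(added example; not FreeBSD's or the thread's own code)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (code, explanation); the codes are this example's own


def parse_rc_conf(text: str) -> Dict[str, str]:
    """Read key=value lines of an rc.conf-style file, dropping comments and quotes."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # rc.conf values do not carry '#'
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def is_yes(conf: Dict[str, str], key: str) -> bool:
    return conf.get(key, "NO").strip().upper() == "YES"


def lint_rc_conf(conf: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []

    # 1. A static tunN in network_interfaces while rc also starts ppp: whatever
    #    opens the listed unit first holds it and ppp takes the next free one
    #    (the thread's explanation for tun0 held by PID 212 and ppp on tun1).
    static_tuns = [i for i in conf.get("network_interfaces", "").split()
                   if re.fullmatch(r"tun\d+", i)]
    if is_yes(conf, "ppp_enable") and static_tuns:
        findings.append(("PPP_STATIC_TUN",
            f"network_interfaces lists {', '.join(static_tuns)} with ppp_enable=YES; "
            "ppp will come up on a different tun unit, and anything bound to the "
            "listed name (dyndns client, pf rules) watches the wrong interface"))

    # 2. router_enable starts routed, which the handbook warns can delete the
    #    routes ppp adds. Forwarding for a LAN gateway needs only gateway_enable.
    if is_yes(conf, "ppp_enable") and is_yes(conf, "router_enable"):
        findings.append(("PPP_ROUTED",
            "router_enable=YES runs routed next to ppp; routed can drop ppp's "
            "default route, and forwarding only requires gateway_enable=YES"))

    # 3. pfctl -d means "disable the packet filter"; passing it through pf_flags
    #    conflicts with pf_enable. Verify the live state with 'pfctl -s info'.
    if is_yes(conf, "pf_enable") and "-d" in conf.get("pf_flags", "").split():
        findings.append(("PF_DISABLE_FLAG",
            "pf_flags passes -d (disable the packet filter) to pfctl; check that "
            "'pfctl -s info' reports Status: Enabled"))

    # 4. A non-default sshd port is fine, but every port forward, pf rule and
    #    client must agree on it.
    m = re.search(r"-p\s*(\d+)", conf.get("sshd_flags", ""))
    if m and m.group(1) != "22":
        findings.append(("SSHD_PORT",
            f"sshd listens on port {m.group(1)} (sshd_flags); port forwards, pf "
            "rules and clients must use that port, not 22"))
    return findings


# Constructed sample modelled on the rc.conf posted in this thread.
SAMPLE_RC_CONF = """\
# constructed sample, abridged from the thread's rc.conf
hostname="server.estudio"
sshd_enable="YES"
sshd_flags="-4 -p 222"
network_interfaces="lo0 rl0 fxp0 tun0"
ifconfig_tun0=""
ifconfig_rl0="inet 192.168.2.1  netmask 255.255.255.0"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="my_isp"
router_enable="YES"
gateway_enable="YES"  # Set to YES if this host will be a gateway
pf_enable="YES"       # Enable PF (load module if required)
pf_rules="/etc/pf.conf"
pf_flags="-d"         # additional flags for pfctl startup
"""

if __name__ == "__main__":
    for code, text in lint_rc_conf(parse_rc_conf(SAMPLE_RC_CONF)):
        print(f"{code}: {text}")
```

Point it at a real file with `lint_rc_conf(parse_rc_conf(open("/etc/rc.conf").read()))`. The first three findings correspond to the changes the thread converges on (drop the static tun0, rely on gateway_enable rather than router_enable, and double-check the pf flags); the fourth is only a reminder that the non-standard sshd port has to be reflected in the pf rules and any port forward.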


Re: Strange behavior of ppp, pf and altq on FreeBSD 5.3

2004-12-14 Thread Mauricio Brunstein
Hi!

It's me again: the workaround for the first problem does not always work,
only sometimes.

I hope that somebody could help!

Regards,

Mauricio.


On Mon, 13 Dec 2004 21:30:49 -0300, Mauricio Brunstein
[EMAIL PROTECTED] wrote:
 Please help!
 
 I am new to FreeBSD, and UNIX in general, but from the beginning I'm
 fascinated. I have configured a FreeBSD 5.3 machine to be the
 Firewall/gateway of 8 windows PC's. The machine has 2 interfaces: one
 (fxp0) is connected to the ADSL modem and the other (rl0) is
 connected to a switch where the windows boxes are connected too. The
 first problem is that sometimes, when ppp redials to the pppoe Internet
 provider, I can use the Internet from the FreeBSD machine, but not from
 the internal network. I have found a workaround to this problem:
 
 server:~ $ cat /etc/ppp/ppp.linkup
 default:
 ! pfctl -F all -f /etc/pf.conf  /usr/local/etc/ez-ipupdate.conf
 -
 Refreshing the pf rules, the nat appears to work again, after a connection 
 drop.
 
 The problem that I can't solve is the following:
 
 The FreeBSD manual states that one must use router_enable=NO in
 rc.conf, to keep routed from deleting the routes added by ppp. If I do
 this, I can't have access to the box from outside using ssh.
 
 For reference I added the content of the following files:
 
 /etc/rc.conf
 /etc/start_if.tun0
 /etc/ppp/ppp.conf
 /etc/pf.conf
 /root/kernels/GENERICconALTQ # the kernel config file
 dmesg
 
 Thank you very much!!!
 
 -
 server:~ $ cat /etc/rc.conf
 
 # -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
 # Created: Sun Nov 21 13:07:41 2004
 # Enable network daemons for user convenience.
 # Please make all changes to this file, not to /etc/defaults/rc.conf.
 # This file now contains just the overrides from /etc/defaults/rc.conf.
 
 hostname=server.estudio
 ifconfig_rl0=inet 192.168.2.1  netmask 255.255.255.0
 netd_enable=YES
 saver=dragon
 scrnmap=NO
 sshd_enable=YES
 sshd_flags=-4 -p 222
 usbd_enable=YES
 network_interfaces=lo0 tun0 rl0
 ifconfig_tun0=
 #router_enable=NO
 router_enable=YES
 gateway_enable=YES  # Set to YES if this host will be a gateway
 pf_enable=YES # Enable PF (load module if required)
 pf_rules=/etc/pf.conf # rules definition file for pf
 pf_flags= # additional flags for pfctl startup
 #pflog_enable=YES  # start pflogd(8)
 #pflog_logfile=/var/log/pflog  # where pflogd should store the logfile
 #pflog_flags=  # additional flags for pflogd startup
 inetd_enable=YES   # Run the network daemon dispatcher (YES/NO).
 inetd_program=/usr/sbin/inetd # path to inetd, if you want a different one.
 inetd_flags=-wW -C 60 # Optional flags to inetd
 #nmbd_enable=YES
 #smbd_enable=YES
 #winbindd_enable=YES
 named_enable=YES   # Run named, the DNS server (or NO).
 named_program=/usr/sbin/named # path to named, if you want a different one.
 named_flags=-u bind   # Flags for named
 named_pidfile=/var/run/named/pid # Must set this in named.conf as well
 named_chrootdir=/var/named# Chroot directory (or  not to auto-chroot 
 it)
 named_chroot_autoupdate=YES   # Automatically install/update chrooted
  # components of named. See /etc/rc.d/named.
 named_symlink_enable=YES  # Symlink the chrooted pid file
 
 ---
 
 server:~ $ uname -a
 FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue
 Nov 23 02:13:24 ART 2004
 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICconALTQ  i386
 
 
 
 server:~ $ cat /etc/start_if.tun0
 ppp -ddial default  /usr/local/etc/ez-ipupdate.conf
 
 ---
 
 server:~ $ sudo cat /etc/ppp/ppp.conf
 default:
 set log Phase Chat IPCP CCP tun command
 # set log Phase Chat LCP IPCP CCP tun command
 # nat enable yes
 # nat same_ports yes
 # nat use_sockets yes
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname xx
 set authkey yy
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255
 
 add default HISADDR
 # enable lqr
 disable ipv6cp
 # set lqrperiod 25
 enable dns
 
 
 
 server:~ $ cat /etc/pf.conf
 
 ## Macros
 
 NoRoute = { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }
 
 ## Tables
 
 # Options
 
 #set optimization aggressive
 set debug loud
 
 # Normalization
 
 #scrub in on tun0 all random-id no-df
 scrub in on tun0 all
 
 #  Queueing
 
 altq on tun0 priq bandwidth 100Kb queue { q_pri, q_def, q_med }
 queue q_pri priority 7
 queue q_med priority 3
 queue q_def

Strange behavior using ppp, pf and altq on FreeBSD 5.3

2004-12-13 Thread Mauricio Brunstein
Please help!

I am new to FreeBSD, and UNIX in general, but from the beginning I'm
fascinated. I have configured a FreeBSD 5.3 machine to be the
Firewall/gateway of 8 windows PC's. The machine has 2 interfaces: one
(fxp0) is connected to the ADSL modem and the other (rl0) is
connected to a switch where the windows boxes are connected too. The
first problem is that sometimes, when ppp redials to the pppoe Internet
provider, I can use the Internet from the FreeBSD machine, but not from
the internal network. I have found a workaround to this problem:

server:~ $ cat /etc/ppp/ppp.linkup
default:
 # the operator between the two commands did not survive the archive; "&&" assumed
 ! pfctl -F all -f /etc/pf.conf && /usr/local/etc/ez-ipupdate.conf
-
After refreshing the pf rules, NAT appears to work again after a connection drop.


The problem that I can't solve is the following:

The FreeBSD Handbook states that one must set router_enable=NO in
rc.conf, to keep routed from deleting the routes added by ppp. If I do
this, I can't access the box from outside using ssh.

For reference I added the content of the following files:

/etc/rc.conf
/etc/start_if.tun0
/etc/ppp/ppp.conf
/etc/pf.conf
/root/kernels/GENERICconALTQ # the kernel config file
dmesg


Thank you very much!!!




-
server:~ $ cat /etc/rc.conf

# -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
# Created: Sun Nov 21 13:07:41 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

hostname="server.estudio"
ifconfig_rl0="inet 192.168.2.1  netmask 255.255.255.0"
netd_enable="YES"
saver="dragon"
scrnmap="NO"
sshd_enable="YES"
sshd_flags="-4 -p 222"
usbd_enable="YES"
network_interfaces="lo0 tun0 rl0"
ifconfig_tun0=""
#router_enable="NO"
router_enable="YES"
gateway_enable="YES"        # Set to YES if this host will be a gateway
pf_enable="YES"             # Enable PF (load module if required)
pf_rules="/etc/pf.conf"     # rules definition file for pf
pf_flags=""                 # additional flags for pfctl startup
#pflog_enable="YES"         # start pflogd(8)
#pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
#pflog_flags=""             # additional flags for pflogd startup
inetd_enable="YES"          # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd"  # path to inetd, if you want a different one.
inetd_flags="-wW -C 60"     # Optional flags to inetd
#nmbd_enable="YES"
#smbd_enable="YES"
#winbindd_enable="YES"
named_enable="YES"          # Run named, the DNS server (or NO).
named_program="/usr/sbin/named"  # path to named, if you want a different one.
named_flags="-u bind"       # Flags for named
named_pidfile="/var/run/named/pid"  # Must set this in named.conf as well
named_chrootdir="/var/named"        # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES"       # Automatically install/update chrooted
                                    # components of named. See /etc/rc.d/named.
named_symlink_enable="YES"          # Symlink the chrooted pid file

---

server:~ $ uname -a
FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue Nov 23 02:13:24 ART 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICconALTQ  i386



server:~ $ cat /etc/start_if.tun0
# the operator between the two commands did not survive the archive; "&&" assumed
ppp -ddial default && /usr/local/etc/ez-ipupdate.conf

---

server:~ $ sudo cat /etc/ppp/ppp.conf
default:
 set log Phase Chat IPCP CCP tun command
 # set log Phase Chat LCP IPCP CCP tun command
 # nat enable yes
 # nat same_ports yes
 # nat use_sockets yes
 set device PPPoE:fxp0 # replace fxp0 with your Ethernet device
 set mtu 1492
 set mru 1492
 enable mssfixup
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname xx
 set authkey yy
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255

 add default HISADDR
 # enable lqr
 disable ipv6cp
 # set lqrperiod 25
 enable dns



server:~ $ cat /etc/pf.conf

## Macros

NoRoute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

## Tables

# Options

#set optimization aggressive
set debug loud

# Normalization

#scrub in on tun0 all random-id no-df
scrub in on tun0 all

#  Queueing

altq on tun0 priq bandwidth 100Kb queue { q_pri, q_def, q_med }
queue q_pri priority 7
queue q_med priority 3
queue q_def priority 1 priq(default)

## nat

# General:
nat on tun0 from 192.168.2.0/24 to any -> (tun0)
rdr on rl0 proto udp from any to 192.168.2.1/32 port 53 -> 200.42.0.109 port 53

# FTP and HTTP server on the internal network:
#rdr on tun0 proto tcp from any to (tun0)/32 port 21 -> 192.168.2.33 port 21
#rdr on tun0 proto tcp from any to (tun0)/32 port 80 -> 192.168.2.33 

Re: just a couple quick pf/nat questions

2004-12-13 Thread Mauricio Brunstein
> And are there any pf config generation pages out there yet?

Look at this:

http://www.onlamp.com/pub/a/bsd/2003/06/26/ssn_openbsd.html?page=1

Regards,

Mauricio
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Can't reach a FreeBSD 5.3 machine through a ppp connection

2004-11-24 Thread Mauricio Brunstein
 
Hi!

I'm installing a machine that will be a firewall and a Samba server for a 4
person office. The machine has 2 NICs and connects to the Internet
using PPPoE. It is using pf and ALTQ. Initially there were problems
establishing the PPPoE connection in the office, using the same ppp.conf that
previously worked in my lab (only changing the username/password). Here is my
ppp.conf file:

server:~ $ sudo cat /etc/ppp/ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device PPPoE:fxp0
 set mtu 1492
 set mru 1492
 enable mssfixup
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname x
 set authkey x
 add default HISADDR
 enable lqr
 set lqrperiod 25
 enable dns

I got some messages in ppp.log like this one:

Nov 23 15:00:35 server ppp[533]: tun0: LCP: deflink: -- Protocol 0x8057 (Internet Protocol V6 Control Protocol) was rejected!
Nov 23 15:00:41 server ppp[533]: tun0: Phase: deflink: IPV6CP protocol reject closes IPV6CP !

After that I added "disable ipv6cp", and commented out "enable lqr" and
"set lqrperiod 25", and the connection didn't drop anymore. It seems that
this provider doesn't support LQR.

It appeared that everything was working fine, but when I tried to use ssh to
log in to this box from outside it was not possible. Some time after issuing
the ssh command, I get the following error:
ssh: connect to host dsuaya.ath.cx port 22: Operation timed out.

After some tests, I discovered that changing router_enable to YES in the
/etc/rc.conf  solved the problem. 

But section 21.2.1.5 Final System Configuration of the FreeBSD
Handbook states:

  Make sure the router program is set to NO with the following line in your
  /etc/rc.conf:
  router_enable="NO"
  It is important that the routed daemon is not started (it is by default), as
  routed tends to delete the default routing table entries created by ppp.

So, is there another way to resolve this? Note that I'm always able to
establish connections from this box to a host on the Internet, but I can't
establish a connection from that host to this one if router_enable=NO.

Thanks in advance,

Mauricio.

Some data of interest:

server:~ $ uname -a
FreeBSD server.estudio 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Tue Nov 23 02:13:24 ART 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERICWALTQ  i386
server:~ $


server:~ $ cat /etc/rc.conf
# -- sysinstall generated deltas -- # Sun Nov 21 13:07:41 2004
# Created: Sun Nov 21 13:07:41 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#
hostname="server.estudio"
ifconfig_rl0="inet 192.168.2.1  netmask 255.255.255.0"
netd_enable="YES"
saver="dragon"
scrnmap="NO"
sshd_enable="YES"
sshd_flags="-4 -p 22"
usbd_enable="YES"
network_interfaces="lo0 tun0 rl0"
ifconfig_tun0=""
router_enable="YES"         # remember to disable this!
#router_enable="NO"         # Set to YES to enable a routing daemon.
router="/sbin/routed"       # Name of routing daemon to use if enabled.
router_flags="-q"           # Flags for routing daemon.

gateway_enable="YES"        # Set to YES if this host will be a gateway
pf_enable="YES"             # Enable PF (load module if required)
pf_rules="/etc/pf.conf"     # rules definition file for pf
pf_flags=""                 # additional flags for pfctl startup
#pflog_enable="YES"         # start pflogd(8)
#pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
#pflog_flags=""             # additional flags for pflogd startup

inetd_enable="YES"          # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd"  # path to inetd, if you want a different one.
inetd_flags="-wW -C 60"     # Optional flags to inetd

server:~ $

server:~ $ cat /etc/start_if.tun0
ppp -ddial default; /usr/local/etc/ez-ipupdate.conf


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

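Both the "Strange behavior" and the "Can't reach" posts above come down to the same two settings: router_enable left at YES on a ppp gateway, and a pf.conf that carries nat/rdr rules but no pass/block rules at all, so the only thing between the Internet side of tun0 and sshd is address rewriting (pf's implicit policy when no rule matches is pass). The script below is an added example, not code from the posts or from FreeBSD: it reads rc.conf-style files without sourcing them (sourcing rc.conf executes it) and reports those two conditions. The sample rc.conf and pf.conf it checks are constructed, trimmed copies of the posted ones with the quotes and "->" restored; the suggested block/pass rules in its output are the editor's, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original posts: an offline audit of an rc.conf
# and a pf.conf for the two conditions discussed in the threads.
#   rc_get         value of one rc.conf variable, without sourcing the file
#   pf_has_filter  does a pf.conf contain any uncommented pass/block rule?
#   audit_gateway  one finding per line for the combination found above

# Constructed sample rc.conf (assumption: quotes as sysinstall writes them).
RC_SAMPLE=$(mktemp)
PF_SAMPLE=$(mktemp)
trap 'rm -f "$RC_SAMPLE" "$PF_SAMPLE"' EXIT
cat >"$RC_SAMPLE" <<'EOF'
hostname="server.estudio"
ifconfig_rl0="inet 192.168.2.1  netmask 255.255.255.0"
sshd_enable="YES"
sshd_flags="-4 -p 222"
network_interfaces="lo0 tun0 rl0"
ifconfig_tun0=""
router_enable="YES"      # remember to disable this!
router="/sbin/routed"
router_flags="-q"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
EOF

# Constructed sample pf.conf: the posted nat/rdr lines and nothing else.
cat >"$PF_SAMPLE" <<'EOF'
scrub in on tun0 all
nat on tun0 from 192.168.2.0/24 to any -> (tun0)
rdr on rl0 proto udp from any to 192.168.2.1/32 port 53 -> 200.42.0.109 port 53
EOF

# rc_get FILE VAR: print VAR's value with the surrounding quotes and any
# trailing comment removed. The last assignment wins, as it would when sh
# sources the file. A '#' inside a quoted value is not handled.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" \
      | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/; s/[[:space:]]*$//' \
      | tail -n 1
}

# pf_has_filter FILE: succeed if at least one uncommented pass or block rule
# exists. Without one, pf's default action for every packet is pass.
pf_has_filter() {
    grep -Eq '^[[:space:]]*(pass|block)([[:space:]]|$)' "$1"
}

# audit_gateway RCFILE PFFILE: print findings, one per line; always exits 0
# so a caller can count the lines. Variables are global (POSIX sh).
audit_gateway() {
    rc=$1; pf=$2
    case " $(rc_get "$rc" network_interfaces) " in
    *" tun0 "*)
        if [ "$(rc_get "$rc" router_enable)" = "YES" ]; then
            echo "router_enable=YES: $(rc_get "$rc" router) $(rc_get "$rc" router_flags) replaces the default route that ppp's 'add default HISADDR' installs and keeps a RIP listener (udp/520) open on tun0 as well as rl0; set router_enable=\"NO\""
        fi
        ;;
    esac
    if [ "$(rc_get "$rc" pf_enable)" = "YES" ] && ! pf_has_filter "$pf"; then
        port=$(rc_get "$rc" sshd_flags | sed -n 's/.*-p *\([0-9][0-9]*\).*/\1/p')
        echo "pf.conf has only scrub/nat/rdr rules, so the implicit policy is pass and sshd on port ${port:-22} is reachable from anywhere via tun0; add 'block in on tun0' and 'pass in on tun0 proto tcp to (tun0) port ${port:-22}' (suggested rules, not from the posts)"
    fi
    return 0
}

audit_gateway "$RC_SAMPLE" "$PF_SAMPLE"
```

Run it as is to see the two findings for the posted configuration; point audit_gateway at the real /etc/rc.conf and the file named by pf_rules to check a live box. The rc_get parser is deliberately a reader, not an interpreter: it will not evaluate a value such as `${foo}` the way rc(8) would, which is the price of not executing the file.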