Date: Mon, 3 Sep 2001 19:00:34 -0400 (EDT)
From: Chris BeHanna
To: FreeBSD-Stable
Subject: Re: Access disallowed through ssh
Message-ID: <20010903185529.B14526-100000@topperwein.dyndns.org>

On Mon, 3 Sep 2001, Conrado Vardanega wrote:

> I've a small network, from which I can ssh to my local server, which is
> 192.168.3.1/24.
>
> From any other IP addresses, however, I'm having access disallowed, getting
> the following message:
>
> "Received disconnect from 200.193.xx.xx: 2: Sorry, you are not allowed to
> connect."
>
> Note: 200.193.xx.xx is the address of the router that does NAT and forwards
> its port 22/tcp to the server.
>
> This began sometime with no apparent changes to the system. The hosts.allow
> is default, which already allowed me to access it in the past.

hosts.allow recently got this line as its first rule via mergemaster:

    ALL : PARANOID : RFC931 20 : deny

If your NAT box has forward and reverse DNS records and they don't
match, you're out of there.

There were also some rule changes merged into /etc/rc.firewall the
last time around.

> Any hint of what it could be?

Check /var/log/messages and /var/log/security to see if you're
filtering yourself out.

Watch the server's NIC interface with tcpdump to see if packets are
actually getting forwarded to it.

Another thought: is this one of those cable/DSL router/firewall
thingies? Go into its web admin interface and make sure the rules are
what you think they are. Perhaps it got reset by a brief power
interruption or something.

-- 
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
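
Added example, not part of the original message and not tcp_wrappers code: a model of the forward/reverse DNS comparison behind the PARANOID rule quoted above, for checking how a NAT box's address would be classified. The function names and the sample DNS tables (documentation address ranges) are constructed; the check is simplified to address membership, and a missing reverse record is treated as unknown rather than as a mismatch.

```python
import socket
import sys

def default_reverse(ip):
    """PTR lookup: return the hostname for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def default_forward(name):
    """A lookup: return the IPv4 addresses for name (empty list on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def classify(ip, reverse=default_reverse, forward=default_forward):
    """Return 'ok', 'paranoid' or 'unknown' for a client address.

    'paranoid' is the case the PARANOID wildcard matches: the address has a
    reverse record, but that name does not resolve back to the address.
    """
    name = reverse(ip)
    if not name:
        return "unknown"   # no reverse record at all: nothing to mismatch
    if ip in forward(name):
        return "ok"        # forward and reverse records agree
    return "paranoid"      # records disagree, or the name does not resolve

# Constructed DNS data for an offline run (not from the original thread).
SAMPLE_PTR = {"192.0.2.10": "gw.example.net",
              "192.0.2.20": "nat.example.net",
              "192.0.2.40": "ghost.example.net"}
SAMPLE_A = {"gw.example.net": ["192.0.2.10"],
            "nat.example.net": ["198.51.100.7"]}

def demo():
    """Classify four constructed addresses against the sample tables."""
    fwd = lambda name: SAMPLE_A.get(name, [])
    ips = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]
    return {ip: classify(ip, SAMPLE_PTR.get, fwd) for ip in ips}

if __name__ == "__main__":
    if len(sys.argv) > 1:            # real lookups for addresses given as arguments
        for ip in sys.argv[1:]:
            print(ip, classify(ip))
    else:                            # otherwise run on the constructed tables
        for ip, verdict in demo().items():
            print(ip, verdict)
```

Run with the NAT router's public address as an argument on the server itself, so the lookups go through the same resolver sshd uses.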