José D. Grieco
2012-Aug-28 15:18 UTC
ssh_exchange_identification: read: Connection reset by peer
I have a debian server with shorewall 4.5.5.3, my rules file has:

SSH(ACCEPT) all all

but when I try to connect from src IP 201.87.100.36 to FW via NET interface (IP 177.32.35.176) I receive "ssh_exchange_identification: read: Connection reset by peer" message

from LOC interface works

Best Regards
Jose D Grieco
Tom Eastep
2012-Aug-28 15:27 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
> I have a debian server with shorewall 4.5.5.3, my rules file has:
>
> SSH(ACCEPT) all all
>
> but when I try to connect from src IP 201.87.100.36 to FW via NET
> interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
> read: Connection reset by peer" message
>
> from LOC interface works
>

And if you 'shorewall clear' then this works perfectly? (be sure to 'shorewall start' after testing).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mark van Dijk
2012-Aug-28 18:17 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
On Tue, 28 Aug 2012 08:27:31 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
> > I have a debian server with shorewall 4.5.5.3, my rules file has:
> >
> > SSH(ACCEPT) all all
> >
> > but when I try to connect from src IP 201.87.100.36 to FW via NET
> > interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
> > read: Connection reset by peer" message
> >
> > from LOC interface works
> >
>
> And if you 'shorewall clear' then this work perfectly? (be sure to
> 'shorewall start' after testing).
>
> -Tom

The message received reminds me of an entry in /etc/hosts.deny. I don't think it has anything to do with Shorewall tbh.

--
Stay in touch,
Mark van Dijk.
Tue Aug 28 17:57 UTC 2012
Today is Setting Orange, the 21st day of Bureaucracy in the YOLD 3178
Øyvind Lode - Forums
2012-Aug-28 18:40 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
From: Mark van Dijk [mailto:lists+shorewall@internecto.net]
Sent: 28. august 2012 20:18

On Tue, 28 Aug 2012 08:27:31 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
> > I have a debian server with shorewall 4.5.5.3, my rules file has:
> >
> > SSH(ACCEPT) all all
> >
> > but when I try to connect from src IP 201.87.100.36 to FW via NET
> > interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
> > read: Connection reset by peer" message
> >
> > from LOC interface works
> >
>
> And if you 'shorewall clear' then this work perfectly? (be sure to
> 'shorewall start' after testing).
>
> -Tom

> The message received reminds me of an entry in /etc/hosts.deny. I don't think it has anything to do with Shorewall tbh.

Me neither.

I'm running shorewall 4.5.5.3 on Debian myself.

I don't have the exact same rule but I DNAT to a server behind the firewall like this:

SSH(DNAT) net loc:192.168.1.2

Works fine but I had a similar problem once.

I could log in via ssh just fine but if I left the ssh session idle for too long I would receive connection reset by peer.
My session was dead and I had to log back in.
I only had this problem from one specific location.

After some investigation I found out that the reason for my session to drop out was the firewall at this location.
The firewall dropped all outbound ssh sessions that were inactive.

I verified this by logging on to my server from that network and at the same time from a different network and left the sessions idle for a while.

The connection was dropped but the other ssh session was still alive.
José D. Grieco
2012-Aug-29 13:25 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
Tom, thanks for a quick reply.

On 28-08-2012 12:27, Tom Eastep wrote:
> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
>> I have a debian server with shorewall 4.5.5.3, my rules file has:
>>
>> SSH(ACCEPT) all all
>>
>> but when I try to connect from src IP 201.87.100.36 to FW via NET
>> interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
>> read: Connection reset by peer" message
>>
>> from LOC interface works
>>
> And if you 'shorewall clear' then this work perfectly? (be sure to
> 'shorewall start' after testing).

It's a production server, I'll try after office's work hours.

>
> -Tom
José D. Grieco
2012-Aug-29 13:27 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
On 28-08-2012 15:17, Mark van Dijk wrote:
> On Tue, 28 Aug 2012 08:27:31 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
>> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
>>> I have a debian server with shorewall 4.5.5.3, my rules file has:
>>>
>>> SSH(ACCEPT) all all
>>>
>>> but when I try to connect from src IP 201.87.100.36 to FW via NET
>>> interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
>>> read: Connection reset by peer" message
>>>
>>> from LOC interface works
>>>
>> And if you 'shorewall clear' then this work perfectly? (be sure to
>> 'shorewall start' after testing).
>>
>> -Tom
> The message received reminds me of an entry in /etc/hosts.deny. I don't
> think it has anything to do with Shorewall tbh.
>

There is no entry in hosts.deny. But thanks for your reply
José D. Grieco
2012-Aug-29 13:29 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
On 28-08-2012 15:40, Øyvind Lode - Forums wrote:
> From: Mark van Dijk [mailto:lists+shorewall@internecto.net]
> Sent: 28. august 2012 20:18
>
> On Tue, 28 Aug 2012 08:27:31 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
>> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
>>> I have a debian server with shorewall 4.5.5.3, my rules file has:
>>>
>>> SSH(ACCEPT) all all
>>>
>>> but when I try to connect from src IP 201.87.100.36 to FW via NET
>>> interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
>>> read: Connection reset by peer" message
>>>
>>> from LOC interface works
>>>
>> And if you 'shorewall clear' then this work perfectly? (be sure to
>> 'shorewall start' after testing).
>>
>> -Tom
>> The message received reminds me of an entry in /etc/hosts.deny. I don't think it has anything to do with Shorewall tbh.
> Me neither.
>
> I'm running shorewall 4.5.5.3 on Debian myself.
>
> I don't have the exact same rule but I DNAT to a server behind the firewall like this:
>
> SSH(DNAT) net loc:192.168.1.2
>
> Works fine but I had a similar problem once.

BTW, I have other debian servers with shorewall and I don't have that issue either.

>
> I could login via ssh just fine but if I left the ssh session idle for too long I would receive connection reset by peer.
> My session were dead and I had to log back in.
> I only had this problem from one specific location.
>
> After some investigation I found out that the reason for my session to drop out were the firewall at this location.
> The firewall dropped all outbound ssh sessions that were inactive.
>
> I verified this by logging on to my server from that network and at the same time from a different network and left the sessions idle for a while.
>
> The connection were dropped but the other ssh session were still alive.
this is often at odds of blacklisting problems at sshd ... already seen: I waited for it to pass

On 2012-08-29 15:29, José D. Grieco wrote:
> On 28-08-2012 15:40, Øyvind Lode - Forums wrote:
>> From: Mark van Dijk [mailto:lists+shorewall@internecto.net]
>> Sent: 28. august 2012 20:18
>>
>> On Tue, 28 Aug 2012 08:27:31 -0700
>> Tom Eastep <teastep@shorewall.net> wrote:
>>
>>> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
>>>> I have a debian server with shorewall 4.5.5.3, my rules file has:
>>>>
>>>> SSH(ACCEPT) all all
>>>>
>>>> but when I try to connect from src IP 201.87.100.36 to FW via NET
>>>> interface (IP 177.32.35.176) I receive
>>>> "ssh_exchange_identification:
>>>> read: Connection reset by peer" message
>>>>
>>>> from LOC interface works
>>>>
>>> And if you 'shorewall clear' then this work perfectly? (be sure to
>>> 'shorewall start' after testing).
>>>
>>> -Tom
>>> The message received reminds me of an entry in /etc/hosts.deny. I
>>> don't think it has anything to do with Shorewall tbh.
>> Me neither.
>>
>> I'm running shorewall 4.5.5.3 on Debian myself.
>>
>> I don't have the exact same rule but I DNAT to a server behind the
>> firewall like this:
>>
>> SSH(DNAT) net loc:192.168.1.2
>>
>> Works fine but I had a similar problem once.
> BTW, I have others debian server with shorewall and I don't have that
> issue either.
>>
>> I could login via ssh just fine but if I left the ssh session idle
>> for too long I would receive connection reset by peer.
>> My session were dead and I had to log back in.
>> I only had this problem from one specific location.
>>
>> After some investigation I found out that the reason for my session
>> to drop out were the firewall at this location.
>> The firewall dropped all outbound ssh sessions that were inactive.
>>
>> I verified this by logging on to my server from that network and at
>> the same time from a different network and left the sessions idle for
>> a while.
>>
>> The connection were dropped but the other ssh session were still
>> alive.

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC2626742
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://about.me/fakessh
http://urlshort.eu fakessh @
http://gplus.to/sshfake
http://gplus.to/sshswilting
http://gplus.to/john.swilting
https://lists.fakessh.eu/mailman/
This list is moderated by me, but all applications will be accepted provided they receive a note of presentation
José D. Grieco
2012-Aug-30 11:26 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
On 28-08-2012 12:27, Tom Eastep wrote:
> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
>> I have a debian server with shorewall 4.5.5.3, my rules file has:
>>
>> SSH(ACCEPT) all all
>>
>> but when I try to connect from src IP 201.87.100.36 to FW via NET
>> interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
>> read: Connection reset by peer" message
>>
>> from LOC interface works
>>
> And if you 'shorewall clear' then this work perfectly? (be sure to
> 'shorewall start' after testing).

Yes, it does !!

>
> -Tom
Tom Eastep
2012-Aug-30 13:39 UTC
Re: ssh_exchange_identification: read: Connection reset by peer
On 08/30/2012 04:26 AM, "José D. Grieco" wrote:
>
> On 28-08-2012 12:27, Tom Eastep wrote:
>> On 08/28/2012 08:18 AM, "José D. Grieco" wrote:
>>> I have a debian server with shorewall 4.5.5.3, my rules file has:
>>>
>>> SSH(ACCEPT) all all
>>>
>>> but when I try to connect from src IP 201.87.100.36 to FW via NET
>>> interface (IP 177.32.35.176) I receive "ssh_exchange_identification:
>>> read: Connection reset by peer" message
>>>
>>> from LOC interface works
>>>
>> And if you 'shorewall clear' then this work perfectly? (be sure to
>> 'shorewall start' after testing).
> Yes, it does !!

Then the Shorewall-generated ruleset should be logging something when the problem occurs.

-Tom
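
Following up on the last suggestion in the thread, an added example (not part of any message above, and not Shorewall's own code): a shell function that pulls Shorewall log entries for one client and port out of a kernel log and counts them per chain and disposition. It assumes the default `Shorewall:<chain>:<disposition>:` log prefix; the function names and the sample log lines are constructed for illustration, using the two addresses from the original post.

```shell
#!/bin/sh
# Constructed sample kernel log (netfilter LOG format with Shorewall's
# default prefix). These lines are illustrative, not taken from the thread.
sample_log() {
cat <<'EOF'
Aug 30 08:01:12 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=201.87.100.36 DST=177.32.35.176 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 08:01:13 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=177.32.35.176 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=100 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 08:01:15 fw kernel: eth0: link up
Aug 30 08:01:18 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=201.87.100.36 DST=177.32.35.176 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 08:02:40 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=201.87.100.36 DST=177.32.35.176 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4720 DF PROTO=TCP SPT=51516 DPT=22 WINDOW=92 RES=0x00 ACK URGP=0
EOF
}

# shorewall_hits SRC_IP DST_PORT  (hypothetical helper; log read from stdin)
# Prints "<chain> <disposition> <count>" for every matching log entry.
shorewall_hits() {
    awk -v src="$1" -v dpt="$2" '
        # Consider only lines that carry the Shorewall log prefix
        match($0, /Shorewall:[^:]+:[^:]+:/) {
            split(substr($0, RSTART, RLENGTH), p, ":")  # p[2]=chain, p[3]=disposition
            s = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) s = substr($i, 5)
                if ($i ~ /^DPT=/) d = substr($i, 5)
            }
            if (s == src && d == dpt) n[p[2] " " p[3]]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Stand-alone run against the constructed sample
sample_log | shorewall_hits 201.87.100.36 22
```

On a live firewall, feed the function the file that receives kernel messages (the one named by LOGFILE in shorewall.conf) instead of `sample_log`; the chain name in the output shows which part of the ruleset handled the packet.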