6 Replies Latest reply: Sep 25, 2009 5:50 AM by jarrwlee
jarrwlee Level 1 (0 points)
First of all, does 10.6.1 still use ipfw as the underlying firewall? If so, then the "ipfw list" output I will be pasting in will be of use, if not then just ignore it.

Situation:
2 laptops, one a Dell Latitude D630 running XP with Cygwin's ssh as the ssh client, the other a MacBook Pro (unibody, 2008) running 10.6.1. Everything worked properly yesterday, but this morning when I tried to set up my SSH tunnel to run synergy (http://synergykm.sourceforge.net/) through, it times out. I have changed nothing on either laptop. I upgraded to 10.6.1 days ago, so that can't be it either.

Settings for firewall/Remote Login on MBP:
  • In Sharing, Remote Login is the only thing checked and it is set to only allow my user
  • In Firewall, it is turned on
  • In Firewall-Advanced, Remote Login (SSH) is shown as allowed
  • In Firewall-Advanced, iStatLocalDaemon, sshd-keygen-wrapper, and synergys are blocked (synergys is blocked because I want it to only allow connections on localhost which would include SSH-tunneled connections)
  • Enable stealth mode is checked

Research done on the issue:
(1) Turning off the firewall on the MBP allows the ssh client on the Dell to connect and ping.
(2) Switching off/on the firewall and the Remote Login service on the MBP do not clear the issue and it is persistent through reboots.

`ipfw list` output:
At normal firewall settings (see above):
    33300 deny log icmp from any to me in icmptypes 8
    65535 allow ip from any to any
With "Enable stealth mode" unchecked:
    65535 allow ip from any to any
With firewall off completely:
    65535 allow ip from any to any

Note that firewall off and firewall on without stealth mode are the same. If 10.6.1 still uses ipfw, my guess is something is wrong there, but if it does not still use ipfw, something is weird elsewhere.

Any ideas?

15-inch MacBook Pro Core 2 Duo (2008 Unibody), Mac OS X (10.6.1)
  • jarrwlee Level 1 (0 points)
    The work-around:
    • Turn off the firewall
    • Start the SSH tunnel by running the following command in Cygwin on the Dell:
      <pre>ssh -f -N -L localhost:24800:(MBP IP):24800 (username on MBP)@(MBP IP)</pre>
    • Turn on the firewall

      Message was edited by: jarrwlee

      Message was edited by: jarrwlee (cleaned up the ssh command and corrected the Model/OS)
  • Courtney Bane Level 1 (0 points)
    I'm seeing the same behavior. With the firewall turned on, I can't connect at all from other computers on my network, even though the firewall settings show that incoming connections to ssh are allowed. If I turn off the firewall, I am able to connect. I don't recall if I ever tried to ssh in when I was running 10.6.0, so I don't know if this is a new issue for 10.6.1.
  • jarrwlee Level 1 (0 points)
    What's weird is that I installed 10.6.1 on the 13th, 11 days ago, but up until this morning, SSH/firewall worked correctly. The only major change that I can find between yesterday morning and this morning is the iTunes 9.0.1 update that I installed last night, just before 8:00. The only other thing I can think of is that I updated World of Warcraft and a few addons last night, but none of those do anything with the firewall beyond the updater whining about being behind a firewall.
  • Tim Haigh Level 7 (24,190 points)
    > First of all, does 10.6.1 still use ipfw as the underlying firewall? If so, then the "ipfw list" output I will be pasting in will be of use, if not then just ignore it.

    No. IPFW since Snow Leopard is set to allow everything to everything, except if you enable stealth mode in the application firewall.

    The firewall in Leopard and Snow Leopard was superseded by an application firewall, but ipfw is still there if you want to customise your IP firewall.

    So turn on your firewall again, but check in your application firewall, in the Advanced window, that you have listed in your list of allowed apps:

    sshd-keygen-wrapper

    Initiate an ssh connection into the Mac using verbose options:

    ssh -vvv server

    Then see if that shows you some clues as to what is blocking.

    Also, on the Mac, open the Console utility in /Applications/Utilities and browse the log

    appfirewall.log

    See if that shows you any clues.
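An added example, not part of any post in this thread: a shell sketch for triaging the appfirewall.log mentioned above by counting Deny entries per process and destination port. The log line layout and the function names `denied_by_process` and `ssh_denied` are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample log. The layout is an ASSUMPTION about appfirewall.log
# ("... Firewall[pid]: Deny <process> connecting from <ip:port> to port <n> proto=6"),
# not output copied from the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Sep 24 07:58:12 mbp Firewall[65]: Deny sshd-keygen-wrapper connecting from 192.168.1.20:1533 to port 22 proto=6
Sep 24 07:58:15 mbp Firewall[65]: Deny sshd-keygen-wrapper connecting from 192.168.1.20:1534 to port 22 proto=6
Sep 24 07:59:01 mbp Firewall[65]: Deny synergys connecting from 192.168.1.20:1540 to port 24800 proto=6
Sep 24 08:01:44 mbp Firewall[65]: Allow sshd-keygen-wrapper connecting from 192.168.1.20:1551 to port 22 proto=6
Sep 24 08:02:10 mbp Firewall[65]: Stealth Mode connection attempt to TCP 192.168.1.10:23 from 192.168.1.20:1560
EOF

# Print "<count> <process> <port>" for every denied process/port pair,
# most frequent first. $1 is the path to the log file.
denied_by_process() {
  awk '
    / Firewall\[[0-9]+\]: Deny / {
      rest = $0
      sub(/^.* Firewall\[[0-9]+\]: Deny /, "", rest)   # drop timestamp/host prefix
      proc = rest
      sub(/ (connecting|data in) from .*$/, "", proc)   # keep only the process name
      port = rest
      if (sub(/^.* to port /, "", port) == 0) next      # no port on this line
      sub(/ .*$/, "", port)                             # drop " proto=..." suffix
      count[proc " " port]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | sort -k1,1nr -k2,2
}

# Exit status 0 if any process was denied an inbound connection on port 22.
ssh_denied() {
  denied_by_process "$1" | awk '$NF == 22 { found = 1 } END { exit !found }'
}

denied_by_process "$SAMPLE"
ssh_denied "$SAMPLE" && echo "application firewall is denying inbound SSH (port 22)"
```

A port 22 denial attributed to sshd-keygen-wrapper while "Remote Login (SSH)" still shows as allowed would match the symptom reported in this thread.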
  • BobHarris Level 6 (14,720 points)
    I've seen very good diagnostic suggestions (check logs, use -v -v -v), so the only thing I'll add is: Have you made any changes to your .bashrc, .bash_profile, .profile (or whatever shell initialization script you use)?
  • jarrwlee Level 1 (0 points)
    As Tim suggested, I allowed sshd-keygen-wrapper, it was denied when it worked before, and it still didn't work, so I removed everything, except Remote Login, and rebooted. On login it asked whether or not sshd-keygen-wrapper could have access to the network and listen for things. This time I allowed it on boot and things started working. I know, without a doubt in my being, that sshd-keygen-wrapper was set to deny before, so I don't know if allowing it or if rebooting again happened to cause it to start working. I'll keep an eye on it in the future and possibly even try changing settings to see if I can find exactly what has caused this to occur.

    Message was edited by: jarrwlee - I changed the ambiguous "you" to "Tim" to clarify.