First of all, does 10.6.1 still use ipfw as the underlying firewall? If so, then the "ipfw list" output I will be pasting in will be of use, if not then just ignore it.
Situation: 2 laptops, one a Dell Latitude D630 running XP with Cygwin's ssh as the ssh client, the other a MacBook Pro (unibody, 2008) running 10.6.1. Everything worked properly yesterday, but this morning when I tried to set up my SSH tunnel to run synergy (http://synergykm.sourceforge.net/) through, it times out. I have changed nothing on either laptop. I upgraded to 10.6.1 days ago, so that can't be it either.
Settings for firewall/Remote Login on MBP:
In Sharing, Remote Login is the only thing checked and it is set to only allow my user
In Firewall, it is turned on
In Firewall-Advanced, Remote Login (SSH) is shown as allowed
In Firewall-Advanced, iStatLocalDaemon, sshd-keygen-wrapper, and synergys are blocked (synergys is blocked because I want it to only allow connections on localhost which would include SSH-tunneled connections)
Enable stealth mode is checked
Research done on the issue: (1) Turning off the firewall on the MBP allows the ssh client on the Dell to connect and ping. (2) Switching off/on the firewall and the Remote Login service on the MBP do not clear the issue and it is persistent through reboots.
`ipfw list` output:
At normal firewall settings (see above):
    33300 deny log icmp from any to me in icmptypes 8
    65535 allow ip from any to any
With "Enable stealth mode" unchecked:
    65535 allow ip from any to any
With firewall off completely:
    65535 allow ip from any to any
Note that firewall off and firewall on without stealth mode are the same. If 10.6.1 still uses ipfw, my guess is something is wrong there, but if it does not still use ipfw, something is weird elsewhere.
15-inch MacBook Pro Core 2 Duo (2008 Unibody), Mac OS X (10.6.1)
Reply by Tim Haigh on Sep 24, 2009 6:52 PM
> First of all, does 10.6.1 still use ipfw as the underlying firewall? If so, then the "ipfw list" output I will be pasting in will be of use, if not then just ignore it.
No, IPFW since Snow Leopard is set to allow everything to everything, except if you enable stealth mode in the application firewall.
The firewall in Leopard and Snow Leopard was superseded by an application firewall, but ipfw is still there if you want to customise your IP firewall.
So turn on your firewall again, but check in your application firewall, in the Advanced window, that you have listed in your list of allowed apps:
    sshd-keygen-wrapper
Initiate an ssh connection into the Mac using verbose options:
    ssh -vvv server
then see if that shows you some clues as to what is blocking.
Also, on the Mac, open the Console utility in /Applications/Utilities and browse the log:
    appfirewall.log
See if that shows you any clues.
I'm seeing the same behavior. With the firewall turned on, I can't connect at all from other computers on my network, even though the firewall settings show that incoming connections to ssh are allowed. If I turn off the firewall, I am able to connect. I don't recall if I ever tried to ssh in when I was running 10.6.0, so I don't know if this is a new issue for 10.6.1.
What's weird is that I installed 10.6.1 on the 13th, 11 days ago, but up until this morning, SSH/firewall worked correctly. The only major change that I can find between yesterday morning and this morning is the iTunes 9.0.1 update that I installed last night, just before 8:00. The only other thing I can think of is that I updated World of Warcraft and a few addons last night, but none of those do anything with the firewall beyond the updater whining about being behind a firewall.
I've seen very good diagnostic suggestions (check logs, use -v -v -v), so the only thing I'll add is: Have you made any changes to your .bashrc, .bash_profile, .profile (or whatever shell initialization script you use)?
As Tim suggested, I allowed sshd-keygen-wrapper (it was denied when it worked before), and it still didn't work, so I removed everything, except Remote Login, and rebooted. On login it asked whether or not sshd-keygen-wrapper could have access to the network and listen for things. This time I allowed it on boot and things started working. I know, without a doubt in my being, that sshd-keygen-wrapper was set to deny before, so I don't know if allowing it or if rebooting again happened to cause it to start working. I'll keep an eye on it in the future and possibly even try changing settings to see if I can find exactly what has caused this to occur.
Message was edited by: jarrwlee - I changed the ambiguous "you" to "Tim" to clarify.