
Remote Login (SSH) blocked at firewall regardless of settings

First of all, does 10.6.1 still use ipfw as the underlying firewall? If so, then the "ipfw list" output I will be pasting in will be of use, if not then just ignore it.

Situation:
2 laptops, one a Dell Latitude D630 running XP with Cygwin's ssh as the ssh client, the other a MacBook Pro (unibody, 2008) running 10.6.1. Everything worked properly yesterday, but this morning when I tried to set up my SSH tunnel to run synergy (http://synergykm.sourceforge.net/) through, it times out. I have changed nothing on either laptop. I upgraded to 10.6.1 days ago, so that can't be it either.

Settings for firewall/Remote Login on MBP:
  • In Sharing, Remote Login is the only thing checked and it is set to only allow my user
  • In Firewall, it is turned on
  • In Firewall-Advanced, Remote Login (SSH) is shown as allowed
  • In Firewall-Advanced, iStatLocalDaemon, sshd-keygen-wrapper, and synergys are blocked (synergys is blocked because I want it to only allow connections on localhost which would include SSH-tunneled connections)
  • Enable stealth mode is checked

Research done on the issue:
  (1) Turning off the firewall on the MBP allows the ssh client on the Dell to connect and ping.
  (2) Switching off/on the firewall and the Remote Login service on the MBP do not clear the issue and it is persistent through reboots.

`ipfw list` output:

At normal firewall settings (see above):
<pre>33300 deny log icmp from any to me in icmptypes 8
65535 allow ip from any to any</pre>
With "Enable stealth mode" unchecked:
<pre>65535 allow ip from any to any</pre>
With firewall off completely:
<pre>65535 allow ip from any to any</pre>

Note that firewall off and firewall on without stealth mode are the same. If 10.6.1 still uses ipfw, my guess is something is wrong there, but if it does not still use ipfw, something is weird elsewhere.

Any ideas?

15-inch MacBook Pro Core 2 Duo (2008 Unibody), Mac OS X (10.6.1)

Posted on Sep 24, 2009 6:21 AM

6 replies

Sep 24, 2009 6:32 AM in response to jarrwlee

The work-around:
  • Turn off the firewall
  • Start the SSH tunnel by running the following command in Cygwin on the Dell:
    <pre>ssh -f -N -L localhost:24800:(MBP IP):24800 (username on MBP)@(MBP IP)</pre>
  • Turn on the firewall

Message was edited by: jarrwlee
Message was edited by: jarrwlee (cleaned up the ssh command and corrected the Model/OS)

Sep 24, 2009 4:47 PM in response to jarrwlee

I'm seeing the same behavior. With the firewall turned on, I can't connect at all from other computers on my network, even though the firewall settings show that incoming connections to ssh are allowed. If I turn off the firewall, I am able to connect. I don't recall if I ever tried to ssh in when I was running 10.6.0, so I don't know if this is a new issue for 10.6.1.

Sep 24, 2009 5:25 PM in response to Courtney Bane

What's weird is that I installed 10.6.1 on the 13th, 11 days ago, but up until this morning, SSH/firewall worked correctly. The only major change that I can find between yesterday morning and this morning is the iTunes 9.0.1 update that I installed last night, just before 8:00. The only other thing I can think of is that I updated World of Warcraft and a few addons last night, but none of those do anything with the firewall beyond the updater whining about being behind a firewall.

Sep 24, 2009 6:52 PM in response to jarrwlee

First of all, does 10.6.1 still use ipfw as the underlying firewall? If so, then the "ipfw list" output I will be pasting in will be of use, if not then just ignore it.


No, since Snow Leopard ipfw is set to allow everything to everything, except if you enable stealth mode in the application firewall.

The firewall in Leopard and Snow Leopard was superseded by an application firewall, but ipfw is still there if you want to customise your IP firewall.

So turn on your firewall again, but check in the Advanced window of your application firewall that you have the following listed in your list of allowed apps:

sshd-keygen-wrapper

Initiate an ssh connection into the Mac using verbose options:

<pre>ssh -vvv server</pre>

Then see if that shows you some clues as to what is blocking.

Also, on the Mac, open the Console utility in /Applications/Utilities and browse the log

appfirewall.log

See if that shows you any clues.
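
One way to carry out the log check suggested above, as an added example that is not part of the original post: a shell function that tallies the application firewall's Allow/Deny verdicts per process for one port, which makes it visible when sshd-keygen-wrapper is being denied on port 22 even though Remote Login is shown as allowed. The log line layout and the sample lines are constructed assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tally application-firewall verdicts per process for one port.
# ASSUMPTION: verdict lines look like the constructed samples below:
#   <date> <host> Firewall[pid]: Allow|Deny <process> connecting from <ip>:<port> to port <n> proto=<p>

# Constructed sample data (not taken from the thread).
sample_log() {
    cat <<'EOF'
Sep 24 06:10:01 mbp Firewall[65]: Deny sshd-keygen-wrapper connecting from 192.168.1.20:51234 to port 22 proto=6
Sep 24 06:10:04 mbp Firewall[65]: Deny sshd-keygen-wrapper connecting from 192.168.1.20:51235 to port 22 proto=6
Sep 24 06:11:30 mbp Firewall[65]: Deny synergys connecting from 192.168.1.20:51240 to port 24800 proto=6
Sep 25 05:40:12 mbp Firewall[65]: Allow sshd-keygen-wrapper connecting from 192.168.1.20:51300 to port 22 proto=6
EOF
}

# fw_port_summary PORT   (reads the log on stdin)
# Prints one line per process: "<process> allow=<n> deny=<n>"
fw_port_summary() {
    awk -v port="$1" '
        # Only Allow/Deny verdict lines that target the requested port.
        /Firewall\[[0-9]+\]: (Allow|Deny) / && index($0, " to port " port " ") {
            line = $0
            sub(/^.*Firewall\[[0-9]+\]: /, "", line)         # drop timestamp, host, tag
            verdict = substr(line, 1, index(line, " ") - 1)   # "Allow" or "Deny"
            proc = substr(line, index(line, " ") + 1)
            sub(/ (connecting|data in) from .*$/, "", proc)   # keeps names with spaces
            seen[proc] = 1
            n[proc, verdict]++
        }
        END {
            for (p in seen)
                printf "%s allow=%d deny=%d\n", p, n[p, "Allow"], n[p, "Deny"]
        }
    ' | sort
}

# denied_procs PORT: names of processes with at least one Deny on that port.
denied_procs() {
    fw_port_summary "$1" |
        awk '$NF != "deny=0" { sub(/ allow=[0-9]+ deny=[0-9]+$/, ""); print }'
}

sample_log | fw_port_summary 22
```

On the Mac itself, feed it the real log instead of the sample, for example `fw_port_summary 22 < /var/log/appfirewall.log`.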

Sep 25, 2009 5:50 AM in response to Tim Haigh

As Tim suggested, I allowed sshd-keygen-wrapper, it was denied when it worked before, and it still didn't work, so I removed everything, except Remote Login, and rebooted. On login it asked whether or not sshd-keygen-wrapper could have access to the network and listen for things. This time I allowed it on boot and things started working. I know, without a doubt in my being, that sshd-keygen-wrapper was set to deny before, so I don't know if allowing it or if rebooting again happened to cause it to start working. I'll keep an eye on it in the future and possibly even try changing settings to see if I can find exactly what has caused this to occur.

Message was edited by: jarrwlee - I changed the ambiguous "you" to "Tim" to clarify.
