
firewall blocks ssh since Sept 12 update

I have a Mac Pro Early 2008 running Lion 10.7.1 (11826). Since the "Security Update 2011-005" yesterday morning (Sept 12), the firewall does not allow incoming ssh connections, even though "remote login" is enabled in the "Sharing" preferences pane, and the firewall config page under "Security & Privacy" shows that "Remote Login (SSH)" is set to "Allow incoming connections". I do this all the time, and the behavior definitely changed with yesterday's update.


To be clear, with the firewall turned off, I am able to ssh into the machine from another machine on the local network. When I turn the firewall on, despite the options set as described above, I am unable to make an ssh connection. This worked before yesterday's update. I think that Apple broke something with the update.

Mac Pro, Mac OS X (10.7.1)

Posted on Sep 13, 2011 10:40 AM


Oct 24, 2011 3:03 PM in response to ralmgren

Forgive me for not posting an answer at all, but to put more weight on the issue:


I experience the very same problem on 10.7.2.

The only thing I can spot is in /var/log/appfirewall.log, where entries like the one here show up:


Oct 24 23:47:14 <my_remote_mac> Firewall[737]: Deny sshd-keygen-wrapper connecting from <my_local_ip>:52358 to port 22 proto=6


If I disable the AppFirewall, everything is fine.

I cannot say at what point in time this showed up; there have been lots of updates lately...


One change I applied to the system concerned was Filevaulting it a few days ago... but hey, this can't possibly be related, can it?


A clean reinstall arises as an option here, but I'd really like to know what's going on...

Jan 18, 2012 2:29 AM in response to der_rote_bereich

Same problem over here:


Jan 18 11:22:03 euler Firewall[16889]: Deny sshd-keygen-wrapper connecting from 131.188.33.194:36999 to port 22 proto=6


Turning the firewall off solves the problem.


Is there any way of conveniently viewing the firewall rules? pfctl -vvvsr doesn't help because it only shows

    @0 anchor "com.apple/*" all


Any help would be appreciated.

-Johannes

Jan 18, 2012 2:34 AM in response to jo84

Okay, I just found out you have to query anchor rules with a special switch (-a).

I just found out there is no entry for SSH, which should read something like

    pass in on inet proto tcp from any to any port ssh keep state


    euler:~ dr$ sudo pfctl -a "com.apple/100.InternetSharing" -vvvsr
    No ALTQ support in kernel
    ALTQ related functions disabled

    euler:~ dr$ sudo pfctl -a "com.apple/250.ApplicationFirewall" -vvvsr
    No ALTQ support in kernel
    ALTQ related functions disabled
    @0 block drop in inet proto icmp all icmp-type echoreq
    [ Evaluations: 306 Packets: 0 Bytes: 0 States: 0 ]
    [ Inserted: uid 0 pid 33285 ]
    @1 block drop in inet6 proto ipv6-icmp all icmp6-type echoreq
    [ Evaluations: 228 Packets: 0 Bytes: 0 States: 0 ]
    [ Inserted: uid 0 pid 33285 ]

Jan 18, 2012 3:22 AM in response to jo84

So I think I found the problem:


    euler:pf.anchors dr$ sudo pfctl -a '*' -sr
    No ALTQ support in kernel
    ALTQ related functions disabled
    anchor "*" all {
    pfctl: DIOCGETRULES: Invalid argument
    }


The pfctl error mainly occurs when the userland pfctl binary and the pf kernel interface are out of sync.

Mar 1, 2012 6:32 PM in response to ralmgren

I had the same problem on my wife's MacBook Pro even though mine worked fine (both running 10.7.3). Remote Login was enabled in Sharing and allowed in the Firewall, but I couldn't ssh to her machine. I looked in the Advanced Firewall settings and Remote Login was there at the top and set to allow incoming connections. I then scrolled down the list of other connections, and at the very bottom was sshd-keygen-wrapper, which was set to not allowed. Setting this to allow made remote ssh work again for me. The strange thing is that on my MacBook Pro, I don't even have this entry. To test further, I deleted it from her allowed list and ssh stopped working. I had to add it back to make it work; it's located in /usr/libexec/, so you have to use CTRL-CMD-G to get there in the file dialog. Hope this helps someone else.
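As an added example (not from any poster in this thread), the following script summarises "Deny" entries from /var/log/appfirewall.log by process and destination port, so the symptom discussed above (sshd-keygen-wrapper denied on port 22 while Remote Login is allowed) can be spotted without reading the log by hand. The log lines embedded below are constructed to match the format quoted in the thread; the host name and IP addresses are made up.

```shell
#!/bin/sh
# Constructed sample of /var/log/appfirewall.log lines (format as quoted in the thread;
# host and addresses are invented). On a real Mac, feed the actual log file instead.
SAMPLE_LOG='Oct 24 23:47:14 mymac Firewall[737]: Deny sshd-keygen-wrapper connecting from 192.168.1.23:52358 to port 22 proto=6
Oct 24 23:47:20 mymac Firewall[737]: Deny sshd-keygen-wrapper connecting from 192.168.1.23:52361 to port 22 proto=6
Oct 24 23:48:02 mymac Firewall[737]: Allow sshd-keygen-wrapper connecting from 192.168.1.23:52370 to port 22 proto=6
Oct 24 23:49:11 mymac Firewall[737]: Deny smbd connecting from 192.168.1.40:49152 to port 445 proto=6'

# deny_summary: read appfirewall.log text on stdin and print one line per distinct
# (process, destination port) pair that the application firewall denied, as
# "<count> <process> <port>", most frequent first. "Allow" lines are ignored.
deny_summary() {
    awk '
        /Firewall\[[0-9]+\]: Deny / {
            proc = ""; port = ""
            # Field layout: ... Deny <proc> connecting from <ip>:<sport> to port <dport> proto=<n>
            for (i = 1; i <= NF; i++) {
                if ($i == "Deny") proc = $(i + 1)
                if ($i == "port") port = $(i + 1)
            }
            if (proc != "" && port != "") count[proc " " port]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# ssh_wrapper_denied: read log text on stdin; succeed (exit 0) only if the
# symptom from this thread is present, i.e. sshd-keygen-wrapper was denied on port 22.
# The fix reported above is to allow /usr/libexec/sshd-keygen-wrapper in the
# firewall's application list; the current list can be checked on the Mac with
#   sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
# (not executed by this script).
ssh_wrapper_denied() {
    deny_summary | grep -q '^[0-9][0-9]* sshd-keygen-wrapper 22$'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_summary
if printf '%s\n' "$SAMPLE_LOG" | ssh_wrapper_denied; then
    echo "symptom present: sshd-keygen-wrapper denied on port 22"
fi
```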
