02/11/2006, 21h25   #3
Per Hedeland
Re: Reverse port forwarding: Connection refused

In article <pan.2006.11.02.14.40.10.844643@liburg.de> "Felix E. Klee"
<fk@liburg.de> writes:

>We've the following setup:


[incredibly complex description snipped:-)]

>Any idea why method B for accessing 1.b from 2.a may be failing?


From 'man sshd_config':

    GatewayPorts
            Specifies whether remote hosts are allowed to connect to ports
            forwarded for the client. By default, sshd binds remote port
            forwardings to the loopback address. This prevents other remote
            hosts from connecting to forwarded ports. GatewayPorts can be
            used to specify that sshd should bind remote port forwardings to
            the wildcard address, thus allowing remote hosts to connect to
            forwarded ports. The argument must be ``yes'' or ``no''. The
            default is ``no''.

It seems this has been changed from the default to 'yes' on nat.a but
not on 1.a.

> It'd be
>our preferred method since 1.b:22 would then not be accessible from the
>Internet.


I assume you mean "nat.a:22" (confusing with all those made-up names,
isn't it?:-). With both methods, 1.b:22 needs to be accessible only from
localhost.

>I must be missing something obvious. So far, I didn't find anything
>interesting in the logs.


Since it's a TCP/IP level rejection (i.e. an attempt to connect to an
address:port where nothing is listening), sshd isn't even aware of it.

--Per Hedeland
per@hedeland.org
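
The check described in the reply above, as an added example that is not part of the original post: it classifies the address a forwarded port is bound to from `ss -ltn` output and reads the global GatewayPorts value from sshd_config text. The ports 2222 and 2223, the sample listener table and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample inputs are constructed.

# Constructed `ss -ltn` output from an SSH server: 2222 is a remote forward
# bound to loopback (GatewayPorts no), 2223 one bound to the wildcard address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:2222      0.0.0.0:*
LISTEN 0      128    [::1]:2222          [::]:*
LISTEN 0      128    0.0.0.0:2223        0.0.0.0:*'

# bind_scope PORT: reads `ss -ltn` text on stdin and prints
# none | loopback | specific | wildcard for the listeners on PORT.
bind_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)          # last colon, so IPv6 is safe
            if (!n || substr($4, n + 1) != port) next
            host = substr($4, 1, n - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]") wild = 1
            else if (host ~ /^127\./ || host == "[::1]") loop = 1
            else spec = 1
        }
        END {
            if (wild) print "wildcard"         # reachable from other hosts
            else if (spec) print "specific"
            else if (loop) print "loopback"    # other hosts get "Connection refused"
            else print "none"
        }'
}

# gatewayports_setting: reads sshd_config text on stdin and prints the global
# GatewayPorts value. The first occurrence wins; the default is "no".
# Assumption: no Include files, and Match blocks are ignored.
gatewayports_setting() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }'
}

for p in 2222 2223; do
    printf '%s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_SS" | bind_scope "$p")"
done
```

On a live server, pipe the real `ss -ltn` output and the sshd_config file into the two functions instead of the constructed samples.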