[vox-tech] SSH Troubles

Ken Herron kherron+lugod at fmailbox.com
Sat Jul 22 06:37:46 PDT 2006


Marc Elliot Hall wrote:
> On Fri, Jul 21, 2006 at 08:50:46AM -0700, Ken Herron wrote:
>   
>> Ken Herron wrote:
>>     
>>> Also, I've read that to port-forward an FTP server, the firewall has 
>>> to watch the FTP command channel, open holes for each data connection, 
>>> and maybe even modify some packets.
>>>       
>> Okay, see <http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html>, 
>> in particular "Why PORT Poses Problems for Routing Devices" and 
>> "Problems when the FTP Server is Listening on a Non-Standard Port 
>> Number". Now imagine your netgear thinks it's dealing with FTP and is 
>> doing that to your ssh sessions.
>>
>>     
> Not that I'm disagreeing with you about the router's possible confusion,
> but I'm not running an FTP server. ;-)
>   

I never said you were. You're running ssh over port 21, which is 
normally the ftp command channel port. So the router might be applying 
its ftp forwarding support to your ssh traffic and scrambling it in the 
process.

> I'll investigate further in this direction; however I don't think my 
> appliance is nearly smart enough to rewrite packet headers. It just 
> accepts inbound traffic on designated ports and passes it through 
> unmodified to the same port on a specified host on my network. 
>   

Netgear routers can port-forward ftp. If you'd read the link above, 
you'll see that dumb packet forwarding isn't sufficient to port-forward 
ftp. So netgear routers almost certainly have logic to do the protocol 
monitoring and packet rewriting described.
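As an added, constructed illustration (not code from the thread or from the ncftp page) of the two pieces of router behaviour at issue: a minimal FTP helper that rewrites PORT commands on the command channel (and so changes segment length, which is why such a helper must also adjust TCP sequence numbers and open a pinhole for the data connection), and the greeting check a helper should do before treating port-21 traffic as FTP, so that an ssh server parked on port 21 is left alone. The addresses, ports and banners are made up.

```python
import re

# Constructed sketch of a NAT router's FTP helper (ALG) and of the protocol
# check it should do first. Addresses and payloads here are invented.

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def ftp_alg_rewrite(payload: bytes, private_ip: str, public_ip: str):
    """Rewrite PORT commands that name private_ip so they name public_ip.

    Returns (new_payload, seq_delta, data_port). seq_delta is how much longer
    (or shorter) the TCP segment became; a real helper must add it to the
    sequence/ack numbers of every later segment in the session. data_port is
    the client-side data port the helper must open a pinhole for, or None if
    no PORT command for private_ip was present.
    """
    data_port = None

    def fix(m):
        nonlocal data_port
        host = b".".join(m.group(i) for i in range(1, 5))
        if host != private_ip.encode():
            return m.group(0)  # some other host: leave the line untouched
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        pub = public_ip.replace(".", ",").encode()
        return b"PORT %s,%s,%s\r\n" % (pub, m.group(5), m.group(6))

    out = PORT_RE.sub(fix, payload)
    return out, len(out) - len(payload), data_port


def looks_like_ftp(first_server_bytes: bytes) -> bool:
    """An FTP server greets with a '220' reply line; an ssh server sends an
    'SSH-x.y-' banner first. A helper keyed only on the port number skips
    this check and will apply FTP rewriting to ssh-on-21 traffic."""
    return first_server_bytes.startswith((b"220 ", b"220-"))


if __name__ == "__main__":
    cmd = b"PORT 10,0,0,5,4,1\r\n"
    print(ftp_alg_rewrite(cmd, "10.0.0.5", "203.0.113.9"))
    # -> (b'PORT 203,0,113,9,4,1\r\n', 3, 1025)
    print(looks_like_ftp(b"220 ftpd ready\r\n"))      # True
    print(looks_like_ftp(b"SSH-2.0-example\r\n"))    # False
```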
