SSH Over IPV6 Possible Bug

ensō

New Member


Messages: 9

I've been trying to set up ssh exclusively over IPV6 but have run into a few issues. These are the steps I'm following; theoretically this should just work, which is why I'm baffled at this point. I researched a few guides going back to version 10.3 and the process seems to be as follows. However, when I attempt to ssh in using my IPV6 addy I get this message: "ssh: connect to host port 22: Host is down". Port 22 is clearly not down, so I'm not sure what that even means. If I disable IPFW then I can log in, but the interesting thing is IPFW is configured to accept ssh on port 22! I'm not sure if this is some sort of bug in 11 or if something has changed, but I haven't been able to determine why IPFW is behaving differently from 10.3 to 11!

1. /etc/ssh/sshd_config

Code:
Port 22
AddressFamily inet6
ListenAddress ::
AllowUsers username

2. /usr/local/etc/IPFW.rules

Code:
# allow outbound SSH traffic
$cmd 00280 allow tcp from any to any dst-port 22 out via $vif setup keep-state

# SSHguard puts offender addresses in table 22. Set up the table rule
# Please note the '\(22\)' syntax, necessary since it's run as shell command
$cmd 01000 deny ip from table\(22\) to any

# allow inbound ssh, mail. PROTECTED SERVICES: numbered ABOVE sshguard blacklist range
$cmd 56420 allow tcp from any to me dst-port 22 in via $vif setup limit src-addr 2

3. sysctl net.inet6.ip6.fw.enable=1

4. ssh username@ipv6_address

The last step isn't my literal ssh login info; I wouldn't post that for obvious reasons, but I've made an inactive IPV6 address for clarification, which is ssh fedora@2001:0db8:85a3:0000:0000:8a2e:0370:7334 | again, this address is only an example IPV6 address and is not active.
 

ShelLuser

Son of Beastie

Reaction score: 1,714
Messages: 3,531

4. ssh user@::
Is that the literal command you used, because that would explain a lot. If you try to connect to a host you need to specify an address of some sort, which you didn't. You supplied a wildcard.

(edit):

This is comparable to trying ssh user@0.0.0.0 which is also a non-existing address.
 

ensō

New Member


Messages: 9

Is that the literal command you used, because that would explain a lot. If you try to connect to a host you need to specify an address of some sort, which you didn't. You supplied a wildcard.

(edit):

This is comparable to trying ssh user@0.0.0.0 which is also a non-existing address.
It was ssh fedora@2001:0db8:85a3:0000:0000:8a2e:0370:7334

That was just an example: user = literal username and :: refers to the literal ipv6 address.
 

ShelLuser

Son of Beastie

Reaction score: 1,714
Messages: 3,531

That was just an example: user = literal username and :: refers to the literal ipv6 address.
When asking for help always use full examples; otherwise it's impossible for others to rule out possible causes.

Host down usually indicates that the host itself can be contacted but not the service itself. Have you tried using ping6 to ensure that the host is actually reachable?
 

ensō

New Member


Messages: 9

When asking for help always use full examples; otherwise it's impossible for others to rule out possible causes.

Host down usually indicates that the host itself can be contacted but not the service itself. Have you tried using ping6 to ensure that the host is actually reachable?
My apologies. This is interesting: it only works when IPFW is disabled? When I enable IPFW I get the following > "ping6: UDP connect: No route to host". However, I thought that IPV6 over tcp/udp didn't have to be explicitly stated in IPFW? On a side note, I did explicitly add rules for IPV6 before making this post but had the same result. I read a guide for 10.3 that suggested this was not necessary and that the steps I initially listed were the way to go.
 

ensō

New Member


Messages: 9

When asking for help always use full examples; otherwise it's impossible for others to rule out possible causes.

Host down usually indicates that the host itself can be contacted but not the service itself. Have you tried using ping6 to ensure that the host is actually reachable?
No answer? I've noticed you've corrected me on my semantics but haven't provided an answer to my question. It's not polite to waste people's time with such things if you don't actually have any valuable information to contribute. Let's not turn this forum into stack overflow. There you have a bunch of idiots who, instead of actually answering people's questions, comment on grammar and semantics and more often than not know little to nothing about the subject. When people are posting to forums they are looking for "ANSWERS", not lectures on semantics or grammar. I need an answer on how to properly set up IPFW to work with IPV6...

Right off the bat one could easily conclude I'm trying to use SSH over IPV6 with IPFW enabled. If you knew how this task was accomplished you would have just given me the technical information needed to do so... Step 4 is actually irrelevant; the point is how to enable IPFW to allow ssh over IPV6. Step 4 is purely anecdotal... So do you actually have an answer or were you just wasting my time?


Kindest Regards
 

ShelLuser

Son of Beastie

Reaction score: 1,714
Messages: 3,531

No answer?
You didn't provide enough information to give one.

It's not polite to waste peoples time with such things if you don't actually have any valuable information to contribute.
I fully agree. Just like it's not polite to simply ignore questions which were asked to try and gain the required information to try and find out what happened.

Your loss I'd say.

(edit): I just found the answer to my question in your rant, but I already lost motivation. You don't pay me to help you out, so getting impatient and ranting about it when someone doesn't answer you within x hours of time is a really good way to tick certain people off.

As said: I do this in my own time, and the moment people start demanding is the moment when I move on.
 

ensō

New Member


Messages: 9

You didn't provide enough information to give one.


I fully agree. Just like it's not polite to simply ignore questions which were asked to try and gain the required information to try and find out what happened.

Your loss I'd say.
The question is simple: either you know how to properly configure IPFW to work with SSH over IPV6 or you don't! Even if the question was simply "How do you configure IPFW to use SSH over IPV6?" you still haven't provided an "ANSWER", so I'm asking very politely: do you actually know how to configure IPFW to use SSH over IPV6? I'm not trying to piss you off, buddy, but you're over-complicating this tremendously. If you know the answer then please share it. It's just a simple technical question that's binary in nature, because either you know how it works or you don't.

Coming from stack overflow, where people constantly feel the need to critique everything but when it comes to actual "ANSWERS" and/or "SOLUTIONS" they come up short every time. This is mainly due to the fact the vast majority of those idiots have no actual knowledge or understanding about anything... This field is defined by 2 types of people: the people who provide solutions and the people who waste time. I never waste someone's time with b.s.; if I haven't got an answer I keep my mouth shut. Conversely, if I actually know the answer I consider it an honor and a privilege to pass that knowledge on to make someone else's life easier.

Please tell me what vital details you're missing? I've given you all of the necessary information pertaining to sshd_config, IPFW.rules and my configuration... If you can't solve the problem using that information then you're clearly on the wrong forum; this isn't a forum for windows server. I've provided you with everything you need to understand my problem. You know the basis of what I'm trying to accomplish, and that's to configure IPFW to use SSH over IPV6... So logically you could have just started with the necessary IPFW rules to enable SSH over IPV6....?

Let me put it this way! How would you configure IPFW to use SSH over IPV6? Is that simple enough for you?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,371
Messages: 29,907

I don't use IPFW but a lot can be learned from reading the ipfw(8) man pages.

Code:
# allow inbound ssh, mail. PROTECTED SERVICES: numbered ABOVE sshguard blacklist range
$cmd 56420 allow tcp from any to me dst-port 22 in via $vif setup limit src-addr 2
Take note of the me keyword:
Code:
             me      matches any IP address configured on an interface in the
                     system.

             me6     matches any IPv6 address configured on an interface in
                     the system.  The address list is evaluated at the time
                     the packet is analysed.
So the above rule only allows IPv4. If you also need to allow IPv6 you will need to create specific rules for it.
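An added example, not part of this thread or of the FreeBSD project, showing how the poster's rules look once the ipfw(8) me/me6 distinction is applied, plus the ICMPv6 traffic IPv6 cannot work without (neighbour discovery failing is one way ping6 ends up reporting "No route to host"). The interface name em0, the rule numbers beyond those in the thread and the default of printing rules instead of loading them are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): ipfw rules for
# sshd bound to IPv6 only (AddressFamily inet6), in the poster's $cmd / $vif
# style. em0 is an assumed interface name. 'cmd' defaults to printing the
# rules so the script can be reviewed before it touches a firewall.
cmd="${cmd:-echo ipfw -q add}"     # real use: cmd="ipfw -q add" sh this_script
vif="${vif:-em0}"                  # outside interface (assumed name)

# Neighbour discovery and path-MTU discovery are ICMPv6. If the firewall
# drops them the kernel cannot resolve the next hop, and ping6 reports
# "No route to host" even though the peer is up.
icmp6_rules() {
    # 1-4: unreachable / packet too big / time exceeded / parameter problem,
    # 128,129: echo request/reply, 133-136: router and neighbour solicit/advert
    $cmd 00300 allow ipv6-icmp from any to any icmp6types 1,2,3,4,128,129,133,134,135,136 via $vif
}

# 'me' matches only the IPv4 addresses configured on the box; 'me6' is the
# IPv6 counterpart (ipfw(8)), so the inbound ssh rule is needed per family.
ssh_rules() {
    $cmd 00280 allow tcp from any to any dst-port 22 out via $vif setup keep-state
    # sshguard blacklist table, kept as in the poster's rules
    $cmd 01000 deny ip from table\(22\) to any
    $cmd 56420 allow tcp from any to me dst-port 22 in via $vif setup limit src-addr 2
    $cmd 56421 allow tcp from any to me6 dst-port 22 in via $vif setup limit src-addr 2
}

icmp6_rules
ssh_rules
```

Review the printed rules against `ipfw list` on the host, then rerun with `cmd="ipfw -q add"` to load them.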
 

ensō

New Member


Messages: 9

I don't use IPFW but a lot can be learned from reading the ipfw(8) man pages.

Code:
# allow inbound ssh, mail. PROTECTED SERVICES: numbered ABOVE sshguard blacklist range
$cmd 56420 allow tcp from any to me dst-port 22 in via $vif setup limit src-addr 2
Take note of the me keyword:
Code:
             me      matches any IP address configured on an interface in the
                     system.

             me6     matches any IPv6 address configured on an interface in
                     the system.  The address list is evaluated at the time
                     the packet is analysed.
So the above rule only allows IPv4. If you also need to allow IPv6 you will need to create specific rules for it.
Thank You Kindly Sir!
 