Configuring Firewall for Trusted Zone SSH Access

Discussion in 'ESET Smart Security' started by madjack59, Feb 3, 2011.

Thread Status:
Not open for further replies.
  1. madjack59

    madjack59 Registered Member

    Joined:
    Feb 3, 2011
    Posts:
    4
    I'm currently evaluating the ESET Smart Security 4.2.71.2 on a Windows 7 64-bit workstation.

    It works as expected, except that I've been unable to figure out how to configure it to allow SSH access to a Git host running on a Linux server.

    Here's what I enter and what I get in response with the firewall enabled:

    $git pull origin
    ssh: nereid: no address associated with name
    fatal: The remote end hung up unexpectedly

    I then added a rule for allowing SSH (port 22) to the particular server's IP address and have rules to allow incoming and outgoing NetBios requests to computers in the Trusted Zone defined to include the subnet 192.168.2.0/255.255.255.0.

    Same error.

    I even went so far as adding rules to Allow incoming and outgoing TCP & UDP access via all ports (0-65535), as well as ICMP, with any computer in the Trusted Zone.

    Same error.

    I then disabled the firewall and GIT access worked fine.

    So clearly I'm missing something... though I think it really shouldn't be this hard. :)

    jack
     
  2. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
  3. madjack59

    madjack59 Registered Member

    Joined:
    Feb 3, 2011
    Posts:
    4
    Dmaasland,

    Thanks for the response. Before trying your suggestions, I added the server name to my HOSTS file on a suggestion from a peer.

    That seemed to resolve the original "ssh: nereid: no address associated with name" issue. (Basically, I just worked around whatever the firewall was blocking.) However, that still didn't solve the problem completely, as I was now getting the following error after entering the GIT pull command:

    $git pull origin
    ssh: connect to host nereid port 22: Bad file number
    fatal: The remote end hung up unexpectedly

    I confirmed SSHD was running on the server. After turning off the firewall, the issue went away.

    So I followed your first suggestion, turning on logging. However, nothing shows up in the log. I double checked the Setup to confirm that the "Log all blocked connections" checkbox was selected. I got the same "ssh: connect to host nereid port 22: Bad file number" error. I disabled the firewall and the error goes away.

    As for your second suggestion, I already was using Interactive mode. However, I'm never prompted for a decision when attempting the GIT Pull command via SSH. It simply fails with the error(s) I've described.

    My evaluation of ESET Smart Security is starting to take shape. :)

    At this point, I'm thinking it may not be the tool for my needs. I already have a firewall appliance guarding the WAN connection to my network, so a local, per-workstation software firewall is not an absolute requirement. It was just an extra layer of protection I thought would be useful. However, if I have to keep disabling it to get my work done, it may be more trouble than it's worth for my needs.

    I'll wait another day or so to see if any more suggestions are available. If I can't get it resolved, I'll move on to explore other options.

    jack
     
  4. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Perhaps it would be helpful to know more about the network structure at this point. Is it a remote server? What about routers etc.? I'm personally using ESS 4.2.71 with a lot of SSH / GIT and it worked for me without any configuration, to be honest. Do you have SSL scanning enabled?
     
    Last edited: Feb 4, 2011
  5. madjack59

    madjack59 Registered Member

    Joined:
    Feb 3, 2011
    Posts:
    4
    I'm sorry to keep this thread going, but I've had no luck getting ESET Security configured to allow SSH access to/from a server in my trusted zone.

    In the Zone & Rule Setup editor, I have:

    Action: Both ways
    Protocol: TCP & UDP (can this be TCP only?)
    Address: 192.168.2.207 (this is in trusted zone 192.168.2.0/255.255.255.0)
    Local Port: SSH (22)
    Remote Port: SSH (22)
    Application: All

    BTW, SSL Scanning is off.

    When I attempt a push/pull via GIT, after about 30 seconds, I get:

    ssh: connect to host nereid port 22: Bad file number
    fatal: The remote end hung up unexpectedly

    Yes, I have a firewall appliance (SonicWall). No, it's not the problem. How do I know?

    I set ESET to "Do Not Filter Network Traffic (Disable Firewall)" and SSH access works fine. ESET firewall on, SSH doesn't work. ESET firewall off, SSH works fine.

    I'd really like to get this resolved so I can stop manually disabling/enabling the firewall whenever I have to do a GIT push/pull using SSH.

    jack
     
  6. Echofig

    Echofig Registered Member

    Joined:
    Jun 17, 2009
    Posts:
    10
    Your local port will not be 22. This will be a random numbered port above 1024.

    Try something like this

    Direction: Out
    Action: Allow
    Proto: TCP
    Profile: For every

    Remote side:
    IP address: your server IP address
    Zone: Trusted zone
    Port: SSH (22)

    Local Side:
    Port range: 1025 - 65535
    Application: C:\Program Files (x86)\Putty\putty.exe
     
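To show why the rule from post 5 never matches while Echofig's does, here is a small rule-matching model written for this thread (added example, not ESET's code or anything posted by the participants). The git host address and the two rule definitions come from the posts above; the ephemeral local port, the DNS lookup and the resolver address 192.168.2.1 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

GIT_HOST = ip_network("192.168.2.207/32")   # server address from post 5

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in", "out" or "both"
    protos: frozenset     # e.g. frozenset({"tcp"})
    remote_net: IPv4Network
    remote_ports: range   # remote port range the rule covers
    local_ports: range    # local port range the rule covers

@dataclass(frozen=True)
class Conn:
    direction: str   # as seen from the workstation
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int

def matches(rule: Rule, conn: Conn) -> bool:
    """True only if every field of the rule covers the connection."""
    return (rule.direction in ("both", conn.direction)
            and conn.proto in rule.protos
            and ip_address(conn.remote_ip) in rule.remote_net
            and conn.remote_port in rule.remote_ports
            and conn.local_port in rule.local_ports)

def first_match(rules, conn):
    """Name of the first rule allowing the connection, or None (blocked)."""
    for rule in rules:
        if matches(rule, conn):
            return rule.name
    return None

# madjack59's rule from post 5: local AND remote port pinned to 22.
MADJACK_RULE = Rule("ssh both ways", "both", frozenset({"tcp", "udp"}),
                    GIT_HOST, range(22, 23), range(22, 23))
# Echofig's rule: outbound TCP to port 22 from any ephemeral local port.
ECHOFIG_RULE = Rule("ssh out", "out", frozenset({"tcp"}),
                    GIT_HOST, range(22, 23), range(1025, 65536))

# Constructed: git's ssh client picks an ephemeral local port (assumed 49152).
GIT_SSH = Conn("out", "tcp", 49152, "192.168.2.207", 22)
# Constructed: the DNS lookup of "nereid" (assumed resolver 192.168.2.1);
# neither rule covers it, which a HOSTS entry sidesteps as post 3 describes.
DNS_LOOKUP = Conn("out", "udp", 51002, "192.168.2.1", 53)

if __name__ == "__main__":
    for rules in ([MADJACK_RULE], [ECHOFIG_RULE]):
        print(rules[0].name, "->", first_match(rules, GIT_SSH), first_match(rules, DNS_LOOKUP))
```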