11 Replies Latest reply: Dec 9, 2019 10:44 AM by Steven Davidson

    understanding established connections

    Matt

      OK, I have a concept that I am trying to understand.

      If I use an SFTP client, put in the hostname of a known server out in the public world, use port 22 and hit connect, my PC, from a random port, sends info to the router; it then translates it to a public IP and sends it to the big giant web of routers/switches in the cloud, and it then arrives at said SFTP server, destined for port 22.

      On the way back is where I am confused. Why is it that a connection is made without a firewall blocking that incoming traffic? Is it because it's an established connection now and the 3-way handshake has begun?

      Thanks

        • 1. Re: understanding established connections
          Martin

          Yes, in a nutshell. There are several types of firewalls; the one that applies here is called a stateful firewall. Since you on the internal network are permitted to go out, and you have initiated a connection to the outside, traffic that is coming back to you is permitted.

          See Introduction to Firewalls - YouTube

          What are Firewalls? - YouTube
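A toy model of the stateful behaviour described in this reply, added here as an example (it is not code from the thread or from any product). It assumes the firewall sees the LAN's private addresses directly (NAT is not modelled) and uses constructed addresses: the PC's outbound SYN to port 22 creates a table entry, the server's SYN/ACK matches it and is allowed, while an unsolicited inbound SYN to the PC is dropped.

```python
from dataclasses import dataclass

INTERNAL_NET = "192.168.1."   # constructed private LAN prefix


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Outbound connections are allowed and remembered; an inbound packet passes
    only if it belongs to a connection the inside host started."""

    def __init__(self):
        # state table keyed by (lan_ip, lan_port, remote_ip, remote_port)
        self.table = set()

    def filter(self, pkt):
        if pkt.src_ip.startswith(INTERNAL_NET):
            if pkt.syn and not pkt.ack:          # new connection from inside
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # inbound: allowed only if the mirrored 4-tuple is in the state table
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self.table else "DROP"


def demo():
    """Walk the SFTP handshake from the thread through the firewall."""
    fw = StatefulFirewall()
    pc, sftp = "192.168.1.10", "203.0.113.5"        # constructed addresses
    return [
        fw.filter(Packet(pc, 51234, sftp, 22, syn=True)),            # outbound SYN
        fw.filter(Packet(sftp, 22, pc, 51234, syn=True, ack=True)),  # SYN/ACK back in
        fw.filter(Packet(pc, 51234, sftp, 22, ack=True)),            # final ACK
        fw.filter(Packet("198.51.100.7", 40000, pc, 22, syn=True)),  # unsolicited SYN
    ]


if __name__ == "__main__":
    print(demo())   # ['ALLOW', 'ALLOW', 'ALLOW', 'DROP']
```

A real router additionally records the translated public address and port for each entry, which is why the return packet addressed to the public IP still finds its way back to the PC.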

          • 2. Re: understanding established connections
            Matt

            OK, perfect. This leads me to my next question of frustration.

            I have an SSH server at home. It worked perfectly when I had Xfinity internet. We had to switch to CenturyLink and nothing works for the SSH server. I have turned off all firewalls, including the router's firewall and the Win 10 firewall, and still no go.

            Now, I did do a port forward for TCP 25565, tested a game server, and it works just fine, BUT if I try SSH on ANY port, including 25565, which is set up in the router as an allowed port... the connection is never made to my server. No hits in the logs or anything. Even when I turn off all firewalls and virus scanners for 33 seconds, NOTHING. I'm beginning to think my ISP is blocking it at the protocol level on THEIR routers?

            EDIT: I can SSH to an outside server with no issues, but I can't SSH into my own, haha.

            Thanks

            • 3. Re: understanding established connections
              Martin

              Comcast cable Internet is better than the DSL one from CenturyLink. I had them both.

              It is possible they are blocking. So you have a DSL modem with router and wireless hub. Have you tried putting your server in the DMZ zone, if there is such an option?

              • 4. Re: understanding established connections
                Matt

                Yes, I tried that :) I have tried so much stuff. I even called them, haha, but their techs are not trained in this kind of environment. I even tried obfuscation and still no go.

                Xfinity has more freedom in my opinion, but I couldn't help that the campus switched... At least I have access to the router though, haha.

                I can SSH into my friend's server no problem, but not into my own, haha.

                So what my plan is now: I have an EC2 instance of Ubuntu on an Amazon VPS. I just got it. I'm going to see if I can set up a reverse SSH and use the VPS as a relay back to my own home PC. This way, I can access my dang files while in class from ANY PC using a USB thumb drive and an SFTP client.

                A workaround I have found: install Hamachi on my server and then on my laptop. I can SSH this way or just map the drive. But if I were to be at school on one of their machines, or at a library, I'm hosed, haha.

                • 5. Re: understanding established connections
                  Steven Davidson

                  Matt wrote:

                  OK, perfect. This leads me to my next question of frustration.

                  I have an SSH server at home. It worked perfectly when I had Xfinity internet. We had to switch to CenturyLink and nothing works for the SSH server. I have turned off all firewalls, including the router's firewall and the Win 10 firewall, and still no go.

                  Now, I did do a port forward for TCP 25565, tested a game server, and it works just fine, BUT if I try SSH on ANY port, including 25565, which is set up in the router as an allowed port... the connection is never made to my server. No hits in the logs or anything. Even when I turn off all firewalls and virus scanners for 33 seconds, NOTHING. I'm beginning to think my ISP is blocking it at the protocol level on THEIR routers?

                  EDIT: I can SSH to an outside server with no issues, but I can't SSH into my own, haha.

                  Thanks

                  What make/model is the DSL router?

                  • 6. Re: understanding established connections
                    Matt

                    It's a ZyXEL C3000Z. Funny thing is, they have an option to turn on remote management via SSH, but BLOCK it, haha. I even turned that on, and made sure that the firewall had ports 22, 47506, 25565, and 8022 open since I tried all of those ports for SSH. I do know the port forward operation is working because I tried the exact same ports for a game server and it works just fine, haha.

                    Thanks

                    • 7. Re: understanding established connections
                      Martin

                      What the heck is a ZyXEL C3000Z?

                      • 8. Re: understanding established connections
                        Steven Davidson

                        It not working as you expect != they are blocking it. Maybe you didn't configure it correctly.

                        • 9. Re: understanding established connections
                          Steven Davidson

                          Here's the help page for the "Advanced Settings" section. Let's go through this and see what we can figure out: https://www.centurylink.com/home/help/internet/modems-and-routers/zyxel-c3000z.html#advanced

                          • 10. Re: understanding established connections
                            Steven Davidson

                            Matt wrote:

                            It's a ZyXEL C3000Z. Funny thing is, they have an option to turn on remote management via SSH, but BLOCK it, haha. I even turned that on, and made sure that the firewall had ports 22, 47506, 25565, and 8022 open since I tried all of those ports for SSH. I do know the port forward operation is working because I tried the exact same ports for a game server and it works just fine, haha.

                            Thanks

                            Configure Remote Console on your ZyXEL C3000Z | CenturyLink Internet Help

                            1.) Are you absolutely sure you tried the correct WAN IP address?

                            2.) Did you try to access the WAN IP from behind a corporate firewall? (not recommended)

                            3.) If you want to access the modem via SSH then I wouldn't have tcp/22 in any kind of port forwarding configuration.

                            Make sure you have the correct IP address. Tether to your LTE service on your mobile phone. Remove any port forwarding for tcp/22. Then try to SSH into your DSL modem.
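A small probe that supports the checklist in this reply, added here as an example (not code from the thread or from CenturyLink). Run from an outside vantage point such as the tethered phone, it distinguishes a completed handshake from a refused connection and from a silent drop, and compares the port that is known to work (the game server) against the SSH port on the same WAN address; the host, ports and the localhost self-test are assumptions.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt to host:port.
    'open'       handshake completed: something listens there (or is forwarded)
    'closed'     RST came back: a host answered but nothing listens on that port
    'filtered'   timeout/unreachable: silently dropped somewhere on the path
    'unresolved' the hostname did not resolve at all"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "unresolved"
    except OSError:            # includes socket.timeout / TimeoutError
        return "filtered"


def compare_forwards(host, working_port, failing_port, timeout=3.0):
    """Probe the known-good port and the failing one from the same vantage point
    and say what the pair of results points at."""
    ok = probe_tcp(host, working_port, timeout)
    bad = probe_tcp(host, failing_port, timeout)
    if bad == "open":
        verdict = "ssh port reachable: look at the server side (sshd bound, auth, logs)"
    elif bad == "closed":
        verdict = "RST returned: the forward reaches a host with no listener on that port"
    elif ok == "open":
        verdict = "same path works for the other port: the drop is port-specific"
    else:
        verdict = "nothing reachable: check WAN IP, vantage point, or the whole path"
    return {"working": ok, "failing": bad, "verdict": verdict}


def local_listener():
    """Constructed stand-in for a forwarded service, used only for a self-test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    print(probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print(probe_tcp("127.0.0.1", port))   # closed: nothing listens any more
```

A "filtered" result on the SSH port next to "open" on the game port is the pattern that separates a silent drop from a simple configuration mistake; "closed" means the packets did arrive somewhere.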

                            • 11. Re: understanding established connections
                              Steven Davidson

                              Also, if you can get an IPv6 prefix from CenturyLink then I would try SSH to the v6 address instead. That should remove the complexities that might result from NAT and v4.