Thanks all for the numerous thoughtful replies, both on and off list.<br><br>> the URL to use to get to the management and diagnostic console on my 2wire box<br>Per my earlier post with all the details (which I now see never made it through to the list) I am running the new uVerse 3801HGV router. This router does not have the /mdc menu. AT&T third level tech support and the manufacturer both confirmed that they no longer support extended features in AT&T specific routers.<br>
<br>> Any chance AT&T blocks incoming port 22<br>Scott, good ideas there. I can confirm that AT&T is not blocking the SSH port as my router's firewall log is showing the incoming packets and admitting to dropping them. See the log excerpt at the bottom of the initial email in this chain:<br>
<table><tbody><tr><td>INF</td>
<td>2013-07-26T20:15:42-07:00</td>
<td>fw</td>
<td>src=162.200.153.165 dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Session Matches User Pinhole, Packet Passed</td>
</tr>
<tr>
<td>INF</td>
<td>2013-07-26T20:15:42-07:00</td>
<td>fw</td>
<td>src=162.200.153.165 dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Drop traffic to <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a></td></tr></tbody></table><br>This shows that the packets are getting through to the 3801, that it is recognizing that I have defined a pinhole rule to pass port 22 traffic on to 172.28.1.2 and that it is dropping all traffic to the entire 172.16/12 subnet from the second packet on.<br>
<br>> it's not clear from your original email if you are trying to ssh inbound to your house or outbound<br>Claude, yes I am trying to get inbound SSH traffic to pass through the router to my SSH host.<br><br>>What has changed since you were last able to use ssh?<br>
My current DSL modem (a 2wire 2701HG) died. AT&T would not support fixing it, my only options were to purchase a new DSL router from a third party or take advantage of a fabulous and unique opportunity to switch over to uVerse for a $26/month discount. It turned out that tripling my bandwidth reduced my Internet monthly bill by $5/mo the second year and $30/mo the first so I decided (against all previous experience) to give it another go.<br>
<br>> Setting up OpenWRT or DD-WRT or some such and bridging it to the 2Wire will give you MUCH nicer firewalling options.<br>Yeah, I am running a large Cisco router behind the AT&T DSL. It fronts 52 ports of gigE, 8 ports of VOIP and lots of other features. Unfortunately I don't have a Cisco account for $n,000 per year so I can't download the firmware that includes firewall functionality. I am stuck using the 2wire for my firewall, not at all the best solution. I also have 2 great FireBox firewalls, but they again require a $n00/mo firewall update service to make functional...<br>
<a href="http://www.watchguard.com/products/?gclid=CPmQzMba3bgCFWXZQgod-XIAjQ">http://www.watchguard.com/products/?gclid=CPmQzMba3bgCFWXZQgod-XIAjQ</a><br><br>If anyone has experience with the fireboxes and wants to help me get one working in trade for the second one please feel free to drop me a line.<br>
<br>> Also, ssh -vv is often helpful.<br>Thanks Rae. Unfortunately I am using ConnectBot from my tablet to test the connection, I don't know how to offer it flags. I don't see anything in connection or application settings here. I tried to use my (again braindead) ISP to bounce SSH but they don't support outgoing SSH connections. (Doh!)<br>
<br>I set up my laptop to VPN from my home network into work, then transferred to another server up in the bay area, bounced through an east coast data center then back to my home using the -v flag in SSH. It just confirmed that ddns is working and that nothing is getting past the firewall.<br>
<br>So no luck so far... :(<br><br>Matt<br><br><div class="gmail_quote">On Thu, Aug 1, 2013 at 10:30 AM, Christopher Smith <span dir="ltr"><<a href="mailto:cbsmith@gmail.com" target="_blank">cbsmith@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">FYI, most 2Wire products have a feature of bridging to another router. Setting up OpenWRT or DD-WRT or some such and bridging it to the 2Wire will give you MUCH nicer firewalling options.<div>
<br></div><div>
I didn't see mention of which model of 2Wire router you have. That would make it much easier to help you out.</div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Wed, Jul 31, 2013 at 3:53 PM, Claude Felizardo <span dir="ltr"><<a href="mailto:cafelizardo@gmail.com" target="_blank">cafelizardo@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Okay, it took me a while to figure out how to access my DSL modem at home remotely - I have an entry in my .ssh/config to forward port 9001 to the router, but I couldn't remember the URL to use to get to the management and diagnostic console on my 2wire box (It was localhost:9001/mdc which was in my bookmarks of course!)<div>
<br></div><div>Anyway, I'm not seeing my port 22 attempts to log in so it's still blocked presumably by the modem. With my old netgear RT311 router I used to log everything but lost that ability when I "upgraded" to a 2wire DSL modem/router from my original Alcatel modem. </div>
<div><br></div><div>Hmm, looks like I'm seeing some SYN/FIN DDoS attacks that I'll have to investigate. But I see the ipprot=6 that was mentioned in the original post, but I believe that means IP protocol 6, which is TCP, not to be confused with IPv6. ipprot=1 is used by ping and traceroute, ipprot=17 is UDP.</div>
<div><br></div><div>I was going to try and add port 22 for a short test but I don't remember how to edit the "applications". I can see that I have defined custom services for my port knocking ports, weather station and others, and how to create new ones, but I don't see an option to edit.</div>
<span><font color="#888888">
<div><br></div><div>Claude</div></font></span><div><div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Wed, Jul 31, 2013 at 12:59 PM, Claude Felizardo <span dir="ltr"><<a href="mailto:cafelizardo@gmail.com" target="_blank">cafelizardo@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Matt, it's not clear from your original email if you are trying to ssh inbound to your house or outbound.<div>What has changed since you were last able to use ssh? Server at home? Different ISP or switched to Uverse from something else like DSL or cable?</div>
<div><br></div><div>I long ago decided to block port 22 and use a non standard port that will only work from specific hosts/domains using a combination of shorewall and /etc/hosts.allow. I also use port knocking if I want to connect from unexpected sites. Never got around to setting up automatic blacklists for DDoS attacks as I haven't had any problems (knock on wood).</div>
<span><font color="#888888">
<div><br></div><div>Claude</div></font></span><div><div><div><br></div><div><br><div class="gmail_quote">On Wed, Jul 31, 2013 at 12:40 PM, Scott Packard <span dir="ltr"><<a href="mailto:spackard@gmail.com" target="_blank">spackard@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Any chance AT&T blocks incoming port 22, but would allow it if you phoned and asked for it to be enabled?<br>
<br></div>Back when I used their DSL, they allowed, then without notice blocked, inbound port 25. Later, they said I could have phoned them and asked for it to be unblocked, but by then I'd had enough.<br>
<br></div>Regards, Scott<br></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 31, 2013 at 12:09 PM, Matthew Campbell <span dir="ltr"><<a href="mailto:dvdmatt@gmail.com" target="_blank">dvdmatt@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p>Thanks Dan. Unfortunately AT&T's new modems have had all useful features castrated. I spent hours looking, talking to techs and eventually to the manufacturer to verify that menu no longer exists.</p>
<p>Rae, thank you for the ideas, I'll give it a shot tonight. I am using SSH from an IPv4 only platform, but with current security paranoia I don't think I can verify that AT&T is not routing me over IPv6 on the way. I don't know of a way to hook up a laptop outside the firewall to test.</p>
<p>Does anyone know if uVerse is IPv6 only?</p>
<p>Matt<br>
</p>
<div class="gmail_quote">On Jul 29, 2013 7:10 PM, "Dan Buthusiem" <<a href="mailto:dan.buthusiem@gmail.com" target="_blank">dan.buthusiem@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">What are the model and firmware for your router? There used to be a hidden menu in the 2701 HG-B, but the firmware still ignored those settings, anyway. My experience with 2Wire is that they make their products with AT&T's desires in mind, which comes at the expense of anyone with any amount of technical know-how who may be stuck using their products. YMMV. That being said, I'll take a stab anyway. :)</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 29, 2013 at 5:36 PM, Rae Yip <span dir="ltr"><<a href="mailto:rae.yip@gmail.com" target="_blank">rae.yip@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Double-check that your ssh client isn't attempting to use IPv6 or something. (Note the ipprot=6 in your logs)</p>
<p dir="ltr">Also, ssh -vv is often helpful.</p><span><font color="#888888">
<p dir="ltr">-Rae.</p></font></span><div><div>
<div class="gmail_quote">On Jul 29, 2013 4:48 PM, "Lakestake Rocketry" <<a href="mailto:lakestake@gmail.com" target="_blank">lakestake@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Good afternoon,<br><br>I am trying to get SSH through my firewall at home. I have set up a port redirect to senge, but I get a timeout when I connect to the port with ssh. The following messages appear in the firewall log. It looks like the first packet is being passed through, then following packets are being blocked... Any ideas? All Google gives me is a long list of people with similar problems.<br>
<br clear="all"><div>Matthew Campbell</div>
<br><br><div class="gmail_quote">---------- Forwarded message ----------<br><table><tbody><tr><td>INF</td>
<td>2013-07-26T20:15:42-07:00</td>
<td>fw</td>
<td>src=162.200.153.165 dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Session Matches User Pinhole, Packet Passed</td>
</tr>
<tr>
<td>INF</td>
<td>2013-07-26T20:15:42-07:00</td>
<td>fw</td>
<td>src=162.200.153.165 dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Drop traffic to <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a></td></tr></tbody></table><div><br></div>
</div><br>
</blockquote></div>
</div></div></blockquote></div><br></div>
</blockquote></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Chris
</font></span></div>
</blockquote></div><br>
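The thread turns on reading the 2Wire firewall log correctly: ipprot=6 is IP protocol 6 (TCP), not IPv6, and the two log entries show the same flow (same src, dst, sport, dport) being passed by the pinhole rule and then dropped by the "Drop traffic to 172.16.0.0/12" rule. The script below is an added example written for this page, not code from any participant or from 2Wire/AT&amp;T. It parses log lines in the format shown in the thread, decodes the protocol number, checks whether the destination is an RFC 1918 address, and reports every flow that was passed and subsequently dropped. The sample log is constructed from the two lines posted in the thread plus one made-up UDP line; the field layout and the regular expression are assumptions based on that excerpt.

```python
"""Parse 2Wire/AT&T-style firewall log lines and flag flows that were
passed by a pinhole rule and then dropped by a later rule.

Added example for this thread; not 2Wire or AT&T code. The log format
is assumed from the excerpt posted in the thread.
"""
import ipaddress
import re
from collections import defaultdict

# IP protocol numbers as they appear in the ipprot= field.
# 6 is TCP (not IPv6); 1 is ICMP (ping/traceroute); 17 is UDP.
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6-in-IPv4", 58: "ICMPv6"}

# Constructed sample: the two lines from the thread plus one invented UDP line.
SAMPLE_LOG = """\
INF 2013-07-26T20:15:42-07:00 fw src=162.200.153.165 dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Session Matches User Pinhole, Packet Passed
INF 2013-07-26T20:15:42-07:00 fw src=162.200.153.165 dst=172.28.1.2 ipprot=6 sport=40058 dport=22 Drop traffic to 172.16.0.0/12
INF 2013-07-26T20:16:01-07:00 fw src=198.51.100.7 dst=172.28.1.2 ipprot=17 sport=5353 dport=5353 Drop traffic to 172.16.0.0/12
"""

# Assumed layout: level, timestamp, facility, key=value fields, free-text message.
LINE_RE = re.compile(
    r"^(?P<level>\S+)\s+(?P<ts>\S+)\s+(?P<facility>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+ipprot=(?P<ipprot>\d+)"
    r"(?:\s+sport=(?P<sport>\d+))?(?:\s+dport=(?P<dport>\d+))?\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict describing one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ipprot"] = int(rec["ipprot"])
    rec["proto"] = IP_PROTO_NAMES.get(rec["ipprot"], f"proto-{rec['ipprot']}")
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    # Address family comes from the address itself, never from ipprot.
    rec["ip_version"] = ipaddress.ip_address(rec["src"]).version
    # True when dst falls in RFC 1918 space (172.28.1.2 is inside 172.16.0.0/12).
    rec["dst_private"] = ipaddress.ip_address(rec["dst"]).is_private
    if "Packet Passed" in rec["msg"]:
        rec["action"] = "pass"
    elif rec["msg"].startswith("Drop"):
        rec["action"] = "drop"
    else:
        rec["action"] = "other"
    return rec


def flow_key(rec):
    """Identify a flow by its 5-tuple so pass and drop entries line up."""
    return (rec["src"], rec["dst"], rec["ipprot"], rec["sport"], rec["dport"])


def passed_then_dropped(log_text):
    """Return the 5-tuples of flows the firewall passed and later dropped."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            history[flow_key(rec)].append(rec["action"])
    hits = []
    for key, actions in history.items():
        if "pass" in actions and "drop" in actions[actions.index("pass") + 1:]:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = parse_line(line)
        print(f"{r['proto']:5} IPv{r['ip_version']} {r['src']} -> {r['dst']}:{r['dport']} {r['action']}")
    for src, dst, proto, sport, dport in passed_then_dropped(SAMPLE_LOG):
        print(f"passed then dropped: {src}:{sport} -> {dst}:{dport} ({IP_PROTO_NAMES.get(proto, proto)})")
```

Run against the log on the page it prints the SSH flow as passed then dropped, which is the symptom Matt describes: the pinhole rule matches, but a later rule covering the whole 172.16.0.0/12 range still drops the traffic to the inside host.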