SSH Tunnel yielding "administratively prohibited: open failed" after a few hours
Solution 1
I've seen the same message when trying to do a port forward to an unreachable destination:
ssh example.com -L 1337:example.invalid:80
telnet localhost 1337
[email protected]:~$ channel 3: open failed: administratively prohibited: open failed
Solution 2
“Administratively prohibited” is also one of the ICMP control messages. Is it possible a router between the SSH server and the tunnel destination is sending this?
If sniffing is possible, a simple pcap filter with just icmp can show you all ICMP traffic.
Ismail Degani
Updated on September 17, 2022
Comments
-
Ismail Degani over 1 year
Given that generic types create separate instances of static fields per-type combination, is this a valid pattern to use if I want to have a static field across all types?
    using System.Threading;

    public class BaseClass
    {
        public static int P = 0;
    }

    public class ChildClass<T> : BaseClass
    {
        public static int Q = 0;

        public void Inc()
        {
            // ChildClass<int> will have a different "Q" than ChildClass<double>
            Interlocked.Increment(ref Q);
            // all types of ChildClass will increment the same P
            Interlocked.Increment(ref P);
        }
    }
Is there anything unsafe about this approach? My toy example works, but I just wanted to make sure there are no horrible side effects, threading consequences, etc :)
-
Chris Sinclair about 11 years
Only real unsafe part about it is the incrementation (as it is now) which will not be threadsafe. EDIT: Also, I'm assuming you'd want to control get/set access (do you want it to be publicly settable, or only increment privately within the Inc method?)
-
Ismail Degani about 11 years
Haha good point. I have to be less careless with my example. Assume Interlocked something or other please
-
Ismail Degani about 11 years
The actual problem I'm dealing with is that I want a single threadsafe queue, but the class that adds things to this internal queue is generic. So the "value" will not be publicly settable.
-
Chris Sinclair about 11 years
Then yeah, no real issues I think. Just remember that <T> will be unique for any particular subclass or interface used. So ChildClass<Stream> will have a different Q than ChildClass<MemoryStream>, same with ChildClass<IEnumerable> and ChildClass<ArrayList>.
-
Chris Sinclair about 11 years
Not sure if I follow exactly what you're saying there Ismail. Perhaps you can post the code that you're thinking of and then we can comment on thread-safety?
-
Chris Sinclair about 11 years
I guess specifically about your question, no, there are no terrible side effects about this. So long as you understand about uniqueness of Q with respect to T, then it's perfectly valid to take advantage of static members within generic classes like this. Probably the most significant is if you were to create a locking object on ChildClass<T> (like private static object LockingObject = new Object()) you need to recognize that the lock will not be shared between different concrete ChildClass<T> types. If you need a shared lock, you need to define the object on BaseClass.
-
jam40jeff about 11 years
P does not need to be in a base class of ChildClass<T> since it is static. You could just do: public static class ChildClass { public static int P; } and reference it as ChildClass.P. Also, you should not initialize ints to 0, as it is the default value for a field anyway.
-
Admin over 10 years
Did you ever find the solution to this?
-
Admin over 10 years
@sybind No, but I continue using ssh -D a lot, without any problem now. Do you experience it? Which version? Only a few drops?
-
Admin over 10 years
I did have this problem, somehow fixed it, then I ran into another wall with setting up the routes between the two hosts. The fix may have been related to setting a static arp cache entry..
-
Admin over 6 years
-D *:1080 does not mean what you think it means. You should replace that with -D '*:1080' or just -D :1080.
-
Admin over 6 years
@kasperd what do you think -D *:1080 means?
-
Admin over 6 years
@Mandark First of all it will look for all files in the current directory whose name ends with :1080. If no such file exists there will be three different behaviors depending on how your shell is configured. If one or more files match the pattern, the behavior will depend on how those files are named. It could even change which server you are logging in to.
-
Admin over 6 years
@kasperd Thanks for this instructive paragraph. But as my ssh process is working for a few days before starting to slowly break, I don't think it can be related to a path expansion problem. I also don't use nullglob, and don't have any file ending with :1080 but will change in my question to clarify if anyone reads it. Thanks again.
-
Admin over 6 years
BTW I asked this 7 years ago, and no longer use -D on a daily basis, so I no longer encounter this bug, which may be fixed since. So if anyone gets the exact same symptoms it still makes sense, else it no longer makes sense.
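The filename expansion of an unquoted -D *:1080 discussed in the comments above can be observed without running ssh at all. The following is an added example, not part of the original thread; the file names and function names are constructed for the demonstration, and it assumes a POSIX shell with default globbing (no nullglob or failglob).

```shell
#!/bin/sh
# Shows the words the shell hands to a command for `-D *:1080`,
# depending on which files exist in the current directory.

# expand_in DIR: print, one per line, the words that an unquoted
# `-D *:1080` becomes when typed in DIR.
expand_in() {
    ( cd "$1" || exit 1
      set -- -D *:1080          # unquoted on purpose: the shell globs it
      printf '%s\n' "$@" )
}

# quoted_in DIR: the same, with the pattern quoted as recommended.
quoted_in() {
    ( cd "$1" || exit 1
      set -- -D '*:1080'
      printf '%s\n' "$@" )
}

demo() {
    d=$(mktemp -d) || return 1
    # No matching file: the pattern is passed through literally.
    echo "no match:    $(expand_in "$d" | tr '\n' ' ')"
    # One match: the bind address is silently replaced by a file name.
    : > "$d/notes:1080"
    echo "one match:   $(expand_in "$d" | tr '\n' ' ')"
    # Two matches: an extra word appears after the -D argument, where
    # ssh expects the destination host.
    : > "$d/other.example:1080"
    echo "two matches: $(expand_in "$d" | tr '\n' ' ')"
    # Quoted: always the literal pattern, whatever the directory holds.
    echo "quoted:      $(quoted_in "$d" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

With the pattern quoted, the words passed are the same in every directory, which is why -D '*:1080' or -D :1080 is the safe spelling.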
-
-
Latif almost 14 years
I'll check the memory server-side the next time, and write it here. The bad link idea: I think not, as if I restart the ssh, it works well again
-
Latif almost 14 years
New one this day, checked client and server health (cpu, memory, logs) nothing particular.
-
Will Dixon almost 14 years
I never said it was :)
-
Ismail Degani about 11 years
Thanks for the answer, but the question was more about the inheritance / singularity of the static field, not really anything to do with the actual incrementing of an int. I'll update my question with your interlocked code.
-
Dave Clarke over 6 years
@Andrew This saved me!