Date:      Wed, 24 Aug 2005 10:29:09 +0200
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Pat Maddox <pergesu@gmail.com>
Cc:        Stephen Major <smajor@gmail.com>, remko@freebsd.org, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Security warning with sshd
Message-ID:  <20050824102909.c370l4o9dcs8sog0@netchild.homeip.net>
In-Reply-To: <810a540e05082315273c897618@mail.gmail.com>
References:  <430b138a.7c0e796e.1155.547a@mx.gmail.com> <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net> <810a540e05082315273c897618@mail.gmail.com>

Pat Maddox <pergesu@gmail.com> wrote:

> Hey guys, thanks for the help so far.  I'm going to post this to the
> freebsd-pf list to see if anyone has any ideas...but I'm using PF, and
> here's the config.  Hopefully you can take a look and see what the
> problem may be.  As I said earlier, I'm not positive why I'm getting
> those errors, but I believe it's because my SSH connection is getting
> cut off whenever I enable the firewall.  I've also been looking for a
> way to not be cut off (since it's very annoying), and it seems like
> figuring out and correcting these errors will also fix the second
> problem.

You have to enable the firewall before you use ssh.

A stateful firewall can't know about connections which get set up before the
firewall is started. Since the firewall starts with a clean state, it has to
assume that no connection is valid and blocks all already-established
traffic.

So the behavior you see is what you requested from the system by starting the
firewall after starting an ssh session. There's no need to be scared; it's not
a security flaw, but you have to change your expectations.

Bye,
Alexander.

-- 
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
Don't you feel more like you do now than you did when you came in?
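The mechanism Alexander describes, as an added example (not code from the original thread; the addresses and the single pf-style "flags S/SA keep state" rule it models are constructed assumptions): a toy stateful filter that starts with an empty state table drops a mid-stream packet from an SSH session that predates it, while a fresh SYN creates state and its follow-up traffic in both directions passes.

```python
# Added example, not from the original post: a toy model of a stateful packet
# filter in the spirit of pf's "keep state" rules, showing why an SSH session
# set up before the firewall starts is cut off once the firewall is enabled.
from dataclasses import dataclass

SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S" (SYN), "PA" (PSH+ACK)


class StatefulFilter:
    """Models one rule: 'pass in proto tcp to port 22 flags S/SA keep state'."""

    def __init__(self):
        # Like a freshly started firewall, the state table begins empty.
        self.states = set()

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # A packet belonging to a known state passes in either direction.
        if fwd in self.states or rev in self.states:
            return "pass"
        # Only a bare SYN to port 22 matches the rule and creates new state.
        if p.dport == SSH_PORT and p.flags == "S":
            self.states.add(fwd)
            return "pass"
        # Everything else, including mid-stream packets of sessions that were
        # established before the firewall started, is blocked.
        return "block"


def demo():
    """Constructed addresses (RFC 5737 documentation ranges)."""
    fw = StatefulFilter()
    old_session = Packet("203.0.113.5", 51000, "198.51.100.1", 22, "PA")  # predates fw
    new_syn = Packet("203.0.113.5", 51001, "198.51.100.1", 22, "S")
    new_data = Packet("203.0.113.5", 51001, "198.51.100.1", 22, "PA")
    reply = Packet("198.51.100.1", 22, "203.0.113.5", 51001, "PA")
    return [fw.filter(p) for p in (old_session, new_syn, new_data, reply)]


if __name__ == "__main__":
    print(demo())  # ['block', 'pass', 'pass', 'pass']
```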