From: "Mark Jose" <mwjose@optusnet.com.au>
To: freebsd-ipfw@freebsd.org
Date: Fri, 13 Oct 2006 13:21:49 +1000
Message-ID: <000001c6ee76$ba183ca0$0400a8c0@maf>
In-Reply-To: <008f01c6edd0$3f520c40$0200a8c0@ChrisLaptop>
Subject: RE: Problems with ipfw and ssh

> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection without
> trouble.

What you describe is expected activity when changing firewall rules. What isn't expected is the "Permission denied" bit.

Can someone post their rules so we can check them out?
-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Chris - WEBignite
Sent: Thursday, 12 October 2006 5:30 PM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: RE: Problems with ipfw and ssh

I've actually just started seeing this same error. I do have a rule set for local 127.0.0.1 and an allow for layer2 traffic.

    Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

I get this error when updating my firewall rules via ssh. Any current ssh connections are dropped, but I'm able to reinitiate a new connection without trouble.

-Chris

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Mark Jose
Sent: Wednesday, October 11, 2006 8:41 PM
To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: RE: Problems with ipfw and ssh

Hi,

Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined to allow all traffic?

Cheers

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh

Hi,

I am trying to configure a firewall using ipfw for a machine running FreeBSD 5.4, without NAT. I am nearly a newbie on this (since I never had time until now...) but still I believe I understand exactly the concepts and what needs to be done. Apart from the manual page and chapter 26.1 in the handbook, I am using good references such as:
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where I get the problem: initially I can connect properly using a normal user account. When later I try to su to root it does nothing and the connection closes. I have ipfw enabled in the kernel to deny everything by default.
I have used both of the following rules (one at a time) concerning ssh in /etc/ipfw.rules, and also other combinations, such as taking off setup and keep-state etc., which as far as I understood would then make my firewall stateless, which is something I don't want anyway.

    ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state

    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first (not thorough) investigation I found this post:
http://www.freebsdforums.org/forums/showthread.php?t=21876
from which I cannot work out what is wrong or how to fix this.

I ran sshd in debug mode and below is the portion from when I try to su to root:

    /* sshd -d */
    Write failed: Permission denied
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

    /* line from /var/log/messages */
    Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

    /* /var/log/auth.log */
    Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
    Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
    Sep 26 10:17:49 username su: user to root on /dev/ttyp4
    Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
    Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a socket? I cannot see what it is trying to do and why the permission is denied (of course maybe it is right in front of me... but...).

Could anyone please advise?
Thanks in advance

Spiros

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
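Added by the editor, not by anyone in this thread: a reload script that illustrates why flushing ipfw rules over SSH produces exactly the sshd message quoted above (the deny is reported to the writing socket as EACCES), and a fallback rule scoped to the admin network that lets the session performing the reload survive the loss of its keep-state entry. The admin network 192.0.2.0/24, the /sbin/ipfw path and the rule numbers are assumptions, not values from the posts.

```shell
#!/bin/sh
# Added example, not from any post in this thread.
#
# Why the symptom appears: "ipfw -f flush" removes every rule, and the
# keep-state dynamic entries go away with the rules that created them.
# The next segment sshd writes then falls through to the default deny;
# ipfw reports a blocked locally originated packet to the sending socket
# as EACCES, which sshd logs as "fatal: Write failed: Permission denied".
# Rules 500/510 pass an already-established admin session (ACK set, admin
# network only) in both directions, so the reload does not cut it off;
# everything else stays stateful.
# Hypothetical values: admin network 192.0.2.0/24, ipfw at /sbin/ipfw.

IPFW="${IPFW:-/sbin/ipfw}"              # set IPFW=echo for a dry run
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Print the ruleset, one ipfw argument list per line.
ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from $ADMIN_NET to me 22 established
add 510 allow tcp from me 22 to $ADMIN_NET established
add 600 allow tcp from $ADMIN_NET to me 22 setup keep-state
add 700 allow ip from me to any keep-state
add 65000 deny log logamount 5 ip from any to any
EOF
}

# Number of rules, for a sanity check before applying.
rule_count() { ruleset | wc -l | tr -d ' '; }

# Flush the current rules and load the new set in one pass.
reload_rules() {
    $IPFW -q -f flush
    ruleset | while IFS= read -r line; do
        # word splitting of $line into ipfw arguments is intended
        $IPFW -q $line
    done
}

# Apply only when invoked with "apply"; sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
    reload_rules
fi
```

Run with `IPFW=echo sh reload.sh apply` first to see the exact commands that would be issued, then without the override from a console session or with a second SSH session open as a safety net.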