Date:      Thu, 12 Oct 2006 22:00:55 +0300
From:      vladone <vladone@spaingsm.com>
To:        ipfw@freebsd.org
Subject:   Re: Problems with ipfw and ssh
Message-ID:  <116110828.20061012220055@spaingsm.com>
In-Reply-To: <dab71e150610111453m39c6bdb8ia846b3c4b39c4e08@mail.gmail.com>
References:  <dab71e150610111453m39c6bdb8ia846b3c4b39c4e08@mail.gmail.com>

Hello Spiros,

Thursday, October 12, 2006, 12:53:28 AM, you wrote:

> Hi,

> I am trying to configure a firewall using ipfw for a machine running FreeBSD
> 5.4, without NAT.

> I am nearly a newbie on this (since I never had time until now...) but still
> I believe I understand exactly the concepts and what needs to be done.
> Apart from the manual page and chapter 26.1 in the handbook, I am using good
> references such as:
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

> I need to connect remotely to the machine using ssh, and this is where I get
> the problem:

> Initially I can connect properly using a normal user account.
> When later I try to su to root, it does nothing and the connection
> closes.

> I have ipfw enabled in the kernel to deny everything by default.
> I have used both (one at a time) the following rules concerning ssh in
> /etc/ipfw.rules, and also other combinations, such as taking off setup and
> keep-state etc., which would then make my firewall stateless as far as I
> understood, which is something I don't want anyway.

> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

> In a first investigation (not thorough) I found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> from which I cannot figure out what is wrong or how to fix this.

> I ran sshd in debug mode, and below is the portion from when I am trying
> to su to root:

> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7

> And here are related logs:

> /* line from /var/log/messages */
> Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

> /* /var/log/auth.log */
> Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port
> 1545
> Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for
> user from xxx.xxx.xxx.xx port 1545 ssh2
> Sep 26 10:17:49 username su: user to root on /dev/ttyp4
> Sep 26 11:17:51 username sshd[50068]: Read error from remote host
> xxx.xxx.xxx.xx: Connection reset by peer
> Sep 26 13:29:40 username sshd[50076]: Read error from remote host
> xxx.xxx.xxx.xx: Operation timed out

> Is it trying to write to a socket? I cannot see what it is trying to do
> and why the permission is denied (of course, maybe it is right in front
> of me... but...).
> Could anyone please advise?

> Thanks in advance
> Spiros
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe@freebsd.org"
 It isn't very clear. You can connect, and then when you try to switch to root,
 your connection is lost? Or after some inactivity?
 Try first to leave ipfw open, and test ssh to be sure that it
 works right. Then use ipfw; I think that the right form for what you
 want is (according to the documentation):
add 1000 check-state
add 2000 allow tcp from any to any 22 in setup keep-state


-- 
Best regards,
 vladone                            mailto:vladone@spaingsm.com
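An added example, not code from vladone's reply or from anything else posted in this thread: a small sh script that puts the two suggested rules into a complete, loadable ruleset, with check-state numbered before the keep-state rule and a final logged deny, so the ordering ipfw actually evaluates is visible. The rule numbers, the loopback, outbound and final deny rules, and the IPFW dry-run variable are my assumptions. Two practitioner points are worth having next to it: ipfw(8) performs the dynamic-table lookup implicitly at the first keep-state rule it reaches, so the explicit check-state is there for clarity rather than correctness; and on FreeBSD a locally generated packet that ipfw refuses is reported to the writing process as EACCES, which is why a blocked reply surfaces in sshd as "Write failed: Permission denied". The outbound half of a session therefore has to be covered by the dynamic entry (or an explicit rule) as much as the inbound half.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete stateful ipfw ruleset
# built around the two rules suggested above. Rule numbers, the loopback,
# outbound and final deny rules, and the IPFW variable are my assumptions.
#
# Dry run by default: the commands are printed instead of executed. Apply
# for real with   IPFW="ipfw -q" sh ssh_rules.sh   from a console session,
# or with a second ssh session left open, because a mistake here cuts off
# the session that loaded it. One safety net on a deny-by-default kernel is
# to schedule an allow-all rule before loading, from another shell:
#   ( sleep 300; ipfw -q add 64000 allow ip from any to any ) &
# and to delete rule 64000 once ssh is confirmed to work.
IPFW="${IPFW:-echo ipfw -q}"

# Emit the ruleset; every rule goes through $IPFW so the same function
# serves both the dry run and live use.
ssh_rules() {
    $IPFW -f flush
    # Loopback traffic is never filtered.
    $IPFW add 100 allow ip from any to any via lo0
    # Consult the dynamic rule table first. Packets of an already established
    # SSH session match here, so the rules below only see new connections.
    # (ipfw also performs this lookup implicitly at the first keep-state
    # rule; the explicit check-state just makes the ordering visible.)
    $IPFW add 1000 check-state
    # Only the first packet of a new inbound connection to port 22 matches
    # ("setup" = SYN without ACK); keep-state creates the dynamic entry that
    # then carries the rest of the session, in both directions.
    $IPFW add 2000 allow tcp from any to me 22 in setup keep-state
    # Connections this host opens to the outside, tracked the same way.
    $IPFW add 3000 allow tcp from me to any out setup keep-state
    # Log and drop everything else (the kernel default here is deny anyway).
    $IPFW add 65000 deny log ip from any to any
}

# Sanity check on a generated ruleset: ipfw evaluates rules in ascending
# number order, so check-state must carry a lower number than the first
# keep-state rule. Takes the ruleset text, returns 0 when the order is right.
rule_order_ok() {
    cs=$(printf '%s\n' "$1" | awk '/check-state/ {
            for (i = 1; i < NF; i++) if ($i == "add") { print $(i + 1); exit } }')
    ks=$(printf '%s\n' "$1" | awk '/keep-state/ {
            for (i = 1; i < NF; i++) if ($i == "add") { print $(i + 1); exit } }')
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ]
}

ssh_rules
```

Run it as-is to see the ipfw commands it would issue; only with IPFW set to the real binary does it touch the kernel. The rule_order_ok check is the kind of thing to run against a ruleset file before loading it over the very connection it governs.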




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?116110828.20061012220055>