Date: Tue, 23 Aug 2005 16:27:49 -0600
From: Pat Maddox <pergesu@gmail.com>
To: Alexander Leidinger <Alexander@leidinger.net>
Cc: Stephen Major <smajor@gmail.com>, remko@freebsd.org, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Security warning with sshd
Message-ID: <810a540e05082315273c897618@mail.gmail.com>
In-Reply-To: <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net>
References: <430b138a.7c0e796e.1155.547a@mx.gmail.com> <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net>

Hey guys, thanks for the help so far. I'm going to post this to the
freebsd-pf list to see if anyone has any ideas...but I'm using PF, and
here's the config. Hopefully you can take a look and see what the
problem may be. As I said earlier, I'm not positive why I'm getting
those errors, but I believe it's because my SSH connection is getting
cut off whenever I enable the firewall. I've also been looking for a
way to not be cut off (since it's very annoying), and it seems like
figuring out and correcting these errors will also fix the second
problem.
# ------- pf.conf skeleton for server
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"
# --- allowed incoming services initiated by clients
TCP_IN = "{ 3000, ssh, ftp, smtp, domain, pop3, imap, http, https, 3690, 5001, 5002, 5003, 5004, 5005 }"
UDP_IN = "{ domain, 3690 }"
# --- allowed services initiated by server
TCP_OUT = "{ ssh, smtp, ftp, domain, http, https, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"
# ------------------ TABLE Section --------------
# ------------------ OPTIONS Section
set loginterface $EXT_IF
# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)
# ---------- FILTER section
# --- DEFAULT POLICY
block log all
# --- LOOPBACK
pass quick on lo0 all
# ========================= INCOMING ==================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
# --- UDP
pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state
# ========================= OUTGOING ==================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
# ----------------- end of pf.conf
On 8/23/05, Alexander Leidinger <Alexander@leidinger.net> wrote:
> Stephen Major <smajor@gmail.com> wrote:
>
> > The issue he is having, I had the exact same problems; as soon as I changed
> > my config to the one below, poof, no more problems. You can set your firewall
> > however you want. I was just saying what gets rid of the problem he is
> > having with ssh.
>
> I wasn't commenting on the ssh issue, since it isn't clear why the problem
> exists. At least I haven't seen a problem analysis where the cause of this
> was shown. Maybe I missed it. So your posting may be the right solution or
> not. I don't know yet, and I don't care about this in this mail, since I
> wasn't talking about the ssh issue (see below).
>
> > So instead of ripping apart what I have said, why do you not provide a better
> > solution to the original question asked.
>
> I wasn't ripping apart what you said. I just wanted to be helpful and share a
> little bit of knowledge. You're mixing stateful with non-stateful rules and
> this may result in unwanted packets traveling through the firewall. I
> thought you (and maybe others) may be interested in this.
>
> BTW.: in some environments this is a hole in the firewall and needs to be
> fixed, so one shouldn't use this part of your example. Since the security
> mailing list is in the CC, we can't let this problem go uncommented.
>
> Another helpful suggestion: Please don't quote everything and please write
> your comments below the parts where they belong. This is common behavior in
> the FreeBSD lists and doing the opposite will result in less (useful)
> responses from some members of the lists (because it makes the mail harder
> to read and people may decide to not spend the time to read the mail and
> point out problem solutions or small bugs in your offering of a solution).
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
> http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
> To add insult to injury.
> -- Phaedrus
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?810a540e05082315273c897618>
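Added example (not code from the thread, from Pat's ruleset, or from pf itself): a small Python check in the spirit of Alexander's stateful-versus-non-stateful remark. It joins wrapped pf.conf lines, expands the $MACRO references, and lists every pass rule that creates no state, which is where reply traffic ends up being judged by the rest of the ruleset rather than by a state entry. It assumes the pf of that era, where a rule is only stateful when it says keep/modulate/synproxy state; the port 8080 rule in the sample is constructed and is not in the posted config.

```python
import re

STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")

# Constructed sample: macros and pass rules from the ruleset posted above, plus one
# non-stateful pass rule (port 8080) that is NOT in the original config.
SAMPLE_PF_CONF = '''
EXT_IF="fxp0"
TCP_IN = "{ 3000, ssh, ftp, smtp, domain, pop3, imap, http, https, \\
            3690, 5001, 5002, 5003, 5004, 5005 }"
block log all
pass quick on lo0 all
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port 8080  # constructed
'''

def parse_ruleset(text):
    """Return (macros, rules): continuation lines joined, comments dropped, $MACROs expanded."""
    macros, rules = {}, []
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:  # unknown macros are left as $NAME so they stand out in the report
            rules.append(re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return macros, rules

def classify(rule):
    """Pull out the fields the check needs from one expanded filter rule."""
    tokens = rule.split()
    pm = re.search(r"\bport\s+(\{[^}]*\}|\S+)", rule)
    ports = [p.strip() for p in pm.group(1).strip("{}").split(",") if p.strip()] if pm else []
    proto = re.search(r"\bproto\s+(\w+)", rule)
    return {"action": tokens[0],
            "direction": tokens[1] if len(tokens) > 1 and tokens[1] in ("in", "out") else "any",
            "proto": proto.group(1) if proto else None, "ports": ports,
            "stateful": any(k in rule for k in STATE_KEYWORDS)}

def lint(text):
    """Return the pass rules that create no state entry: replies to traffic they admit
    are then matched against the rest of the ruleset instead of a state, the mix the
    reply calls a potential hole. A bare pass on lo0 is the usual deliberate exception."""
    infos = [(r, classify(r)) for r in parse_ruleset(text)[1]]
    return [(r, i) for r, i in infos if i["action"] == "pass" and not i["stateful"]]
```

Running lint on the sample lists the loopback rule (for review) and the constructed 8080 rule; on the ruleset as posted, every pass rule on $EXT_IF keeps state.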
