From: "Spiros Papadopoulos"
Date: Thu, 12 Oct 2006 18:49:51 +0100
To: "Garrett Cooper", keramida@ceid.upatras.gr, sales@webignite.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with ipfw and ssh

Hi again,

On 12/10/06, Garrett Cooper wrote:
> Based on all the docs I've read about using ipfw, you should put
> "ipfw allow all any from any via lo0" somewhere at the top of your
> script so all traffic can and will be sent via lo0.

I think you are talking about the line below, is this right?

    /sbin/ipfw -q add 50 allow all from any to any via lo0

It is there. This is the first line to be met by packets in my
/etc/ifpw.rules script. It is also one of the default rules coming in the
/etc/rc.firewall script, where I copied it from.

On 12/10/06, *Chris - WEBignite* wrote:
> I've actually just started seeing this same error. I do have a rule set for
> local 127.0.0.1 and an allow for layer2 traffic.
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied
> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection without
> trouble.

Could you please let me know what FreeBSD version you are using?

On 12/10/06, *Giorgos Keramidas* wrote:
> Yes. See above. The `ipfw -d show' command shown there was
> after I looped using SSH from my workstation to another system
> and back again.
>> Sorry I will not be able to reply again tonight
> No problem. Take your time. There is definitely a logical
> explanation why this is happening, even if that explanation is
> `there is a bug in ipfw and 5.4' :)

I turned on the laptop and now everything is working again, as I initially
described (I don't have a clue of what happened yesterday).

I can ssh the machine as a normal user but cannot su to root. When trying
(from a win machine) with putty, it freezes immediately after I enter the
root password and the message below is produced on the freebsd box:

    Oct 12 17:58:52 user sshd[838]: fatal: Write failed: Permission denied

It is sshd that produces the above, but still I cannot identify what it is
trying to do and why permission is denied.

I have the option PermitRootLogins=No in my /etc/ssh/sshd_config file, but
it was working properly before I enabled ipfw.

Do you think it is a good idea to take ipfw out of the kernel and try
enabling it from /etc/rc.conf? Anyway, I think I should wait a little more
before I proceed with this.

Do you think that this is a bug?

Thanks in advance
Spiros