From owner-freebsd-questions@FreeBSD.ORG Tue Jul 1 19:53:18 2003
From: David Kelly
To: FreeBSD-Questions@FreeBSD.org
Date: Tue, 1 Jul 2003 21:53:16 -0500
Subject: Re: setting up ipfw
In-Reply-To: <20030701194934.J6454-100000@floyd.gnulife.org>
References: <20030701194934.J6454-100000@floyd.gnulife.org>
Message-Id: <200307012153.16046.dkelly@HiWAAY.net>
List-Id: User questions
User-Agent: KMail/1.5.2

On Tuesday 01 July 2003 08:01 pm, Jamie wrote:

> I am having a very difficult time setting up ipfw on a 4.8
> installation. Was wondering if anyone might be able to shed some
> light on this.

[...]

> I want to ssh in from another machine: foo.bar.com with IP address
> 200.88.34.12.
>
> This is the rule I am adding:
>
> ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
>
> It tells me it can't resolve power.bar.com!

Well, *when* is the above rule added? Is DNS up and working then? You know you can't make DNS queries until after the ipfw rules allowing DNS have been applied?

If your machine is power.bar.com, and if you have more than one interface and don't care whether 200.88.34.12 connects on any interface, then the following is a better rule, where 1234 is some position in your ruleset:

    ipfw add 1234 allow tcp from 200.88.34.12 to me 22 setup

For "setup" to work you need a rule (usually early, to minimize processing overhead) like this:

    ipfw add 400 allow tcp from any to any established

> So, I try:
>
> ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
>
> It accepts the rule, but I still cannot connect from foo.bar.com.
>
> Anyone have any ideas?

Plenty. Can you ssh from anywhere else to your machine? Can you ssh from that machine to itself? In other words, "Is sshd running?"

You didn't list an ipfw rule number in your above example. So where is it inserting in the ruleset? Very likely it's after a "deny" rule which otherwise blocked the connection. I believe ipfw inserts unnumbered rules 100 beyond the last rule entered, so the above probably landed after any deny rule. The first rule to hit ends ipfw processing of the packet (except for divert).

For quick ipfw debugging, "ipfw zero" to clear the hit counts. Try the failed ssh attempt, then "ipfw -a list" and see which rules got hits. If you suspect a deny rule is blocking the connection, then insert a new copy of that deny rule just prior and with the "log" modifier. Repeat. And look at /var/log/security for additional details.

And speaking to posterity and the list, you already know that you can simply type the rule at the keyboard; you don't have to modify your firewall script file until you want the change made permanent, and you don't have to reboot.
Stylistically I'd recommend your rule(s) include the "setup" modifier, and that earlier you have a "pass all established" rule. This is the way it's done in the /etc/rc.firewall example. With "setup" and "log" you get only one hit in /var/log/security when the connection is made. Without setup you get an entry for each and every packet until your VERBOSE limit is hit (I think, as I don't use the verbose limiter).

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
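The advice in the reply above, collected into one small firewall script written in the style of /etc/rc.firewall. This is an added example, not code posted by David Kelly or Jamie and not the /etc/rc.firewall shipped with FreeBSD: it uses the addresses from the question (200.88.34.12 as the admin host), the rule numbers 400 and 1234 from the reply, and arbitrary numbers for every other rule. The script prints the ipfw commands rather than running them, so the ordering can be checked without touching a live firewall; apply_ruleset pipes the same text into sh on the real host.

```sh
#!/bin/sh
# Added example (not from the original thread): an ipfw ruleset in the style
# of /etc/rc.firewall that applies the advice in the reply above. Rule numbers
# other than 400 and 1234 are arbitrary choices made for this example.

fwcmd="/sbin/ipfw"
admin_ip="200.88.34.12"        # foo.bar.com in the question: the only host allowed to open ssh

# emit_ruleset prints the ipfw commands instead of running them, so the rule
# order can be reviewed (or checked by a test) without changing any firewall.
emit_ruleset() {
    cat <<EOF
${fwcmd} -f flush
# loopback first: resolver traffic and "ssh localhost" tests must keep working
${fwcmd} add 100 allow ip from any to any via lo0
${fwcmd} add 200 deny ip from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
# early "established" rule: every later packet of an accepted TCP session is
# passed here, so the "setup" rules below only ever see the opening SYN
${fwcmd} add 400 allow tcp from any to any established
# DNS by address, not by name: a rule that names a host cannot be loaded
# until queries are already permitted
${fwcmd} add 500 allow udp from me to any 53
${fwcmd} add 510 allow udp from any 53 to me
# ssh from the admin host only; "me" matches every local address, so the
# rule needs neither DNS nor a per-interface address
${fwcmd} add 1234 allow tcp from ${admin_ip} to me 22 setup
# outgoing TCP from this host may still be opened
${fwcmd} add 1900 allow tcp from me to any setup
# every other new TCP connection is refused and logged once (setup + log),
# so a failed connect shows up as a single line in /var/log/security
${fwcmd} add 2000 deny log tcp from any to any setup
# final catch-all, also logged
${fwcmd} add 65000 deny log ip from any to any
EOF
}

# apply_ruleset loads the rules on a host that really runs ipfw.
apply_ruleset() {
    emit_ruleset | sh
}

# debug_rule_hits is the "ipfw zero, retry, ipfw -a list" loop from the reply:
# clear the packet counters, have the admin host retry ssh, then show which
# rules matched. The rule that counts the SYN is the one deciding the outcome.
debug_rule_hits() {
    ${fwcmd} zero
    echo "Retry the ssh connection from ${admin_ip} now, then press Enter."
    read _dummy
    ${fwcmd} -a list
}

# rule_position prints the line at which a given rule number appears in the
# emitted ruleset, which makes "is 400 before 1234?" a simple comparison.
rule_position() {
    emit_ruleset | grep -n "add $1 " | cut -d: -f1
}
```

The "log" keyword only produces /var/log/security entries when net.inet.ip.fw.verbose is 1 (IPFIREWALL_VERBOSE in the kernel configuration), and net.inet.ip.fw.verbose_limit caps how many lines a single rule may log; because rule 2000 carries "setup", a blocked connection attempt costs one log line rather than one per retransmitted packet. To find out which rule a failing connection actually hits, run debug_rule_hits and read the counter column of "ipfw -a list"; if the hit lands on a deny rule, add a copy of it immediately before, with "log", and look at /var/log/security.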