Date:      Wed, 18 Apr 2001 17:34:48 +0100
From:      Mark Drayton <mark.drayton@4thwave.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   ssh and firewall problem
Message-ID:  <20010418173448.A8646@tethys.valhalla.net>

Hi

I'm just setting up a FreeBSD machine as a cable modem router and
firewall for a friend. The firewall should be closed apart from ssh
access. I've got the following rules (I took out the RFC 1918 rules when
testing):

dc0: outside - 213.105.xx.xx
fxp0: inside - 192.168.0.254

The modem is accessible through 192.168.100.1, hence the allow rules.

00100 divert 8668 ip from any to any via dc0
00150 allow icmp from any to any
00200 allow ip from any to any out xmit dc0
00300 allow tcp from 192.168.100.1 to any in recv dc0
00300 allow tcp from any to 192.168.100.1 out xmit dc0
00400 allow ip from any to any via lo0
00400 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00600 allow tcp from any to any established
00700 allow ip from any to any frag
00900 allow tcp from any to 213.105.xx.xx 22 setup
00900 allow tcp from any to 213.105.xx.xx 79 setup
01000 deny log logamount 100 tcp from any to any in recv dc0 setup
01100 allow tcp from any to any setup
01200 allow udp from 213.105.xx.xx to any 53 keep-state
65535 deny ip from any to any

I can't ssh into the machine at all when the firewall is up. I'm getting
these messages in the logs:

Apr 18 16:54:23 keema sshd[18529]: fatal: Write failed: Permission denied

and sometimes:

Apr 18 16:54:23 keema natd[259]: failed to write packet back (Permission denied)

The top error happens regardless of the divert rule, and the bottom one
only with the divert rule. I've tried running an sshd on a high port
(22222) but I can't get a prompt there either. I'm getting no ipfw
connection denied entries, just these permission denied messages.

I also enabled finger, which works fine. I'm assuming this is because an
entire finger session is conducted with only one or two packets, whereas
ssh has quite a complex setup which is somehow being broken by my
firewall.

With the firewall off ('open' in rc.conf) I can ssh in fine so it's not
a problem with the cable modem company blocking access.

Thanks,

-- 

Mark Drayton
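The rule set quoted in the post is evaluated first-match: the divert rule hands the packet to natd, and when natd writes it back evaluation resumes at the next rule. The simulator below is an added example written for this page, not code from the post, from FreeBSD or from ipfw itself. It parses the quoted rules (with the masked outside address replaced by the placeholder 203.0.113.10, a documentation address) and reports which rule decides a constructed packet and which divert rules it passed on the way. It models only the keywords those rules use, simplifies recv/xmit to the interface of the pass being evaluated, and ignores keep-state dynamic rules; it is a reading aid for a rule set, not a substitute for `ipfw show` counters or the firewall log.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

OUTSIDE = "203.0.113.10"  # placeholder for the masked 213.105.xx.xx in the post

# The rule set quoted in the post, with the outside address substituted.
RULESET = f"""
00100 divert 8668 ip from any to any via dc0
00150 allow icmp from any to any
00200 allow ip from any to any out xmit dc0
00300 allow tcp from 192.168.100.1 to any in recv dc0
00300 allow tcp from any to 192.168.100.1 out xmit dc0
00400 allow ip from any to any via lo0
00400 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00600 allow tcp from any to any established
00700 allow ip from any to any frag
00900 allow tcp from any to {OUTSIDE} 22 setup
00900 allow tcp from any to {OUTSIDE} 79 setup
01000 deny log logamount 100 tcp from any to any in recv dc0 setup
01100 allow tcp from any to any setup
01200 allow udp from {OUTSIDE} to any 53 keep-state
65535 deny ip from any to any
"""

@dataclass
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    direction: str = "in"  # the pass being evaluated: "in" or "out"
    iface: str = "dc0"     # interface of that pass (recv/xmit are simplified to it)
    syn: bool = False
    ack: bool = False
    frag: bool = False     # non-first IP fragment

def parse_rule(line: str) -> dict:
    """Parse one `ipfw list` line into a dict of match conditions."""
    toks = line.split()
    r = {"number": int(toks[0]), "action": toks[1], "text": line, "dport": None,
         "direction": None, "mode": None, "iface": None,
         "setup": False, "established": False, "frag": False}
    i = 3 if r["action"] == "divert" else 2          # skip the divert port
    while toks[i] in ("log", "logamount"):           # skip "log logamount N"
        i += 2 if toks[i] == "logamount" else 1
    r["proto"] = toks[i]
    assert toks[i + 1] == "from" and toks[i + 3] == "to", line
    r["src"], r["dst"] = (None if t == "any" else ipaddress.ip_network(t, strict=False)
                          for t in (toks[i + 2], toks[i + 4]))
    i += 5
    if i < len(toks) and toks[i].isdigit():          # destination port
        r["dport"] = int(toks[i]); i += 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            r["direction"] = tok
        elif tok in ("via", "recv", "xmit"):
            r["mode"], r["iface"] = tok, toks[i + 1]; i += 1
        elif tok in ("setup", "established", "frag"):
            r[tok] = True
        elif tok != "keep-state":                     # dynamic state is not modelled
            raise ValueError(f"unsupported keyword {tok!r} in rule {r['number']}")
        i += 1
    return r

RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]

def matches(r: dict, p: Packet) -> bool:
    """Match conditions for the keywords used in the quoted rule set."""
    ip = ipaddress.ip_address
    return all([
        r["proto"] in ("ip", p.proto),
        r["src"] is None or ip(p.src) in r["src"],
        r["dst"] is None or ip(p.dst) in r["dst"],
        r["dport"] is None or r["dport"] == p.dport,
        r["direction"] is None or r["direction"] == p.direction,
        r["mode"] != "via" or r["iface"] == p.iface,
        r["mode"] != "recv" or (p.direction, p.iface) == ("in", r["iface"]),
        r["mode"] != "xmit" or (p.direction, p.iface) == ("out", r["iface"]),
        not r["setup"] or (p.proto == "tcp" and p.syn and not p.ack),
        not r["established"] or (p.proto == "tcp" and p.ack),
        not r["frag"] or p.frag,
    ])

def trace(p: Packet) -> Tuple[str, int, List[str]]:
    """Return (decision, rule number, text of every rule that matched).
    A matching divert rule is recorded and evaluation continues with the
    next rule, which is what happens once natd re-injects the packet."""
    path = []
    for r in RULES:
        if matches(r, p):
            path.append(r["text"])
            if r["action"] in ("allow", "deny"):
                return r["action"], r["number"], path
    raise RuntimeError("no terminal rule matched")  # rule 65535 prevents this

if __name__ == "__main__":  # constructed sample: an inbound ssh SYN arriving on dc0
    print(trace(Packet("tcp", "198.51.100.5", OUTSIDE, 22, syn=True)))
```

Running it with the constructed inbound SYN to port 22 shows the packet passing the divert rule and being allowed by rule 00900; the same SYN to port 22222 is refused by the logging deny at 01000, and the server's ACK reply leaving through dc0 is accepted by rule 00200. Walking a ruleset this way makes the first-match order explicit before touching the live firewall.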
