Date: Sat, 11 Aug 2001 06:18:11 +0000
From: "George Genovezos" <ggenovez@hotmail.com>
To: dkelly@hiwaay.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw & firewall.
Message-ID: <F98xOjmfCHJr1Wtyi670000671f@hotmail.com>
Ok here is the latest & greatest output
ipfw -at l
00100 4 160 Fri Aug 10 23:11:40 2001 allow ip from any to any via fxp0
00200 0 0 allow tcp from any to any out xmit fxp0 setup
00400 0 0 allow tcp from any 22 to any out setup
00500 1 44 Fri Aug 10 23:10:46 2001 allow tcp from any to any 22 in setup
00600 27 2242 Fri Aug 10 23:10:46 2001 allow ip from any to any via lo0
65435 0 0 deny log logamount 100 ip from any to any
65535 155 7708 Fri Aug 10 23:03:53 2001 deny ip from any to any
now when I ssh to my box I get:
ssh -v localhost
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0. Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to localhost [::1] port 22.
debug: Allocated local port 863.
debug: connect: Connection refused
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Allocated local port 862.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Forcing accepting of host key for loopback/localhost.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
Permission denied.
debug: Calling cleanup 0x805c528(0x0)
Any hints? clues? Ideas?
Firewall issue or ssh?
DNS appears to be working without any entries. Anything I need to be concerned about?
By the way Gary, I got your messages and responded back to you; I don't know if you got my message.
Thx Everybuddy.
G
>From: David Kelly <dkelly@hiwaay.net>
>To: "George Genovezos" <ggenovez@hotmail.com>
>CC: freebsd-questions@FreeBSD.ORG
>Subject: Re: ipfw & firewall.
>Date: Fri, 10 Aug 2001 22:04:43 -0500
>
>"George Genovezos" writes:
> >
> > Hey all,
> >
> > I just installed ipfw and the only thing I want to go in & out is ssh. So
> > this is the only line I have in my rules
> >
> > allow tcp from any to any ssh setup
>
>Is not enough, as you have found out. You let the setup thru but didn't
>let any of the data packets thru. Am assuming ipfw is in the "default
>deny all" mode? Should find something like this in dmesg:
>
>IP packet filtering initialized, divert disabled, rule-based forwarding
>disabled, default to deny, unlimited logging
>
>Without actually trying it, I suggest you start with something like
>this. You want the localhost device to work. And I'm guessing you'd like
>DNS to work as well. Correct the DNS address/net. Use static address or
>subnet or whatever. Another good idea would be to limit ssh connections
>to known IP addresses.
>
>#!/bin/sh
>nic="fxp0"
>dns="1.2.3.4/24"
>ipfw -f flush
>ipfw allow ip from any to any via lo0
>ipfw deny log ip from any to 127.0.0.0/8
>ipfw deny log ip from 192.168.0.0/16 to any in recv ${nic}
>ipfw allow tcp from any to any established
>ipfw allow udp from ${dns} 53 to any in recv ${nic}
>ipfw allow udp from any to ${dns} 53 out xmit ${nic}
>ipfw allow log tcp from any to me ssh setup
>ipfw deny log ip from any to any
>
>Logged items can be found in /var/log/security. I find it nice to log
>the ssh setups as a way to know where my ssh connections are
>coming from.
>
>--
>David Kelly N4HHE, dkelly@hiwaay.net
>=====================================================================
>The human mind ordinarily operates at only ten percent of its
>capacity -- the rest is overhead for the operating system.
>
>
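The point David makes above (a `setup` rule passes only the SYN, and the rest of the session needs an `established` rule) is easy to see by stepping the packets of one ssh connection through the rule sets. The evaluator below is an added example for this thread, not FreeBSD's ipfw and not anyone's code from the list: it implements first-match semantics for just the rule syntax that appears in the messages (actions, `log`/`logamount`, protocols, `from`/`to` with ports and CIDRs, `in`/`out`, `via`/`recv`/`xmit`, `setup`/`established`). It simplifies in two places, both marked in comments: the three interface keywords are treated alike, and `me` is a constructed local address. All addresses and the packet sequence are constructed; the `dns` variable from the script is expanded to its placeholder value.

```python
"""Minimal first-match evaluator for a subset of ipfw(8) rule syntax.

Added example for this thread; it is not FreeBSD's ipfw and models only
enough to show why 'allow tcp from any to any ssh setup' alone passes the
SYN and nothing else, and which rule decides each packet of an ssh session.
Simplification: via/recv/xmit are all treated as a plain interface name
(real ipfw distinguishes the receive and transmit interface).
"""
import ipaddress

SERVICES = {"ssh": 22, "domain": 53}
LOCAL_ADDRS = {"192.0.2.10"}      # constructed: the addresses 'me' stands for
OPTIONS = {"in", "out", "via", "recv", "xmit", "setup", "established"}


def _port(tok):
    return SERVICES.get(tok) or int(tok)


def parse_rule(text):
    """Parse '[num] allow|deny [log [logamount N]] proto from A [port] to B [port] [options]'."""
    toks = text.split()
    rule = {"num": None, "sport": None, "dport": None, "dir": None, "iface": None, "flag": None}
    if toks[0].isdigit():
        rule["num"] = int(toks.pop(0))
    rule["action"] = toks.pop(0)
    while toks[0] in ("log", "logamount"):          # logging options do not affect matching
        del toks[:2 if toks[0] == "logamount" else 1]
    rule["proto"] = toks.pop(0)
    assert toks.pop(0) == "from"
    rule["src"] = toks.pop(0)
    if toks[0] != "to":
        rule["sport"] = _port(toks.pop(0))
    assert toks.pop(0) == "to"
    rule["dst"] = toks.pop(0)
    if toks and toks[0] not in OPTIONS:
        rule["dport"] = _port(toks.pop(0))
    while toks:
        tok = toks.pop(0)
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok in ("via", "recv", "xmit"):       # simplification: all three mean "on this interface"
            rule["iface"] = toks.pop(0)
        elif tok in ("setup", "established"):
            rule["flag"] = tok
        else:
            raise ValueError("unsupported option: " + tok)
    return rule


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    """True if pkt satisfies every clause of rule (ipfw semantics for setup/established)."""
    flags = pkt.get("flags", set())
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.get("sport"):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["flag"] == "setup" and ("SYN" not in flags or "ACK" in flags):
        return False      # setup: SYN set and ACK clear, i.e. only the first packet of a connection
    if rule["flag"] == "established" and not flags & {"ACK", "RST"}:
        return False      # established: ACK or RST set, i.e. every packet after the SYN
    return True


def evaluate(rules, pkt):
    """(action, rule number) of the first match; no match falls through to the default deny 65535."""
    for idx, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], rule["num"] or idx
    return "deny", 65535


ME, PEER, NIC = "192.0.2.10", "198.51.100.7", "fxp0"   # constructed addresses


def ssh_session():
    """The first packets of an inbound ssh connection as the filter sees them (constructed)."""
    inbound = dict(proto="tcp", src=PEER, sport=40000, dst=ME, dport=22, dir="in", iface=NIC)
    outbound = dict(proto="tcp", src=ME, sport=22, dst=PEER, dport=40000, dir="out", iface=NIC)
    return [("SYN", {**inbound, "flags": {"SYN"}}),
            ("SYN-ACK", {**outbound, "flags": {"SYN", "ACK"}}),
            ("ACK", {**inbound, "flags": {"ACK"}}),
            ("data", {**outbound, "flags": {"ACK"}})]


def trace(rule_texts):
    """(packet, action, deciding rule) for each packet of the session under the given rule set."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(name, *evaluate(rules, pkt)) for name, pkt in ssh_session()]


ORIGINAL = ["allow tcp from any to any ssh setup"]      # the single rule from the first post

SUGGESTED = [                                           # David Kelly's script, variables expanded
    "allow ip from any to any via lo0",
    "deny log ip from any to 127.0.0.0/8",
    "deny log ip from 192.168.0.0/16 to any in recv fxp0",
    "allow tcp from any to any established",
    "allow udp from 1.2.3.4/24 53 to any in recv fxp0",
    "allow udp from any to 1.2.3.4/24 53 out xmit fxp0",
    "allow log tcp from any to me ssh setup",
    "deny log ip from any to any",
]

POSTED = [                                              # the 'ipfw -at l' listing in this message
    "00100 allow ip from any to any via fxp0",
    "00200 allow tcp from any to any out xmit fxp0 setup",
    "00400 allow tcp from any 22 to any out setup",
    "00500 allow tcp from any to any 22 in setup",
    "00600 allow ip from any to any via lo0",
    "65435 deny log logamount 100 ip from any to any",
]

if __name__ == "__main__":
    for label, rs in (("original", ORIGINAL), ("suggested", SUGGESTED), ("posted", POSTED)):
        print(label, trace(rs))
```

Running it shows the three situations side by side: with the single `setup` rule only the SYN is allowed and the SYN-ACK, ACK and data all fall through to rule 65535; with the suggested script the SYN hits the `ssh setup` rule and everything after it hits the `established` rule; and with the listing posted above every packet on fxp0 is decided by rule 100 before any later rule is consulted, which is the same thing the per-rule counters of `ipfw -at l` tell you.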
