Date: Sat, 11 Aug 2001 06:18:11 +0000 From: "George Genovezos" <ggenovez@hotmail.com> To: dkelly@hiwaay.net Cc: freebsd-questions@FreeBSD.ORG Subject: Re: ipfw & firewall. Message-ID: <F98xOjmfCHJr1Wtyi670000671f@hotmail.com>
next in thread | raw e-mail | index | archive | help
Ok here is the latest & greatest out put ipfw -at l 00100 4 160 Fri Aug 10 23:11:40 2001 allow ip from any to any via fxp0 00200 0 0 allow tcp from any to any out xmit fxp0 setup 00400 0 0 allow tcp from any 22 to any out setup 00500 1 44 Fri Aug 10 23:10:46 2001 allow tcp from any to any 22 in setup 00600 27 2242 Fri Aug 10 23:10:46 2001 allow ip from any to any via lo0 65435 0 0 deny log logamount 100 ip from any to any 65535 155 7708 Fri Aug 10 23:03:53 2001 deny ip from any to any now when I ssh to my box I get: ssh -v localhost SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.Compiled with SSL (0x0090600f). debug: Reading configuration data /etc/ssh/ssh_config debug: ssh_connect: getuid 0 geteuid 0 anon 0 debug: Connecting to localhost [::1] port 22. debug: Allocated local port 863. debug: connect: Connection refused debug: Connecting to localhost [127.0.0.1] port 22. debug: Allocated local port 862. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 green@FreeBSD.org 20010321 debug: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3 debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Forcing accepting of host key for loopback/localhost. debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. Permission denied. debug: Calling cleanup 0x805c528(0x0) Any hints? clues? Ideas? Firewall issue or ssh? DNS apears to be working without any entries. Anything I need to be concerned about? By the way Gary I got your messages and responded back to you I don't know if you got my message. Thx Everybuddy. G >From: David Kelly <dkelly@hiwaay.net> >To: "George Genovezos" <ggenovez@hotmail.com> >CC: freebsd-questions@FreeBSD.ORG >Subject: Re: ipfw & firewall. >Date: Fri, 10 Aug 2001 22:04:43 -0500 > >"George Genovezos" writes: > > > > Hey all, > > > > I just installed ipfw and the only thing I want to go in & out is ssh. >So > > this is the only line I have in my rules > > > > allow tcp from any to any ssh setup > >Is not enough, as you have found out. You let the setup thru but didn't >let any of the data packets thru. Am assuming ipfw is in the "default >deny all" mode? Should find something like this in dmesg: > >IP packet filtering initialized, divert disabled, rule-based forwarding >disabled, default to deny, unlimited logging > >Without actually trying it, I suggest you start with something like >this. You want the localhost device to work. And I'm guessing you'd like >DNS to work as well. Correct the DNS address/net. Use static address or >subnet or whatever. Another good idea would be to limit ssh connections >to known IP addresses. > >#!/bin/sh >nic="fxp0" >dns="1.2.3.4/24" >ipfw -f flush >ipfw allow ip from any to any via lo0 >ipfw deny log ip from any to 127.0.0.0/8 >ipfw deny log ip from 192.168.0.0/16 to any in recv ${nic} >ipfw allow tcp from any to any established >ipfw allow udp from ${dns} 53 to any in recv ${nic} >ipfw allow udp from any to ${dns} 53 out xmit ${nic} >ipfw allow log tcp from any to me ssh setup >ipfw deny log ip from any to any > >Logged items can be found in /var/log/security. I find it nice to log >the ssh setups as a way to know from where my ssh connections are >coming from. > >-- >David Kelly N4HHE, dkelly@hiwaay.net >===================================================================== >The human mind ordinarily operates at only ten percent of its >capacity -- the rest is overhead for the operating system. > > _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F98xOjmfCHJr1Wtyi670000671f>