Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 12 Oct 2006 13:40:40 +1000
From:      "Mark Jose" <mwjose@optusnet.com.au>
To:        "'Spiros Papadopoulos'" <spap13@googlemail.com>, <freebsd-questions@freebsd.org>, <freebsd-ipfw@freebsd.org>
Subject:   RE: Problems with ipfw and ssh
Message-ID:  <000101c6edb0$30dacaf0$0400a8c0@maf>
In-Reply-To: <dab71e150610111453m39c6bdb8ia846b3c4b39c4e08@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi,

Just a suggestion/query: Do you have you localhost/127.0.0.1 rules defined
to allow all traffic?

Cheers
  

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh

Hi,

I am trying to configure a firewall using ipfw for a machine running FreeBSD
5.4.
Without NAT.

I am nearly a newbie on this (since i never had time until now..) but still
i believe i understand exactly the
concepts and what needs to be done.
Except the manual page and chapter 26.1 in the handbook I am using good
references such as:
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where i get
the problem:

Initially i can connect properly using a normal user account.
When later i am trying to su to root it does nothing and the connection
closes.

I have ipfw enabled in the kernel to deny everything by default.
I have used both (one at a time) the following rules concerning ssh, in
/etc/ipfw.rules
and also other combinations, such as taking off setup and keep-state etc etc
which would then make my firewall stateless as far as i understood, which is
something i don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
-
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) i found this post:
http://www.freebsdforums.org/forums/showthread.php?t=21876
where from, i cannot realize what is wrong or how to fix this.

I run the sshd in debug mode and below is the portion, for when i am trying
to su to root

/* sshd -d */
Write failed: Permission denied
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

/* line from /var/log/messages */
Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

/* /var/log/auth.log */
Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port
1545
Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for
user from xxx.xxx.xxx.xx port 1545 ssh2
Sep 26 10:17:49 username su: user to root on /dev/ttyp4
Sep 26 11:17:51 username sshd[50068]: Read error from remote host
xxx.xxx.xxx.xx: Connection reset by peer
Sep 26 13:29:40 username sshd[50076]: Read error from remote host
xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a
socket? I cannot see what is trying to do and the permission is denied
(of course maybe it is in front of me..but..)
Could anyone please advice?

Thanks in advance
Spiros
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?000101c6edb0$30dacaf0$0400a8c0>