Date:      Thu, 12 Oct 2006 10:15:18 +0100
From:      "Spiros Papadopoulos" <spap13@googlemail.com>
To:        "Chris - WEBignite" <sales@webignite.net>
Cc:        freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: Problems with ipfw and ssh
Message-ID:  <dab71e150610120215s46bec793q4e6edd00b4a55455@mail.gmail.com>
In-Reply-To: <008f01c6edd0$3f520c40$0200a8c0@ChrisLaptop>
References:  <000101c6edb0$30dacaf0$0400a8c0@maf> <008f01c6edd0$3f520c40$0200a8c0@ChrisLaptop>

On 12/10/06, Chris - WEBignite <sales@webignite.net> wrote:
>
> I've actually just started seeing this same error. I do have a rule set
> for local 127.0.0.1 and an allow for layer2 traffic.
>
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied


Yes, this is the exact same message I got.

> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection
> without trouble.
>
> -Chris


The only difference is that I could not su to root, so I could not update any
rules remotely.
I could log in to a normal user account properly, though.

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Mark Jose
> Sent: Wednesday, October 11, 2006 8:41 PM
> To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org;
> freebsd-ipfw@freebsd.org
> Subject: RE: Problems with ipfw and ssh
>
> Hi,
>
> Just a suggestion/query: do you have your localhost/127.0.0.1 rules defined
> to allow all traffic?


Well, actually I copied the following rules from /etc/rc.firewall plus the
comment (because of the comment!) without thinking about it too much; I
consider them trustworthy and never thought they could cause any problem.
Are you suggesting that these rules may be the reason for this?

# Only in rare cases do you want to change these rules
       ${addcmd} 50 allow all from any to any via lo0
       ${addcmd} 100 deny all from any to 127.0.0.0/8
       ${addcmd} 150 deny ip from 127.0.0.0/8 to any

Unfortunately I will not be on the machine for the next 7 or so hours.


> Cheers
>
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Spiros Papadopoulos
> Sent: Thursday, 12 October 2006 7:53 AM
> To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: Problems with ipfw and ssh
>
> Hi,
>
> I am trying to configure a firewall using ipfw for a machine running FreeBSD
> 5.4, without NAT.
>
> I am nearly a newbie at this (since I never had time until now), but I
> still believe I understand the concepts exactly and what needs to be done.
> Apart from the manual page and chapter 26.1 in the handbook, I am using good
> references such as:
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
>
> I need to connect remotely to the machine using ssh, and this is where I
> get the problem:
>
> Initially I can connect properly using a normal user account.
> When I later try to su to root, it does nothing and the connection
> closes.
>
> I have ipfw enabled in the kernel to deny everything by default.
> I have used both of the following rules concerning ssh (one at a time) in
> /etc/ipfw.rules, and also other combinations, such as taking off setup and
> keep-state etc., which as far as I understood would then make my firewall
> stateless, which is something I don't want anyway.
>
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
>
> In a first (not thorough) investigation I found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> from which I cannot work out what is wrong or how to fix this.
>
> I ran sshd in debug mode, and below is the portion from when I am trying
> to su to root
>
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7
>
> And here are related logs:
>
> /* line from /var/log/messages */
> Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied
>
> /* /var/log/auth.log */
> Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
> Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
> Sep 26 10:17:49 username su: user to root on /dev/ttyp4
> Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
> Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out
>
> Is it trying to write to a socket? I cannot see what it is trying to do
> for which the permission is denied (of course maybe it is right in front of
> me, but...)
> Could anyone please advise?
>
> Thanks in advance
> Spiros
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>



-- 
Spiros Papadopoulos
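Added example, not part of the thread above and not FreeBSD's own /etc/rc.firewall: a small sh script that loads a stateful ipfw ruleset of the kind discussed here (the three lo0 rules quoted from rc.firewall, check-state, the ssh rule with setup keep-state, and a default deny) into a staging ipfw set and swaps it into place atomically, so a reload never leaves a window with no rules loaded. The rule numbers, the choice of set 1 for staging and the IPFW_DRYRUN variable (print the ipfw commands instead of running them) are assumptions made for the example. Two facts about ipfw are relevant to the "Write failed: Permission denied" messages in this thread: when ipfw drops a packet that a local process is sending, the kernel returns EACCES to that process's write(2), which is exactly what sshd prints before it dies; and ipfw deletes a rule's keep-state dynamic entries together with the rule, so replacing the ssh rule on a reload discards the state of the session you are typing in. The stateless "established" rule for port 22 below exists so that an already-open ssh session survives a reload; it loosens the stateful posture for that one port, which is a deliberate trade-off for an administrative connection.

```shell
#!/bin/sh
# Added example, not from the thread or from /etc/rc.firewall.
# Loads a stateful ipfw ruleset into a staging set and swaps it in.
# Assumptions: rule numbers, set 1 as the staging set, and the IPFW_DRYRUN
# variable (when set, the ipfw commands are printed instead of executed).
# Needs root and an ipfw2 kernel (FreeBSD 5.x or later) to run for real.

IPFW=${IPFW:-/sbin/ipfw}

# Run ipfw quietly, or just print the command when dry-running.
fw() {
    if [ -n "${IPFW_DRYRUN:-}" ]; then
        echo "ipfw $*"
    else
        "$IPFW" -q "$@"
    fi
}

# Emit the ruleset into ipfw set $1.  Rule order matters: check-state must
# come before the ssh rule so packets of an existing session match their
# dynamic entry instead of falling through to the final deny.
load_rules() {
    s=$1
    # Loopback rules, as quoted from /etc/rc.firewall in the thread.
    fw add 50  set "$s" allow ip from any to any via lo0
    fw add 100 set "$s" deny ip from any to 127.0.0.0/8
    fw add 150 set "$s" deny ip from 127.0.0.0/8 to any
    fw add 200 set "$s" check-state
    # Inbound ssh: create dynamic state on the SYN only.
    fw add 300 set "$s" allow log logamount 5 tcp from any to me 22 setup keep-state
    # Stateless fallback so an ssh session that was open before a reload
    # (whose dynamic state died with the old rule) keeps working.
    fw add 310 set "$s" allow tcp from any to me 22 established
    # Connections this host initiates (DNS, ntp, fetch, ...).
    fw add 400 set "$s" allow tcp from me to any setup keep-state
    fw add 410 set "$s" allow udp from me to any keep-state
    fw add 65000 set "$s" deny log ip from any to any
}

# Replace the live ruleset (set 0) without a window in which no rules exist.
reload_firewall() {
    fw set disable 1        # staging set is not consulted while we fill it
    fw delete set 1 || :    # clear leftovers from an earlier run; may be empty
    load_rules 1
    fw set swap 0 1         # atomically: new rules become set 0, old become set 1
    fw delete set 1 || :    # drop the old rules (and their dynamic state)
}

# Only act when explicitly asked, so the file can be sourced for inspection.
if [ "${1:-}" = "reload" ]; then
    reload_firewall
fi
```

Run it as `sh ipfw-reload.sh reload` from a root shell, or with `IPFW_DRYRUN=1` first to review the exact ipfw commands it would issue. Because the live set is only replaced by the swap, a syntax error in a new rule aborts the load while the old ruleset is still in force, which is the property you want when the only way onto the box is the ssh session being firewalled.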



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?dab71e150610120215s46bec793q4e6edd00b4a55455>