From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 12 09:15:41 2006
Date: Thu, 12 Oct 2006 10:15:18 +0100
From: "Spiros Papadopoulos" <spap13@googlemail.com>
To: "Chris - WEBignite"
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Problems with ipfw and ssh
In-Reply-To: <008f01c6edd0$3f520c40$0200a8c0@ChrisLaptop>
References: <000101c6edb0$30dacaf0$0400a8c0@maf> <008f01c6edd0$3f520c40$0200a8c0@ChrisLaptop>
List-Id: IPFW Technical Discussions

On 12/10/06, Chris - WEBignite wrote:
>
> I've actually just started seeing this same error. I do have a rule set for
> local 127.0.0.1 and an allow for layer2 traffic.
>
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

Yes, this is exactly the same message I got.

> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection without
> trouble.
>
> -Chris

The only difference is that I could not su to root, so I could not update any
rules remotely. I could log in to a normal user account properly, though.

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Mark Jose
> Sent: Wednesday, October 11, 2006 8:41 PM
> To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: RE: Problems with ipfw and ssh
>
> Hi,
>
> Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined
> to allow all traffic?

Well, actually I copied the following rules from /etc/rc.firewall, plus the
comment (because of the comment!), without thinking about it too much. I
consider them trustworthy and never thought they could cause any problem.
Are you suggesting that these rules may be the reason for this?

    # Only in rare cases do you want to change these rules
    ${addcmd} 50 allow all from any to any via lo0
    ${addcmd} 100 deny all from any to 127.0.0.0/8
    ${addcmd} 150 deny ip from 127.0.0.0/8 to any

Unfortunately I will not be on the machine for the next 7 or so hours.

> Cheers
>
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Spiros Papadopoulos
> Sent: Thursday, 12 October 2006 7:53 AM
> To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: Problems with ipfw and ssh
>
> Hi,
>
> I am trying to configure a firewall using ipfw for a machine running FreeBSD 5.4.
> Without NAT.
>
> I am nearly a newbie on this (since I never had time until now..) but still
> I believe I understand exactly the concepts and what needs to be done.
> Except the manual page and chapter 26.1 in the handbook, I am using good
> references such as:
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
>
> I need to connect remotely to the machine using ssh and this is where I get
> the problem:
>
> Initially I can connect properly using a normal user account.
> When later I am trying to su to root it does nothing and the connection
> closes.
>
> I have ipfw enabled in the kernel to deny everything by default.
> I have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules, and also other combinations, such as taking off setup and
> keep-state etc. etc., which would then make my firewall stateless as far as
> I understood, which is something I don't want anyway.
>
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
>
> In a first investigation (not thorough) I found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> from which I cannot work out what is wrong or how to fix this.
>
> I ran sshd in debug mode and below is the portion for when I am trying
> to su to root:
>
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7
>
> And here are related logs:
>
> /* line from /var/log/messages */
> Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied
>
> /* /var/log/auth.log */
> Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
> Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
> Sep 26 10:17:49 username su: user to root on /dev/ttyp4
> Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
> Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out
>
> Is it trying to write to a socket? I cannot see what it is trying to do and
> why the permission is denied (of course maybe it is in front of me..but..)
> Could anyone please advise?
>
> Thanks in advance
> Spiros
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Spiros Papadopoulos
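An added example, not code from this thread or from FreeBSD, to illustrate the mechanism Chris describes: an ssh session admitted by a `setup keep-state` rule lives in ipfw's dynamic table, and reloading the rule set with a flush empties that table, so the next packet sshd writes falls through to the default deny. ipfw reports a denied locally generated packet to the sending socket as EACCES, which sshd prints as "Write failed: Permission denied". The toy simulator below models only the options used in the thread (`setup`, `keep-state`, `established`, `check-state`) and a single deny-by-default kernel; the addresses, the client port 1545 and the rule numbers are constructed for the demonstration, and the `established` fallback rules are a common mitigation, not something the thread itself proposes.

```python
"""Toy model of ipfw static vs dynamic (keep-state) rule matching.

Constructed example: shows why an SSH session admitted only by a
'setup keep-state' rule dies after 'ipfw -f flush' + reload, and why
static 'established' rules let it survive the reload.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ME = "192.0.2.10"          # constructed: the firewall host's own address
CLIENT = "198.51.100.7"    # constructed: the remote admin workstation


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"syn", "ack", "rst"}

    def endpoints(self):
        # Direction-independent key: one dynamic entry covers both ways.
        return (self.proto, frozenset({(self.src, self.sport), (self.dst, self.dport)}))


@dataclass
class Rule:
    num: int
    action: str             # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    sport: int | None = None
    dst: str = "any"
    dport: int | None = None
    opts: frozenset = frozenset()


def parse_rule(line):
    """Parse the ipfw subset used here, e.g. '300 allow tcp from any to me 22 setup keep-state'."""
    t = line.split()
    num, action = int(t[0]), t[1]
    if action == "check-state":
        return Rule(num, action)
    assert t[3] == "from" and "to" in t, line
    i = t.index("to")
    src, sport = t[4], (int(t[5]) if i == 6 else None)   # optional source port
    dst, rest = t[i + 1], t[i + 2:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return Rule(num, action, t[2], src, sport, dst, dport, frozenset(rest))


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return ip_address(addr) in ip_network(spec, strict=False)


def _static_match(r, p):
    if r.proto not in ("ip", "all", p.proto):
        return False
    if not (_addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)):
        return False
    if r.sport is not None and p.sport != r.sport:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    # ipfw semantics: 'setup' = SYN set and ACK clear; 'established' = ACK or RST set.
    if "setup" in r.opts and not ("syn" in p.flags and "ack" not in p.flags):
        return False
    if "established" in r.opts and not (p.flags & {"ack", "rst"}):
        return False
    return True


class Firewall:
    def __init__(self, lines):
        self.reload(lines)

    def reload(self, lines):
        # Models 'ipfw -f flush' followed by re-adding the rules: the
        # dynamic table is emptied together with the static rules.
        self.rules = sorted((parse_rule(l) for l in lines), key=lambda r: r.num)
        self.dynamic = {}

    def evaluate(self, p):
        checked = False
        for r in self.rules:
            # A check-state rule, or the first keep-state rule if there is
            # none, consults the dynamic table; a hit runs the parent action.
            if not checked and (r.action == "check-state" or "keep-state" in r.opts):
                checked = True
                if p.endpoints() in self.dynamic:
                    return self.dynamic[p.endpoints()]
            if r.action == "check-state" or not _static_match(r, p):
                continue
            if "keep-state" in r.opts:
                self.dynamic[p.endpoints()] = r.action
            return r.action
        return "deny"   # kernel default: anything not explicitly allowed is denied


def ssh_write_survives_reload(lines):
    """Admit an SSH session, reload the rules, then ask whether sshd's next write
    to the client is still allowed (a denied write is sshd's 'Permission denied')."""
    fw = Firewall(lines)
    syn = Packet("tcp", CLIENT, 1545, ME, 22, frozenset({"syn"}))
    sshd_write = Packet("tcp", ME, 22, CLIENT, 1545, frozenset({"ack"}))
    if fw.evaluate(syn) != "allow" or fw.evaluate(sshd_write) != "allow":
        return False          # the session never came up at all
    fw.reload(lines)
    return fw.evaluate(sshd_write) == "allow"


STATEFUL_ONLY = [
    "300 allow tcp from any to me 22 setup keep-state",
    "65000 deny ip from any to any",
]
WITH_FALLBACK = [
    "200 allow tcp from any to me 22 established",     # client -> sshd, after the handshake
    "210 allow tcp from me 22 to any established",     # sshd -> client, after the handshake
    "300 allow tcp from any to me 22 setup keep-state",
    "65000 deny ip from any to any",
]

if __name__ == "__main__":
    print("setup keep-state only, survives reload:", ssh_write_survives_reload(STATEFUL_ONLY))
    print("with established fallback, survives reload:", ssh_write_survives_reload(WITH_FALLBACK))
```

The static `established` rules admit any TCP segment to or from port 22 that carries ACK or RST, so they do not depend on the dynamic table and keep an already-authenticated session alive across a flush; the `setup keep-state` rule still gates new connections. The trade-off is that the fallback is stateless, so on a host that must stay strictly stateful the alternative is to avoid flushing at all and swap rules atomically with ipfw sets.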