From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 8 08:20:49 2006
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Sun, 8 Oct 2006 05:20:44 -0300
Subject: ipfw tag and ng_tag

Hello,

Finally with -BETA2 I can try ng_tag and ipfw tag. I have a certain unusual need to filter DNS queries which return NXDomain. Before filtering, I will make some cacti graphs. So I need to count packets with the "NXDomain" expression on Layer 7.
With tcpdump -X I can see that NXDomain always shows up perfectly, so this is the kind of L7 pattern which will be safe to filter. With hexdump(1) I found out the hex sequence for the NXDomain expression to be:

    4e 58 44 6f 6d 61 69 6e 0a

I have the needed kernel modules loaded. What should I do next? I know I am supposed to create an ng_bpf pattern, similar to

    PATTERN="(ether[40:4]=0x134e5844 && ether[44:4]=0x6f6d6169 && ether[48:4]=0x6e0a)"

I did it, and executed it in the following script:

    PATTERN="(ether[40:4]=0x134e5844 && ether[44:4]=0x6f6d6169 && ether[48:4]=0x6e0a)"
    NODEPATH="my_node:"
    INHOOK="hook1"
    MATCHHOOK="hook2"
    NOTMATCHHOOK="hook3"

    cat > /tmp/bpf.awk << xxENDxx
    {
        if (!init) {
            printf "bpf_prog_len=%d bpf_prog=[", \$1;
            init=1;
        } else {
            printf " { code=%d jt=%d jf=%d k=%d }", \$1, \$2, \$3, \$4;
        }
    }
    END { print " ]" }
    xxENDxx

    BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk`

    ngctl msg ${NODEPATH} setprogram { thisHook=\"${INHOOK}\" \
        ifMatch=\"${MATCHHOOK}\" \
        ifNotMatch=\"${NOTMATCHHOOK}\" \
        ${BPFPROG} } }

BUT, here I get my first problem. The script returns:

    ngctl: send msg: No such file or directory

I printed the full command that returns the error; it is:

    ngctl msg  setprogram { thisHook="" ifMatch="" ifNotMatch="" bpf_prog_len=8 bpf_prog=[ { code=32 jt=0 jf=0 k=40 } { code=21 jt=0 jf=5 k=323901508 } { code=32 jt=0 jf=0 k=44 } { code=21 jt=0 jf=3 k=1869439337 } { code=32 jt=0 jf=0 k=48 } { code=21 jt=0 jf=1 k=28170 } { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] } }

Running tcpdump -s 8192 -ddd $PATTERN manually I get:

    8
    32 0 0 40
    21 0 5 323901508
    32 0 0 44
    21 0 3 1869439337
    32 0 0 48
    21 0 1 28170
    6 0 0 8192
    6 0 0 0

which suggests that the ngctl data (code, jt, jf and k) are correct. But the command returns that error for some reason. The script was taken from the ng_bpf(4) man page. I am all new to this netgraph thing, and I couldn't even get to the ng_tag phase (stopped in ng_bpf). I would like to have your help to work it out, please.
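As an added example (not from Eduardo's post or the ng_bpf(4) man page), here is a Python rework of the man-page awk step that turns `tcpdump -ddd` output into the setprogram message, plus a minimal classic-BPF interpreter so a program can be checked against constructed packets offline before it is loaded into ng_bpf. It assumes what the ng_tag test later in this archive states, that ipfw hands netgraph IP packets with the link layer cut, so the DNS header flags sit at offset 30; "NXDomain" is tcpdump's decoding of RCODE 3 in those flags rather than bytes on the wire, which is why the hand-assembled flags program below matches an NXDOMAIN reply while the text-pattern program from the post does not.

```python
import struct

# Classic BPF opcode numbers as printed by `tcpdump -ddd` (values from <net/bpf.h>)
LD_W_ABS = 32    # BPF_LD|BPF_W|BPF_ABS  : A = 32-bit word at pkt[k]
LD_H_ABS = 40    # BPF_LD|BPF_H|BPF_ABS  : A = 16-bit half-word at pkt[k]
LD_B_ABS = 48    # BPF_LD|BPF_B|BPF_ABS  : A = byte at pkt[k]
ALU_AND_K = 84   # BPF_ALU|BPF_AND|BPF_K : A = A & k
JEQ_K = 21       # BPF_JMP|BPF_JEQ|BPF_K : skip jt insns if A == k, else jf
RET_K = 6        # BPF_RET|BPF_K         : accept k bytes (0 = reject)
LOAD_SIZE = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1}


def parse_ddd(text):
    """Parse `tcpdump -ddd` output: the first line is the instruction count,
    every further line is 'code jt jf k'."""
    rows = [line.split() for line in text.strip().splitlines() if line.strip()]
    count = int(rows[0][0])
    insns = [tuple(int(field) for field in row) for row in rows[1:]]
    if len(insns) != count or any(len(insn) != 4 for insn in insns):
        raise ValueError("malformed tcpdump -ddd output")
    return insns


def to_setprogram(insns, this_hook, if_match, if_not_match):
    """Render the ng_bpf setprogram message body that the man-page awk script
    produces, so it can be compared with what the shell actually sent."""
    prog = " ".join("{ code=%d jt=%d jf=%d k=%d }" % insn for insn in insns)
    return ('{ thisHook="%s" ifMatch="%s" ifNotMatch="%s" bpf_prog_len=%d bpf_prog=[ %s ] }'
            % (this_hook, if_match, if_not_match, len(insns), prog))


def run_bpf(insns, pkt):
    """Interpret the subset of classic BPF used here. Returns the accept length
    (0 means no match); a load past the end of the packet rejects, as the kernel does."""
    acc, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code in LOAD_SIZE:
            size = LOAD_SIZE[code]
            if k + size > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif code == ALU_AND_K:
            acc &= k
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError("opcode %d not supported by this interpreter" % code)
    return 0


# The program from the post above: tcpdump -ddd output for the text pattern
# ether[40:4]=0x134e5844 && ether[44:4]=0x6f6d6169 && ether[48:4]=0x6e0a
NXDOMAIN_TEXT_DDD = """8
32 0 0 40
21 0 5 323901508
32 0 0 44
21 0 3 1869439337
32 0 0 48
21 0 1 28170
6 0 0 8192
6 0 0 0
"""

# Hand-assembled (not tcpdump output) program for an IPv4/UDP packet without link
# layer: DNS flags are at 20 + 8 + 2 = 30; keep QR (0x8000) and RCODE (0x000f) and
# require QR=1, RCODE=3 (NXDOMAIN). Equivalent to ether[30:2] & 0x800f = 0x8003.
NXDOMAIN_FLAGS_DDD = """5
40 0 0 30
84 0 0 32783
21 0 1 32771
6 0 0 8192
6 0 0 0
"""


def dns_response(flags, qname=b"example.com"):
    """Constructed IPv4/UDP/DNS reply with the link layer already removed,
    the form ipfw's netgraph action hands to ng_bpf. Checksums left at zero."""
    dns = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    for label in qname.split(b"."):
        dns += bytes([len(label)]) + label
    dns += b"\x00" + struct.pack(">HH", 1, 1)           # root label, QTYPE A, QCLASS IN
    udp = struct.pack(">HHHH", 53, 40000, 8 + len(dns), 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + len(dns), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 53]), bytes([192, 0, 2, 1]))
    return ip + udp + dns


def matches_text_pattern(pkt):
    return run_bpf(parse_ddd(NXDOMAIN_TEXT_DDD), pkt)


def matches_nxdomain_flags(pkt):
    return run_bpf(parse_ddd(NXDOMAIN_FLAGS_DDD), pkt)


if __name__ == "__main__":
    nx, ok = dns_response(0x8183), dns_response(0x8180)   # RCODE 3 vs RCODE 0
    print("text pattern on NXDOMAIN reply :", matches_text_pattern(nx))
    print("flags pattern on NXDOMAIN reply:", matches_nxdomain_flags(nx))
    print("flags pattern on NOERROR reply :", matches_nxdomain_flags(ok))
    print(to_setprogram(parse_ddd(NXDOMAIN_FLAGS_DDD), "ipfw", "matched", "ipfw"))
```

Comparing the string from to_setprogram with the command the script actually printed is a quick way to confirm that the node path and hook names reached ngctl.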
Thank you.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 8 08:32:23 2006
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: freebsd-ipfw@freebsd.org, melifaro@su29.net
Date: Sun, 8 Oct 2006 05:32:20 -0300
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)

Mr Chernikov, could you please post the full content of your "bpf.script" file?

------------

On Mon Jun 12 21:45:48 UTC 2006 Alexander V.
Chernikov wrote:

Hi,

I have recent 7.0-current and this node seems to work for me. Node code compiles and loads into the kernel without any problems. After some time experimenting with ng_bpf(4) I was able to tag packets matched by a bpf filter. Of course, the following is not a real-world example, but it confirms the module is working. Great job!

    [root at ws /home/melifaro/ng]# make
    @ -> /usr/src/sys
    machine -> /usr/src/sys/i386/include
    touch opt_netgraph.h
    cc -O2 -fno-strict-aliasing -pipe -g -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I- -I/usr/home/melifaro/ng -I. -I@ -I@/contrib/altq -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -fno-common -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -fformat-extensions -std=c99 -c ng_tag.c
    ld -d -warn-common -r -d -o ng_tag.kld ng_tag.o
    touch export_syms
    awk -f /sys/conf/kmod_syms.awk ng_tag.kld export_syms | xargs -J% objcopy % ng_tag.kld
    ld -Bshareable -d -warn-common -o ng_tag.ko ng_tag.kld
    objcopy --strip-debug ng_tag.ko
    [root at ws /home/melifaro/ng]# make load
    /sbin/kldload -v /usr/home/melifaro/ng/ng_tag.ko
    Loaded /usr/home/melifaro/ng/ng_tag.ko, id=14
    [root at ws /usr/home/melifaro/ng]# sysctl -w net.inet.ip.fw.one_pass=0
    net.inet.ip.fw.one_pass: 1 -> 0
    [root at ws /home/melifaro/ng]# ngctl mkpeer ipfw: bpf 41 ipfw
    [root at ws /home/melifaro/ng]# ngctl name ipfw:41 dcbpf
    [root at ws /home/melifaro/ng]# ngctl mkpeer dcbpf: tag matched th1
    [root at ws /home/melifaro/ng]# ngctl name dcbpf:matched ngdc
    [root at ws /home/melifaro/ng]# ngctl msg ngdc: sethookin { thisHook=\"th1\" ifNotMatch=\"th1\" }
    [root at ws /home/melifaro/ng]# ngctl msg ngdc: sethookout { thisHook=\"th1\" tag_cookie=1148380143 tag_id=412 }
    [root at ws
    /home/melifaro/ng]# ngctl msg dcbpf: setprogram '{ thisHook="matched" ifMatch="ipfw" bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] }'

    ; Matching part now, generated by script from ng_bpf(4) man page
    ; We are trying to tag all packets with dst port = 8888
    ; link layer is cut, so offset is 20 + 2
    [root at ws /usr/home/melifaro/ng]# head -n 5 bpf.script
    PATTERN="ether[22:2]=8888"
    NODEPATH="dcbpf:"
    INHOOK="ipfw"
    MATCHHOOK="matched"
    NOTMATCHHOOK="ipfw"
    [root at ws /usr/home/melifaro/ng]# ./bpf.script
    [root at ws /usr/home/melifaro/ng]# ipfw add 100 netgraph 41 tcp from me to 1.2.3.4 8888
    00100 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888
    [root at ws /usr/home/melifaro/ng]# ipfw add 110 reset tcp from any to any tagged 412
    00110 reset tcp from any to any tagged 412
    [root at ws /usr/home/melifaro/ng]# telnet 1.2.3.4 8888
    Trying 1.2.3.4...
    telnet: connect to address 1.2.3.4: Connection refused
    telnet: Unable to connect to remote host
    [root at ws /usr/home/melifaro/ng]# ipfw show 100-110
    00100 1 64 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888
    00110 1 64 reset tcp from any to any tagged 412

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 9 10:16:23 2006
From: Florent Thoumie <flz@FreeBSD.org>
To: joao@matik.com.br, flz@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Mon, 9 Oct 2006 10:16:23 GMT
Subject: Re: kern/93422: ipfw divert rule no longer works in 6.0 (regression)

Synopsis: ipfw divert rule no longer works in 6.0 (regression)

State-Changed-From-To: open->closed
State-Changed-By: flz
State-Changed-When: Mon Oct 9 10:15:30 UTC 2006
State-Changed-Why:
Semantics changed from RELENG_5 to RELENG_6 as pointed out by ume.

Spotted by: astrodog on #freebsd-bugbusters

http://www.freebsd.org/cgi/query-pr.cgi?pr=93422

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 9 11:09:20 2006
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 9 Oct 2006
11:08:29 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker       Resp.   Description
--------------------------------------------------------------------------------
o kern/51274    ipfw    [ipfw] [patch] ipfw2 create dynamic rules with parent
f kern/51341    ipfw    [ipfw] [patch] ipfw rule 'deny icmp from any to any ic
o kern/73910    ipfw    [ipfw] serious bug on forwarding of packets after NAT
o kern/74104    ipfw    [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762    ipfw    [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913     ipfw    [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659    ipfw    [modules] ipfw and ip6fw do not work properly as modul
o kern/93300    ipfw    ipfw pipe lost packets
o kern/95084    ipfw    [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504    ipfw    [ipfw] IPFW Rules bug
o kern/97951    ipfw    [ipfw] [patch] ipfw does not tie interface details to
o kern/98831    ipfw    [ipfw] ipfw has UDP hickups
o kern/102471   ipfw    [ipfw] [patch] add tos and dscp support
o kern/103454   ipfw    [ipfw] [patch] add a facility to modify DF bit of the

14 problems total.

Non-critical problems

S Tracker       Resp.   Description
--------------------------------------------------------------------------------
a kern/26534    ipfw    [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159    ipfw    [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172    ipfw    [ipfw] [patch] ipfw does not log size and flags
o bin/50749     ipfw    [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984    ipfw    [ipfw] [patch] time based firewalling support for ipfw
o kern/60719    ipfw    [ipfw] Headerless fragments generate cryptic error mes
o kern/69963    ipfw    [ipfw] install_state warning about already existing en
o kern/71366    ipfw    [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987    ipfw    [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276    ipfw    [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785     ipfw    [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642    ipfw    [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724    ipfw    [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957    ipfw    [ipfw] [patch] ipfw mac logging
o kern/87032    ipfw    [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847    ipfw    [ipfw] ipfw with vlanX as the device
p bin/95146     ipfw    [ipfw][patch]ipfw -p option handler is bogus
o kern/103328   ipfw    sugestions about ipfw table

18 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 9 12:24:06 2006
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 9 Oct 2006 15:23:43 +0300 (EEST)
In-Reply-To: <45264233.3050406@yandex.ru>
Subject: Queue size maximum too low [Was: ipfw versions - /usr/src/sbin]

Hello!

On Fri, 6 Oct 2006, Andrey V. Elsukov wrote:

>> the 100 need to be changed to 10,000 to allow for a bigger queue according
>> to the customer that wants to use ipfw + dummynet for
>> testing gigE thruput
>
> I think this is not a good idea.
> This limit will be checked later in
> kernel, and if you'll set qsize value greater than 100 - kernel will
> correct this to 50. (if I correctly understood the kernel sources..)

Well, frankly, the following code (as in RELENG_6) annoys me a lot:

src/sys/netinet/ip_dummynet.c:

    set_fs_parms(struct dn_flow_set *x, struct dn_flow_set *src)
    {
        x->flags_fs = src->flags_fs;
        x->qsize = src->qsize;
        x->plr = src->plr;
        x->flow_mask = src->flow_mask;
        if (x->flags_fs & DN_QSIZE_IS_BYTES) {
            if (x->qsize > 1024*1024)
                x->qsize = 1024*1024 ;
        } else {
            if (x->qsize == 0)
                x->qsize = 50 ;
            if (x->qsize > 100)
                x->qsize = 50 ;
        }

So the absolute maximum for the pipe's queue size is either 1 Mbyte or 100 packets. If one wants to provide a fixed maximum _delay_ by the pipe (e.g., a full pipe gives increasing delays up to, say, 5 sec, before dropping packets), [s]he should set the pipe's queue size in bytes to bw * delay (bw is in bytes/sec), which means that with this (artificial IMHO) 1 Mbyte queue limit we can provide a max. delay of 5 seconds only for a bw of 209715.2 bytes/sec (approx. 1.6 Mbit/s), which is _way_ too low by today's standards. We've got _a lot_ of kernel memory to burn on modern machines. So my question is: what (except this limit) prevents large queues (> 1 Mbyte) from functioning correctly? If I just remove this limit, will I hit some other limits in the dummynet code (except the overall KVA or UMA zone limit)?
Sincerely,
Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 10 02:11:59 2006
From: Mark Linimon <linimon@FreeBSD.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 10 Oct 2006 02:11:58 GMT
Subject: Re: kern/103967: [ipfw] [patch] ipfw2 limit src-addr logging is not sufficient for debug

Old Synopsis: ipfw2 limit src-addr logging is not sufficient for debug
New Synopsis: [ipfw] [patch] ipfw2 limit src-addr logging is not sufficient for debug

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Oct 10 02:10:58 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=103967

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 10 06:05:32 2006
From: Rajesh <rajeshbikram@wlink.com.np>
Organization: Wlink
To: freebsd-ipfw@freebsd.org
Date: Tue, 10 Oct 2006 11:43:16 +0545
Subject: BRIDGE + IPFW : Unknown hardware address format 0x002

I somehow made an ipfw rule to set the TOS bit for QoS. It is working fine except in bridging mode. When I set the rule, the kernel generates the error

    kernel: arp:Unknown hardware address format (0x002).

All the traffic gets blocked. When I remove the rule then it is working fine. This error is generated from the file if_ether.c. I think this is a checksum problem, but I am not getting what is happening.
with regards
Rajesh

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 11 12:00:38 2006
From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-ipfw@FreeBSD.org
Date: Wed, 11 Oct 2006 12:00:34 GMT
Subject: Re: kern/103967: commit references a PR

The following reply was made to PR kern/103967; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/103967: commit references a PR
Date: Wed, 11 Oct 2006 11:52:54 +0000 (UTC)

 maxim       2006-10-11 11:52:34 UTC

   FreeBSD src repository

   Modified files:
     sys/netinet          ip_fw2.c
   Log:
   o Extend not very informative ipfw(4) message 'drop session, too many
   entries' by src:port and dst:port pairs. IPv6 part is non-functional
   as ``limit'' does not support IPv6 flows.
   PR:             kern/103967
   Submitted by:   based on Bruce Campbell patch
   MFC after:      1 month

   Revision  Changes    Path
   1.149     +32 -2     src/sys/netinet/ip_fw2.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 11 12:10:40 2006
From: Maxim Konovalov <maxim@FreeBSD.org>
To: barzog@telecom.by, maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Wed, 11 Oct 2006 12:10:23 GMT
Subject: Re: kern/103967: [ipfw] [patch] ipfw2 limit src-addr logging is not sufficient for debug

Synopsis: [ipfw] [patch] ipfw2 limit src-addr logging is not sufficient for debug

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Wed Oct 11 12:09:54 UTC 2006
State-Changed-Why:
A similar patch was committed to HEAD. MFC in 1 month. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=103967

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 11 21:54:00 2006
From: "Spiros Papadopoulos" <spap13@googlemail.com>
To: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org
Date: Wed, 11 Oct 2006 22:53:28 +0100
Subject: Problems with ipfw and ssh

Hi,

I am trying to configure a firewall using ipfw for a machine running FreeBSD 5.4.
Without NAT. I am nearly a newbie on this (since I never had time until now..) but still I believe I understand exactly the concepts and what needs to be done. Besides the manual page and chapter 26.1 in the handbook, I am using good references such as:

    http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where I get the problem: initially I can connect properly using a normal user account. When later I try to su to root it does nothing and the connection closes. I have ipfw enabled in the kernel to deny everything by default. I have used both (one at a time) the following rules concerning ssh, in /etc/ipfw.rules, and also other combinations, such as taking off setup and keep-state etc., which would then make my firewall stateless as far as I understood, which is something I don't want anyway.

    ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
    -
    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) I found this post:

    http://www.freebsdforums.org/forums/showthread.php?t=21876

from which I cannot tell what is wrong or how to fix this.
I ran sshd in debug mode and below is the portion for when I am trying to su to root:

    /* sshd -d */
    Write failed: Permission denied
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are the related logs:

    /* line from /var/log/messages */
    Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

    /* /var/log/auth.log */
    Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
    Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
    Sep 26 10:17:49 username su: user to root on /dev/ttyp4
    Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
    Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a socket? I cannot see what it is trying to do and why the permission is denied (of course maybe it is in front of me.. but..). Could anyone please advise?
Thanks in advance
Spiros

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 12 03:40:43 2006
From: "Mark Jose" <mwjose@optusnet.com.au>
To: 'Spiros Papadopoulos', freebsd-ipfw@freebsd.org
Date: Thu, 12 Oct 2006 13:40:40 +1000
Subject: RE: Problems with ipfw and ssh

Hi,

Just a suggestion/query: do you have your localhost/127.0.0.1 rules defined to allow all traffic?

Cheers

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh

Hi, I am trying to configure a firewall using ipfw for a machine running FreeBSD 5.4. Without NAT.
I am nearly a newbie on this (since I never had time until now..) but still I believe I understand exactly the concepts and what needs to be done.
Except the manual page and chapter 26.1 in the handbook I am using good references such as:
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where I get the problem:

Initially I can connect properly using a normal user account.
When later I am trying to su to root it does nothing and the connection closes.

I have ipfw enabled in the kernel to deny everything by default.
I have used both (one at a time) the following rules concerning ssh, in /etc/ipfw.rules, and also other combinations, such as taking off setup and keep-state etc etc which would then make my firewall stateless as far as I understood, which is something I don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
-
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) I found this post:
http://www.freebsdforums.org/forums/showthread.php?t=21876
where from, I cannot realize what is wrong or how to fix this.
Thanks in advance
Spiros
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From: "Chris - WEBignite"
Date: Thu, 12 Oct 2006 00:30:08 -0700
Subject: RE: Problems with ipfw and ssh

I've actually just started seeing this same error. I do have a rule set for local 127.0.0.1 and an allow for layer2 traffic.

Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

I get this error when updating my firewall rules via ssh.
Any current ssh connections are dropped, but I'm able to reinitiate a new connection without trouble.

-Chris

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Mark Jose
Sent: Wednesday, October 11, 2006 8:41 PM
To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: RE: Problems with ipfw and ssh

Hi,

Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined to allow all traffic?

Cheers
From: "Spiros Papadopoulos"
Date: Thu, 12 Oct 2006 10:15:18 +0100
Subject: Re: Problems with ipfw and ssh

On 12/10/06, Chris - WEBignite wrote:
> I've actually just started seeing this same error. I do have a rule set for
> local 127.0.0.1 and an allow for layer2 traffic.
>
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

Yes, this is exactly the same message I got.

> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection without
> trouble.
>
> -Chris

The only difference is that I could not su to root, so I could not update any rules remotely. I could login to a normal user account properly though.

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Mark Jose
> Sent: Wednesday, October 11, 2006 8:41 PM
> To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: RE: Problems with ipfw and ssh
>
> Hi,
>
> Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined
> to allow all traffic?

Well actually I copied the following rules from /etc/rc.firewall plus the comment (..because of the comment!) without thinking of it too much, and I consider them trusty and I never thought they could cause any problem. Are you suggesting that these rules may be the reason for this?
# Only in rare cases do you want to change these rules
${addcmd} 50 allow all from any to any via lo0
${addcmd} 100 deny all from any to 127.0.0.0/8
${addcmd} 150 deny ip from 127.0.0.0/8 to any

Unfortunately I will not be on the machine for the next 7 or so hrs.

> Cheers
--
Spiros Papadopoulos

From: vladone
Date: Thu, 12 Oct 2006 22:00:55 +0300
Subject: Re: Problems with ipfw and ssh

Hello Spiros,

Thursday, October 12, 2006, 12:53:28 AM, you wrote:

> I need to connect remotely to the machine using ssh and this is where I get
> the problem:
> Initially I can connect properly using a normal user account.
> When later I am trying to su to root it does nothing and the connection
> closes.
> I have ipfw enabled in the kernel to deny everything by default.
> I have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
Isn't very clear. U can connect, and then when try to switch to root, your connection is lost? Or after some inactivity?
Try first to leave ipfw open, and test ssh to be sure that this one works right.
Then use ipfw, I think that the right form for what u want is (according to the documentation):

add 1000 check-state
add 2000 allow tcp from any to any 22 in setup keep-state

--
Best regards,
vladone                            mailto:vladone@spaingsm.com

From: "Spiros Papadopoulos"
Date: Thu, 12 Oct 2006 21:22:55 +0100
Subject: Re: Problems with ipfw and ssh

Thanks for your replies,

On 12/10/06, *Chris* wrote:
> If you have your kernel set to deny all by default, you can set a rule number
> 65534 to allow any to any
> as rule 65535 will deny any to any
> Then work your way back from there.

Could you please make the above last part of your thought more clear for me? I already have done what you said and I can su normally. So there is definitely something that must be allowed before which I am not aware of, and from the messages and behaviour I get I cannot identify it.

On 12/10/06, vladone wrote:
> Hello Spiros,
>
> Thursday, October 12, 2006, 12:53:28 AM, you wrote:
> Isn't very clear. U can connect, and then when try to switch to root,
> your connection is lost?
Yes. It is not doing anything and gives me the message I mentioned earlier.

> Or after some inactivity?
> Try first to leave ipfw open, and test ssh to be sure that this one
> works right. Then use ipfw, I think that the right form for what u
> want is (according to the documentation):
> add 1000 check-state
> add 2000 allow tcp from any to any 22 in setup keep-state

I have used my laptop with the same fbsd version and sshd for months and I am sure it works if ipfw is off. Also it works when adding the rule mentioned above.
I have tried to capture the packets coming in and out with tcpdump just before and after the permission denied mesg, but I suppose I could not "see" any blocked ones.
Other small changes to the existing rules made things worse..not better.
I am still not sure what it's trying to do and is denied, and I have in mind the reply I got yesterday that it worked as is in a fbsd7.0.
I have a second machine running the same fbsd 5.4 (but amd64) version which is next to test. I was expecting this to be easier and solved by now...
> --
> Best regards,
> vladone                            mailto:vladone@spaingsm.com

Thanks
Spiros Papadopoulos

From: "Mark Jose"
Date: Fri, 13 Oct 2006 13:21:49 +1000
Subject: RE: Problems with ipfw and ssh

> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection without
> trouble.
What you describe is expected activity when changing firewall rules. What isn't expected is the "Permission denied" bit.

Can someone post their rules so we can check them out?
I cannot see what it is trying to do and the permission is denied (of course maybe it is in front of me..but..)

Could anyone please advise?

Thanks in advance
Spiros

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 13 07:28:18 2006
From: Alvin Oga
To: freebsd-ipfw@freebsd.org
Date: Fri, 13 Oct 2006 00:28:16 -0700 (PDT)
Subject: Re: ipfw versions - /usr/src/sbin - solved

hi andrey - solved ...

Forwarded message:
> > > Andrey V. Elsukov wrote:
> ...
> > > Which FreeBSD version you use?
> >
> > i'm using a generic freebsd-6.1 ( from its official cd )
> >
> > i have done portupgrades -arR but nothing more to the system
> >
> > i have modified the default GENERIC kernel to DUMMYNET.nn
> > that includes IPFIREWALL
> ...
> > > And why you want to use another version of ipfw?
> >
> > i need to change the lines:
> > #
> > # line 3484 in ipfw2.c v1.99
> > #
> > if ( p.fs.qsize > 100 )
> >     errx ( EX_DATAERR, "2 <= queue size <= 100" );
> >
> > the 100 need to be changed to 10,000 to allow for a bigger queue
> > according to the customer that wants to use ipfw + dummynet for
> > testing gigE thruput

yes ...
hopefully, we'll be changing the related/affected values

> > Please, provide output of these commands:
> > # uname -a
>
> FreeBSD FreeBSD2.BSD-Consulting.org 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Thu Oct 5 00:43:06 PDT 2006 root@FreeBSD2.BSD-Consulting.org:/usr/src/sys/i386/compile/DUMMYNET.nn i386
>
> > # sysctl kern | grep osrel
>
> sysctl kern | grep osrel
> kern.osrelease: 6.1-RELEASE
> kern.osreldate: 601000
>
> > # grep ^REV /usr/src/sys/conf/newvers.sh
>
> REVISION="6.1"
>
> > # ident /usr/src/sbin/ipfw/ipfw2.c
>
> #
> # remember that i did a cvs checkout for this version
> # in /usr/src/sbin where i created /usr/src/sbin that didn't exist
> #
> /usr/src/sbin/ipfw/ipfw2.c:
> $FreeBSD: /repoman/r/ncvs/src/sbin/ipfw/ipfw2.c,v 1.99 2006/09/29 08:00:40 maxim Exp $
>
> > # ident /usr/src/sys/netinet/ip_fw.h
>
> /usr/src/sys/netinet/ip_fw.h:
> $FreeBSD: src/sys/netinet/ip_fw.h,v 1.100.2.3 2006/02/17 16:46:47 ru Exp $

....

> #
> # my cvs checkout of ipfw
> #
> cd /usr/src/sbin
> setenv CVSROOT freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs
> setenv CVS_RSH ssh
> cvs co ipfw

per your online reply, that i didn't see, looks like the proper cvs command is:

cvs co -r RELENG_6_1 ipfw

now it compiles under freebsd-6.1 and i've made the changes to p.fs.qsize

> # cvs checkout: Updating ipfw
> # U ipfw/Makefile
> # U ipfw/ipfw.8
> # U ipfw/ipfw2.c
> #
> # End of stuff

thanx
alvin

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 13 07:43:15 2006 (envelope-from Tyrone@TelecityRedbus.se)
Date: Fri, 13 Oct 2006 09:43:11 +0200
To: freebsd-ipfw@freebsd.org
Subject: NAT EXPIRE: IPSEC IPFILTER

Hi,

I know this is the IPFW mailing list, just thought I'd give it a try anyway. I'm running a FreeBSD FW and connecting to a remote office using IPSEC. My tunnels are fine for about ten minutes and then I get a NAT EXPIRE: and the tunnel is torn down. How can I increase the expiration time?

Regards
Tyrone

This e-mail is intended only for the use of the addressees named above and may be confidential. If you are not an addressee you must not use any information contained in nor copy it nor inform any person other than the addressees of its existence or contents.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 13 08:58:24 2006
From: "Spiros Papadopoulos"
To: "Mark Jose"
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 13 Oct 2006 09:58:21 +0100
Subject: Re: Problems with ipfw and ssh

On 13/10/06, Mark Jose wrote:
> > I get this error when updating
> > my firewall rules via ssh. Any current ssh
> > connections are dropped, but I'm able to reinitiate a new connection
> > without trouble.
>
> What you describe is expected activity when changing firewall rules. What
> isn't expected is the "Permission denied" bit. Can someone post their
> rules so we can check them out?

Hi,

Ok, below are the first two posts I posted when I had this error. I was advised and more or less knew that I shouldn't post questions to freebsd-ipfw, so first an operator of the list took ipfw out and then I tried not to include it again. However I received back some replies which had the address and then things got messed up since I didn't notice on time (half of the messages were sent..)

I send you *only* the posts I posted that describe the error, some logs and the ruleset, which is actually really primitive. What I finally did about this is that now I allow everything and I may add a 65534 rule to deny everything when this is what I want, which indeed I find a better idea. The thing is that I got a reply that the rules worked as is in a fbsd7.0 box.

I wouldn't post in the first place, but I spent a whole evening trying to understand what it is trying to do and the permission is denied. After I added a rule 65534 to allow everything from everywhere I could su... So I am more or less sure that there is some rule that I had to add which was missing.

I hope this helps but if you need more details let me know.

Regards,
Spiros

============================================================

Hi,

I am trying to configure a firewall using ipfw for a machine running FreeBSD 5.4, without NAT. I am nearly a newbie on this (since I never had time until now..) but still I believe I understand exactly the concepts and what needs to be done.
Besides the manual page and chapter 26.1 in the handbook, I am using good references such as: http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where I get the problem: Initially I can connect properly using a normal user account. When later I am trying to su to root it does nothing and the connection closes.

I have ipfw enabled in the kernel to deny everything by default. I have used both (one at a time) the following rules concerning ssh, in /etc/ipfw.rules, and also other combinations, such as taking off setup and keep-state etc etc, which would then make my firewall stateless as far as I understood, which is something I don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state

${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) I found this post: http://www.freebsdforums.org/forums/showthread.php?t=21876 from which I cannot realize what is wrong or how to fix this.

I run the sshd in debug mode and below is the portion for when I am trying to su to root:

/* sshd -d */
Write failed: Permission denied
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

/* line from /var/log/messages */
Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

/* /var/log/auth.log */
Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
Sep 26 10:17:49 username su: user to root on /dev/ttyp4
Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a socket?
I cannot see what it is trying to do and the permission is denied (of course maybe it is in front of me..but..)

Could anyone please advise?

========================================================

I started yesterday playing with it / testing it, but since I want to do most of the work remotely, I got stuck on this rule and feel like I should keep looking until I find the solution. I paste the whole script here just in case something else is wrong...

Here is my ipfw.rules file:

#!/bin/sh
# rules command prefix
addcmd="/sbin/ipfw -q add"
# and the interface
if="xl0"
# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"
nic="sk0"
ks="keep-state"

# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
then
    ${addcmd} 100 allow all from any to any via ${nic}
    exit 0
else
    # Only in rare cases do you want to change these rules
    ${addcmd} 50 allow all from any to any via lo0
    ${addcmd} 100 deny all from any to 127.0.0.0/8
    ${addcmd} 150 deny ip from 127.0.0.0/8 to any

    # At the moment don't allow it
    #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
    #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

    # Allow only specific stuff and maintain the firewall for as long
    # as needed to become tough enough

    # check state and keep it
    ${addcmd} 200 check-state
    ${addcmd} 210 allow tcp from me to any setup ${ks}
    ${addcmd} 211 allow udp from me to any ${ks}
    ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
    ${addcmd} 212 allow icmp from me to any

    # Allow Traffic to my ISP DNS server
    ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
    ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}

    # Allow ssh from anywhere
    #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
    #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}

    # Everything else is denied
    ${addcmd} 65535 deny all from any to ${ip}
    exit 0
fi
Thanks
Spiros

================================================================
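As an added check, not from the thread or from any of its posters, here is a small POSIX sh lint for a rules script of the shape posted above. It flags the two defects visible in that script: the "{ks}" on the rule-300 line has no leading "$", so the shell passes the literal token to ipfw, which rejects the whole add (leaving no ssh allow rule at all), and rule number 65535 is ipfw's reserved default rule, which "ipfw add" refuses. The sample lines are constructed from the posted script, and the function name lint_ipfw_rules is my own.

```shell
#!/bin/sh
# Added example, not part of the thread: lint an ipfw.rules script for a
# brace group without a leading "$" (the shell hands ipfw the literal
# token, e.g. "{ks}" instead of "keep-state", and ipfw rejects the rule)
# and for a rule numbered 65535 (ipfw's fixed default rule, not addable).

# lint_ipfw_rules FILE: prints one finding per line; returns 0 if clean,
# 1 otherwise. Only "${addcmd} ..." lines (the ipfw add calls) are checked.
lint_ipfw_rules() {
    file=$1 rc=0 lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case $line in
            '#'*) continue ;;           # comment line
            *'${addcmd}'*) ;;           # an ipfw add line: check it
            *) continue ;;              # assignments, flush, if/else, ...
        esac
        # strip every properly written ${name}; anything left that still
        # looks like {name} is a brace group the shell will not expand
        if printf '%s\n' "$line" | sed 's/[$]{[A-Za-z_]*}//g' \
                | grep -q '{[A-Za-z_]*}'; then
            echo "$file:$lineno: unexpanded variable (missing \$): $line"
            rc=1
        fi
        # the rule number is the first word after ${addcmd}
        num=$(printf '%s\n' "$line" \
              | sed -n 's/.*[$]{addcmd}[[:space:]]*\([0-9][0-9]*\).*/\1/p')
        if [ -n "$num" ] && [ "$num" -ge 65535 ]; then
            echo "$file:$lineno: rule $num is the reserved default rule"
            rc=1
        fi
    done < "$file"
    return $rc
}

# Constructed sample: the relevant lines of the posted ipfw.rules, as posted.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
#!/bin/sh
addcmd="/sbin/ipfw -q add"
ks="keep-state"
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
# Allow ssh from anywhere
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
# Everything else is denied
${addcmd} 65535 deny all from any to ${ip}
EOF
# Constructed sample: the same lines with "${ks}" and rule 65534 instead.
SAMPLE_OK=$(mktemp)
sed 's/ssh {ks}/ssh ${ks}/; s/ 65535 / 65534 /' "$SAMPLE_BAD" > "$SAMPLE_OK"

lint_ipfw_rules "$SAMPLE_BAD" || echo "defects found in $SAMPLE_BAD"
```

On FreeBSD an outbound packet that ipfw drops is returned to the writing process as EACCES, which is the "Write failed: Permission denied" sshd logs above, so the lint's findings and that log line point at the same missing rule.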