Date:      Fri, 13 Oct 2006 09:58:21 +0100
From:      "Spiros Papadopoulos" <>
To:        "Mark Jose" <>
Subject:   Re: Problems with ipfw and ssh
Message-ID:  <>
In-Reply-To: <000001c6ee76$ba183ca0$0400a8c0@maf>
References:  <008f01c6edd0$3f520c40$0200a8c0@ChrisLaptop> <000001c6ee76$ba183ca0$0400a8c0@maf>

On 13/10/06, Mark Jose <> wrote:
> > I get this error when updating my firewall rules via ssh. Any current ssh
> > connections are dropped, but I'm able to reinitiate a new connection without
> > trouble.
> What you describe is expected activity when changing firewall rules. What
> isn't expected is the "Permission denied" bit. Can someone post their rules
> so we can check them out?


OK, below are the first two posts I sent when I had this error. I was
advised, and more or less knew, that I shouldn't post questions to
freebsd-ipfw, so first an operator of the list took ipfw out and then I
tried not to include it again. However, I received back some replies which
had the address, and then things got messed up since I didn't notice in time
(half of the messages were sent..).

I am sending you *only* the posts I wrote that describe the error, some logs
and the ruleset, which is actually really primitive.

What I finally did about this is that now I allow everything, and I may add
a 65534 rule to deny everything when that is what I want, which indeed I
find a better idea.
The thing is that I got a reply that the rules worked as-is on a FreeBSD 7.0 box.

I wouldn't have posted in the first place, but I spent a whole evening trying
to understand what it is trying to do and why the permission is denied.
After I added a rule 65534 to allow everything from everywhere I could su...
So I am more or less sure that there is some rule that I had to add
which was missing.

I hope this helps but if you need more details let me know.

Regards, Spiros


I am trying to configure a firewall using ipfw for a machine running FreeBSD,
without NAT.

I am nearly a newbie at this (since I never had time until now..) but still
I believe I understand exactly the concepts and what needs to be done.
Besides the manual page and chapter 26.1 in the Handbook I am using good
references such as:

I need to connect remotely to the machine using ssh, and this is where I get
the problem:

Initially I can connect properly using a normal user account.
When later I try to su to root it does nothing and the connection

I have ipfw enabled in the kernel to deny everything by default.
I have used both of the following rules concerning ssh (one at a time),
and also other combinations, such as taking off setup and keep-state etc.,
which would then make my firewall stateless as far as I understood, which is
something I don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) I found this post:
from which I cannot tell what is wrong or how to fix this.

I ran sshd in debug mode and below is the portion from when I am trying
to su to root

/* sshd -d */
Write failed: Permission denied
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

/* line from /var/log/messages */
Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

/* /var/log/auth.log */
Sep 26 11:17:34 username sshd[50073]: Connection from port
Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for
user from port 1545 ssh2
Sep 26 10:17:49 username su: user to root on /dev/ttyp4
Sep 26 11:17:51 username sshd[50068]: Read error from remote host Connection reset by peer
Sep 26 13:29:40 username sshd[50076]: Read error from remote host Operation timed out

Is it trying to write to a socket? I cannot see what it is trying to do and
why permission is denied (of course maybe it is right in front of me.. but..)

Could anyone please advise?


I started yesterday playing with it / testing it, but since I want to
do most of the work remotely, I got stuck on this rule and feel like I should
keep looking until I find the solution. I paste the whole script here just
in case something else is wrong...
Here is my ipfw.rules file:


# rules command prefix
addcmd="/sbin/ipfw -q add"

# and the interface

# details of this computer


# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]; then
       ${addcmd} 100 allow all from any to any via ${nic}
       exit 0
else
       # Only in rare cases do you want to change these rules
       ${addcmd} 50 allow all from any to any via lo0
       ${addcmd} 100 deny all from any to
       ${addcmd} 150 deny ip from to any

       # At the moment don't allow it
       #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
       #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

       # Allow only specific stuff and maintain the firewall for as long
       # as needed to become tough enough

       # check state and keep it
       ${addcmd} 200 check-state

       ${addcmd} 210 allow tcp from me to any setup ${ks}
       ${addcmd} 211 allow udp from me to any ${ks}

       ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
       ${addcmd} 212 allow icmp from me to any

       # Allow Traffic to my ISP DNS server
       ${addcmd} 250 allow udp from ${ip} to 53 out via ${nic}
       ${addcmd} 251 allow udp from to ${ip} 53 in via ${nic}

       # Allow ssh from anywhere
       #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup
       #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks}
       ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
       # Everything else is denied
       # (65535 is the number of ipfw's own built-in default rule; rules
       # added by hand are numbered below it, e.g. the 65534 mentioned above)
       ${addcmd} 65535 deny all from any to ${ip}
       exit 0
fi
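The ruleset above depends on first-match order and on the dynamic rules that check-state and keep-state create, and the symptom in the logs is the kernel refusing a packet sshd tried to send: on FreeBSD, when ipfw denies a locally generated packet the sending socket gets EACCES, which is the "Permission denied" in the messages. What follows is an added example, not code from this thread and not FreeBSD's ipfw: a toy Python model of that evaluation, run over the stateful part of the posted rules with assumed addresses (192.0.2.10 for the host, 198.51.100.7 for the client) and a constructed ssh handshake. It traces three cases: rule 300 with keep-state, rule 300 without keep-state (the posted script has `{ks}` where `${ks}` was presumably meant, so the option may not have reached ipfw), and a flush-and-reload of the rules during an established session, which is the situation in the quoted first message.

```python
"""Toy model of ipfw first-match evaluation with check-state / keep-state.
Added example: not code from the original post and not FreeBSD's ipfw."""
from collections import namedtuple

# Assumed addresses standing in for the ones stripped from the posted script.
ME = "192.0.2.10"        # assumption: the FreeBSD host ("me" in ipfw rules)
CLIENT = "198.51.100.7"  # assumption: the remote ssh client

# A TCP/UDP packet; syn/ack are the TCP flags that ipfw's "setup" looks at.
Packet = namedtuple("Packet", "proto src sport dst dport syn ack", defaults=(False, False))

# One static rule. action: allow|deny|check-state; proto: tcp|udp|icmp|any;
# src/dst: "any", "me" or an address; dport 0 = any destination port;
# setup = match only SYN without ACK; keep_state = create a dynamic rule on match.
Rule = namedtuple("Rule", "num action proto src dst dport setup keep_state",
                  defaults=("any", "any", "any", 0, False, False))


def _addr_match(pattern, addr):
    return pattern == "any" or (pattern == "me" and addr == ME) or pattern == addr


def rule_matches(rule, pkt):
    """Static match of one rule against one packet (no dynamic state)."""
    return (rule.proto in ("any", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.dport == 0 or pkt.dport == rule.dport)
            and (not rule.setup or (pkt.syn and not pkt.ack)))


class Firewall:
    DEFAULT = (65535, "deny")  # ipfw's built-in default rule

    def __init__(self, rules):
        self.reload(rules)

    def reload(self, rules):
        """'ipfw -f flush' then re-adding the rules: dynamic state is lost."""
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = set()   # flows created by keep-state, matched both ways

    def evaluate(self, pkt):
        """Return (rule number, action) of the first rule that matches pkt."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for rule in self.rules:
            if rule.action == "check-state":
                if fwd in self.dynamic or rev in self.dynamic:
                    return (rule.num, "allow")
                continue
            if rule_matches(rule, pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add(fwd)
                return (rule.num, rule.action)
        return self.DEFAULT


def local_send(fw, pkt):
    """What a local write() on the socket sees: a locally generated packet that
    ipfw denies comes back to the sender as EACCES ('Permission denied')."""
    num, action = fw.evaluate(pkt)
    return (num, "EACCES" if action == "deny" else "sent")


def posted_rules(keep_state_on_ssh=True):
    """Stateful part of the posted ruleset (addresses assumed; the final deny is
    left to ipfw's default rule). keep_state_on_ssh=False models rule 300 with
    its keep-state option missing."""
    return [
        Rule(200, "check-state"),
        Rule(210, "allow", "tcp", "me", "any", setup=True, keep_state=True),
        Rule(211, "allow", "udp", "me", "any", keep_state=True),
        Rule(300, "allow", "tcp", "any", "any", dport=22, keep_state=keep_state_on_ssh),
    ]


# Constructed ssh handshake; client port 1545 as in the auth.log above.
SYN = Packet("tcp", CLIENT, 1545, ME, 22, syn=True)
SYNACK = Packet("tcp", ME, 22, CLIENT, 1545, syn=True, ack=True)
ACK = Packet("tcp", CLIENT, 1545, ME, 22, ack=True)
BANNER = Packet("tcp", ME, 22, CLIENT, 1545, ack=True)  # sshd's first write


def ssh_trace(keep_state_on_ssh=True):
    """Rule hit by each handshake packet, then the result of sshd's write."""
    fw = Firewall(posted_rules(keep_state_on_ssh))
    return {"syn": fw.evaluate(SYN), "synack": fw.evaluate(SYNACK),
            "ack": fw.evaluate(ACK), "banner": local_send(fw, BANNER)}


def reload_mid_session():
    """Session established, then the rules script is re-run (flush + add):
    sshd's next write no longer matches check-state and fails with EACCES."""
    fw = Firewall(posted_rules())
    fw.evaluate(SYN)            # creates the dynamic rule for this session
    fw.reload(posted_rules())
    return local_send(fw, BANNER)
```

With keep-state on rule 300, the client's SYN hits 300 and creates the dynamic rule, and the SYN/ACK and every later write from sshd match check-state at 200. Without keep-state the SYN still hits 300, but the SYN/ACK and sshd's banner are outbound packets whose destination port is the client's port, not 22, and rule 210 only matches SYN-without-ACK, so they fall through to the default deny and the write fails with EACCES. The reload case reproduces the dropped-connection behaviour from the quoted message: the flush discards the dynamic rules, so the established session's next outbound packet is denied as well. The model ignores dynamic-rule lifetimes, the `in`/`out via` interface qualifiers and the `log` keyword, none of which changes these three traces.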


