From: Spiros Papadopoulos <spap13@googlemail.com>
To: Mark Jose
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 13 Oct 2006 09:58:21 +0100
Subject: Re: Problems with ipfw and ssh

On 13/10/06, Mark Jose wrote:
> > I get this error when updating my firewall rules via ssh. Any current ssh
> > connections are dropped, but I'm able to reinitiate a new connection without
> > trouble.
>
> What you describe is expected activity when changing firewall rules. What
> isn't expected is the "Permission denied" bit. Can someone post their rules
> so we can check them out?

Hi,

OK, below are the first two posts I posted when I had this error. I was advised, and more or less knew, that I shouldn't post questions to freebsd-ipfw, so first an operator of the list took ipfw out and then I tried not to include it again. However, I received back some replies which had the address and then things got messed up since I didn't notice in time (half of the messages were sent...).

I send you *only* the posts I posted that describe the error, some logs and the ruleset, which is actually really primitive. What I finally did about this is that now I allow everything, and I may add a 65534 rule to deny everything when this is what I want, which indeed I find a better idea. The thing is that I got a reply that the rules worked as-is on a FreeBSD 7.0 box. I wouldn't post in the first place, but I spent a whole evening trying to understand what it is trying to do and why permission is denied. After I added a rule 65534 to allow everything from everywhere I could su... So I am more or less sure that there is some rule that I had to add which was missing.

I hope this helps, but if you need more details let me know.

Regards,
Spiros

============================================================

Hi,

I am trying to configure a firewall using ipfw for a machine running FreeBSD 5.4, without NAT. I am nearly a newbie on this (since I never had time until now...) but still I believe I understand exactly the concepts and what needs to be done. Apart from the manual page and chapter 26.1 in the handbook, I am using good references such as: http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where I get the problem: initially I can connect properly using a normal user account. When later I try to su to root it does nothing and the connection closes.

I have ipfw enabled in the kernel to deny everything by default. I have used both (one at a time) of the following rules concerning ssh in /etc/ipfw.rules, and also other combinations, such as taking off setup and keep-state etc., which would then make my firewall stateless as far as I understood, which is something I don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
-
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) I found this post: http://www.freebsdforums.org/forums/showthread.php?t=21876 from which I cannot tell what is wrong or how to fix this.

I ran sshd in debug mode and below is the portion for when I am trying to su to root:

/* sshd -d */
Write failed: Permission denied
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

/* line from /var/log/messages */
Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

/* /var/log/auth.log */
Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
Sep 26 10:17:49 username su: user to root on /dev/ttyp4
Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a socket?
I cannot see what it is trying to do and why permission is denied (of course maybe it is right in front of me... but...). Could anyone please advise?

========================================================

I started yesterday playing with it / testing it, but since I want to do most of the work remotely, I am stuck on this rule and feel like I should keep looking until I find the solution. I paste the whole script here just in case something else is wrong... Here is my ipfw.rules file:

#!/bin/sh
# rules command prefix
addcmd="/sbin/ipfw -q add"
# and the interface
if="xl0"
# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"
nic="sk0"
ks="keep-state"

# Flush out the list (this also drops all dynamic state, so
# established ssh sessions are cut at this point)
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
then
    ${addcmd} 100 allow all from any to any via ${nic}
    exit 0
else
    # Only in rare cases do you want to change these rules
    ${addcmd} 50 allow all from any to any via lo0
    ${addcmd} 100 deny all from any to 127.0.0.0/8
    ${addcmd} 150 deny ip from 127.0.0.0/8 to any

    # At the moment don't allow it
    #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
    #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

    # Allow only specific stuff and maintain the firewall for as long
    # as needed to become tough enough

    # check state and keep it
    ${addcmd} 200 check-state
    ${addcmd} 210 allow tcp from me to any setup ${ks}
    ${addcmd} 211 allow udp from me to any ${ks}
    # icmptype takes one comma-separated list, with no spaces in it
    ${addcmd} 212 allow icmp from any to me icmptype 0,3,4,11
    ${addcmd} 212 allow icmp from me to any

    # Allow traffic to my ISP DNS server (replies come from source port 53)
    ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
    ${addcmd} 251 allow udp from xx.xxx.x.xx 53 to ${ip} in via ${nic}

    # Allow ssh from anywhere
    #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
    #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
    # ${ks} needs the leading "$"; without it the shell passes the literal
    # text {ks} and ipfw rejects the whole rule
    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}

    # Everything else is denied; 65535 is the kernel's built-in default
    # rule and cannot be added, so the last user rule number is 65534
    ${addcmd} 65534 deny all from any to ${ip}
    exit 0
fi

Thanks
Spiros

================================================================
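Two points in the thread deserve a concrete illustration. First, "Write failed: Permission denied" is what a process sees when the kernel's firewall drops one of its outbound packets on FreeBSD: the send returns EACCES, so sshd's complaint points at a rule denying its own traffic, not at a file permission. Second, a flush removes the dynamic (keep-state) entries along with the static rules, which is why every open ssh session dies when the script runs and a fresh connection, whose SYN matches the ssh rule again, works afterwards. The script below is an added example, not code from the post or from FreeBSD; it builds a deny-by-default, stateful ruleset in which the inbound ssh rule uses setup (so only a SYN can create state) and the catch-all deny is numbered 65534. It prints the commands instead of loading them unless IPFW is set to /sbin/ipfw; the interface name sk0, the address 192.168.1.199 and the IPFW, NIC and IP variables are assumptions.

```shell
#!/bin/sh
# Added example: a minimal deny-by-default, stateful ipfw ruleset for
# remote ssh administration, with a dry-run mode so it can be read on any
# host. The interface, address and environment variables are assumptions.
#
# By default the rules are printed; run with IPFW=/sbin/ipfw on a FreeBSD
# host to load them.
IPFW="${IPFW:-echo /sbin/ipfw}"
nic="${NIC:-sk0}"          # assumed outside interface
ip="${IP:-192.168.1.199}"  # assumed address of this host

# add_rule NUMBER RULE...: refuse rule numbers ipfw cannot accept.
# 0 is not a valid rule number and 65535 is the kernel's default rule,
# so user rules must be in 1..65534.
add_rule() {
    num="$1"; shift
    case "$num" in
        ''|*[!0-9]*) echo "add_rule: bad rule number '$num'" >&2; return 1 ;;
    esac
    if [ "$num" -lt 1 ] || [ "$num" -gt 65534 ]; then
        echo "add_rule: rule number $num out of range 1..65534" >&2
        return 1
    fi
    $IPFW -q add "$num" "$@"
}

load_rules() {
    # Flushing also drops every dynamic entry: open ssh sessions end here.
    $IPFW -q -f flush

    add_rule 50  allow all from any to any via lo0
    add_rule 100 deny  all from any to 127.0.0.0/8
    add_rule 150 deny  ip  from 127.0.0.0/8 to any

    # Packets belonging to a tracked session are accepted here, before
    # any of the static rules below are consulted.
    add_rule 200 check-state

    # Connections this host opens; the SYN creates the dynamic entry.
    add_rule 210 allow tcp from me to any setup keep-state
    add_rule 211 allow udp from me to any keep-state
    add_rule 212 allow icmp from any to me icmptype 0,3,4,11
    add_rule 213 allow icmp from me to any

    # Inbound ssh: only the SYN has to match this static rule; every later
    # packet of the session, in both directions, matches the entry at 200.
    # Without "setup", keep-state would create state for any stray packet
    # addressed to port 22.
    add_rule 300 allow log logamount 5 tcp from any to "$ip" 22 setup keep-state \
        in via "$nic"

    # Explicit catch-all; 65534 is the highest number a user rule may have.
    add_rule 65534 deny log all from any to any
}

load_rules
```

Because rule 300 is the only static inbound allow, an sshd reply packet is accepted solely through the dynamic entry at 200; if that entry is missing (for example right after a flush) the packet falls through to 65534 and sshd reports "Permission denied", which is the symptom described in the thread.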