From owner-freebsd-questions@FreeBSD.ORG Wed Oct 11 22:53:05 2006
Date: Thu, 12 Oct 2006 00:53:02 +0200
From: "Spiros Papadopoulos"
To: "Giorgos Keramidas"
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20061011220815.GA83773@gothmog.pc>
References: <20061011220815.GA83773@gothmog.pc>
Subject: Re: Problems with ipfw and ssh

Giorgo, thanks for the immediate reply. I started yesterday playing with it / testing it, but
since I want to do most of the work remotely, I'm stuck on this rule and feel like I should keep looking until I find the solution. I paste the whole script here just in case something else is wrong... Here is my ipfw.rules file:

/** Sorry for the delay. In the meanwhile, just before I sent the mail something else happened. Taking into account what you told me about the "state" keyword, I added it to rule 300. Then I could not connect at all. I tried to take it off again, but surprisingly it still doesn't allow any connections at all (not even the user this time), hmmm... I am sending it as it was initially, which from yesterday until my first e-mail was working as described previously... Now the script also gives me problems when I run it with the "allowall" option, when it was working before. I can ping the machine and get replies but I cannot ssh to it. It seems that I am doing something wrong but cannot identify where */

#!/bin/sh

# rules command prefix
addcmd="/sbin/ipfw -q add"

# and the interface
if="xl0"

# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"
nic="sk0"
ks="keep-state"

# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
then
    ${addcmd} 100 allow all from any to any via ${nic}
    exit 0
else
    # Only in rare cases do you want to change these rules
    ${addcmd} 50 allow all from any to any via lo0
    ${addcmd} 100 deny all from any to 127.0.0.0/8
    ${addcmd} 150 deny ip from 127.0.0.0/8 to any

    # At the moment don't allow it
    #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
    #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

    # Allow only specific stuff and maintain the firewall for as long
    # as needed to become tough enough

    # check state and keep it
    ${addcmd} 200 check-state
    ${addcmd} 210 allow tcp from me to any setup ${ks}
    ${addcmd} 211 allow udp from me to any ${ks}
    ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
    ${addcmd} 212 allow icmp from me to any

    # Allow Traffic to my ISP DNS server
    ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
    ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}

    # Allow ssh from anywhere
    #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
    #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}

    # Everything else is denied
    ${addcmd} 65535 deny all from any to ${ip}
    exit 0
fi

Thanks
Spiros

On 12/10/06, Giorgos Keramidas wrote:
> I removed freebsd-ipfw from the recipient list. Please keep `general'
> questions in freebsd-questions. The freebsd-ipfw list is, as far as I
> know, used for *development* of IPFW; not questions.
>
> On 2006-10-11 22:53, Spiros Papadopoulos wrote:
> > Hi,
> >
> > I am trying to configure a firewall using ipfw for a machine running
> > FreeBSD 5.4. Without NAT.
> >
> > I am nearly a newbie on this (since I never had time until now..) but
> > still I believe I understand exactly the concepts and what needs to be
> > done. Except the manual page and chapter 26.1 in the handbook I am
> > using good references such as:
> >
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> >
> > I need to connect remotely to the machine using ssh and this is where
> > I get the problem:
> >
> > Initially I can connect properly using a normal user account. When
> > later I am trying to su to root it does nothing and the connection
> > closes.
>
> Can you show us the full IPFW ruleset you are using?
>
> > I have ipfw enabled in the kernel to deny everything by default. I
> > have used both (one at a time) the following rules concerning ssh, in
> > /etc/ipfw.rules and also other combinations, such as taking off setup
> > and keep-state etc etc which would then make my firewall stateless as
> > far as I understood, which is something I don't want anyway.
> >
> > ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> > -
> > ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
>
> The second seems wrong, unless you also have 'setup' rules elsewhere.
>
> > In a first investigation (not thorough) I found this post:
> > http://www.freebsdforums.org/forums/showthread.php?t=21876
> > where from, I cannot realize what is wrong or how to fix this.
>
> The initial ruleset of this forum thread has a few bugs, which I'm not
> interested in pointing out one by one right now. Just ignore most of it.
>
> > I run the sshd in debug mode and below is the portion, for when I am trying
> > to su to root
> >
> > /* sshd -d */
> > Write failed: Permission denied
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: session_pty_cleanup: session 0 release /dev/ttyp7
>
> Now we're getting somewhere. Please post your *FULL* ipfw ruleset so we
> can try to find out why/when/where packets can be blocked.
>

--
Spiros Papadopoulos
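An added example, not the poster's script and not from anyone in the thread, showing how I would lay out this kind of ruleset for a box that is administered over ssh. The same `add`/`flush` functions print the rules when `DRYRUN=1` instead of loading them, so the ruleset can be reviewed first; a small `lint` pass over the printed rules flags the points raised above (an inbound tcp keep-state rule without `setup`, a keep-state rule that is not preceded by the check-state rule, and a rule containing a literal brace, which is what the shell emits for `{ks}` when the `$` is missing, as in the active rule 300 line of the posted script); and `apply_with_fallback` reloads allow-all after a grace period unless cancelled, so a wrong ruleset cannot lock a remote administrator out. The interface name, the resolver address and the admin network are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateful ipfw ruleset for a host
# administered over ssh, with a dry-run mode, a lint pass over the printed
# rules, and a timed fallback against locking yourself out.
# The interface, resolver address and admin network below are placeholders.

ipfw="${IPFW:-/sbin/ipfw}"
nic="${NIC:-sk0}"
dns="${DNS_IP:-10.0.0.53}"                  # placeholder for the ISP resolver
admin_net="${ADMIN_NET:-192.168.1.0/24}"    # where ssh logins are accepted from

# add/flush honour DRYRUN=1 at call time: print the rule instead of loading it.
add()   { if [ "${DRYRUN:-0}" = 1 ]; then echo "add $*"; else "$ipfw" -q add "$@"; fi; }
flush() { if [ "${DRYRUN:-0}" = 1 ]; then echo "flush";  else "$ipfw" -q -f flush; fi; }

# The ruleset, lowest number first; ipfw evaluates rules in that order.
ruleset() {
    flush
    add 50    allow all from any to any via lo0
    add 100   deny  all from any to 127.0.0.0/8
    add 150   deny  ip  from 127.0.0.0/8 to any
    add 200   check-state    # consult the dynamic rules before any keep-state rule
    # Inbound ssh: match only the connection-opening SYN ("setup"), record the
    # flow, and accept it from the admin network rather than from "any".
    add 300   allow log logamount 5 tcp from "$admin_net" to me 22 in via "$nic" setup keep-state
    add 400   allow tcp  from me to any setup keep-state
    add 410   allow udp  from me to "$dns" 53 keep-state
    add 420   allow icmp from me to any keep-state
    add 430   allow icmp from any to me icmptypes 0,3,4,11
    add 65000 deny  log all from any to any    # explicit, logged catch-all, both directions
}

# lint: read "add N ..." lines on stdin, print one line per finding, exit 1 if any.
lint() {
    awk '
        $1 == "add" && $3 == "check-state" { cs = $2 + 0 }
        $1 == "add" && /keep-state/ {
            if (cs == 0 || $2 + 0 < cs)
                { print "rule " $2 ": keep-state rule not preceded by a check-state rule"; bad = 1 }
            if (/ tcp from .* to me/ && !/setup/)
                { print "rule " $2 ": inbound tcp keep-state rule lacks setup"; bad = 1 }
        }
        $1 == "add" && /[{}]/ {
            print "rule " $2 ": literal brace in rule (shell variable written without $?)"; bad = 1
        }
        END { exit bad }'
}

# apply_with_fallback GRACE: load the ruleset, then unless cancel_fallback is
# called within GRACE seconds, reload allow-all so a bad ruleset undoes itself.
apply_with_fallback() {
    ruleset
    ( sleep "${1:-180}"; flush; add 100 allow all from any to any via "$nic" ) &
    fallback_pid=$!
}
cancel_fallback() { [ -n "$fallback_pid" ] && kill "$fallback_pid" 2>/dev/null; fallback_pid=; }
```

Usage: source the file, run `DRYRUN=1 ruleset | lint` and read the printed rules before loading anything; then `apply_with_fallback 180`, open a fresh ssh session from the admin network to confirm you still get in (and that `su` still works in it), and only then `cancel_fallback`. If the new session fails, the fallback restores allow-all on its own after the grace period.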