Date:      Thu, 12 Oct 2006 01:31:42 +0100
From:      "Spiros Papadopoulos" <spap13@googlemail.com>
To:        "Giorgos Keramidas" <keramida@ceid.upatras.gr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Problems with ipfw and ssh
Message-ID:  <dab71e150610111731p520f5fa4yb00292c034d5ee67@mail.gmail.com>
In-Reply-To: <20061011234720.GA84405@gothmog.pc>
References:  <dab71e150610111453m39c6bdb8ia846b3c4b39c4e08@mail.gmail.com> <20061011220815.GA83773@gothmog.pc> <dab71e150610111553r405ece01y607687b2d39e772c@mail.gmail.com> <20061011234720.GA84405@gothmog.pc>

On 12/10/06, Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
> On 2006-10-12 00:53, Spiros Papadopoulos <spap13@googlemail.com> wrote:
> > I started yesterday playing with it / testing it, but since I
> > want to do most of the work remotely, I got stuck on this rule and
> > feel like I should keep looking until I find the solution. I paste the
> > whole script here just in case something else is wrong...  Here
> > is my ipfw.rules file:
> >
> > /** Sorry for the delay. In the meanwhile, just before sending the
> > mail something else happened. Taking into account what you told
> > me about the "state" keyword, I added it to rule 300. Then
> > I could not connect at all. I tried to take it off again, but
> > surprisingly it still doesn't allow any connections at all (not
> > even the user this time), hmmm... I am sending it as it was
> > initially, which from yesterday until my first e-mail was
> > working as described previously... Now also when I run the
> > script with the "allowall" option it gives me problems, when it
> > was working before. I can ping the machine and get replies but
> > I cannot ssh to it. It seems that I am doing something wrong
> > but cannot identify where */
> >
> > #!/bin/sh
> >
> > # rules command prefix
> > addcmd="/sbin/ipfw -q add"
> >
> > # and the interface
> > if="xl0"
> >
> > # details of this computer
> > ip="192.168.1.199"
> > net="192.168.1.0"
> > mask="255.255.255.0"
> > bcast="192.168.1.255"
> >
> > nic="sk0"
> > ks="keep-state"
> >
> > # Flush out the list
> > /sbin/ipfw -q -f flush
> >
> > if [ "$1" = "allowall" ]
> > then
> >        ${addcmd} 100 allow all from any to any via ${nic}
> >        exit 0
> > else
> >        # Only in rare cases do you want to change these rules
> >        ${addcmd} 50 allow all from any to any via lo0
> >        ${addcmd} 100 deny all from any to 127.0.0.0/8
> >        ${addcmd} 150 deny ip from 127.0.0.0/8 to any
>
> These look ok.
>
> >        # At the moment don't allow it
> >        #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
> >        #${addcmd} 500 allow all from ${net}:${mask} to ${ip}
>
> Not sure why these are needed (but they are commented out).

They are meant to allow all traffic from net 192.168.1.0 and were
commented out temporarily. I just sent the script as it was.

>
> >        # Allow only specific stuff and maintain the firewall for as long
> >        # as needed to become tough enough
> >
> >        # check state and keep it
> >        ${addcmd} 200 check-state
> >
> >        ${addcmd} 210 allow tcp from me to any setup ${ks}
> >        ${addcmd} 211 allow udp from me to any ${ks}
> >
> >        ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
> >        ${addcmd} 212 allow icmp from me to any
> >
> >        # Allow Traffic to my ISP DNS server
> >        ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
> >        ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
> >
> >        # Allow ssh from anywhere
> >        #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
> >        #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
> >        ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
> >        # Everything else is denied
> >        ${addcmd} 65535 deny all from any to ${ip}
> >        exit 0
> > fi
>
> You seem to be missing a 'setup' keyword in the ssh rule :-/
>
> I just loaded your own ruleset (with ${ip} and ${nic} set to local
> values) on a FreeBSD 7.0-CURRENT system here.  They work fine, as far as
> I can tell:
>
> ,----------------------------------------------------------------
> | giorgos@gothmog:/home/giorgos$ su -
> | Password: ********
> | root@gothmog:/root# ipfw -d show
> | 00050 168  30828 allow ip from any to any via lo0
> | 00100   0      0 deny ip from any to 127.0.0.0/8
> | 00150   0      0 deny ip from 127.0.0.0/8 to any
> | 00200   0      0 check-state
> | 00210 881 129402 allow tcp from me to any setup keep-state
> | 00211   8    965 allow udp from me to any keep-state
> | 00212   0      0 allow icmp from any to me icmptypes 0,3,4,11
> | 00212   0      0 allow icmp from me to any
> | 00250   0      0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
> | 00251   0      0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
> | 00300 649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
> | 65535 154  35966 deny ip from any to any
> | ## Dynamic rules (12):
> | root@gothmog:/root#
> `----------------------------------------------------------------
>
> The only changes I made are:
>
>   * Use 'any' instead of xx.xxx.x.xx as the UDP address.
>
>   * Change ${ip} to my own address
>
>   * Change ${nic} to my own interface name
>
> I can connect to other hosts and ssh back into my workstation
> with this ruleset :-/
>
> Sorry, but I'm not sure why in your case this fails to work.
>
>
Now this is strange. I will try again tomorrow evening more carefully
and I will post any results.
Initially I sent the mail because of the failure to su as root (as
described also in that post I referenced) after I was logging in as a
normal user canonically. So it was working as you said.
But can you su to root after connecting?

Sorry, I will not be able to reply again tonight.

Thanks
Spiros Papadopoulos
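The point Giorgos raises above is the missing 'setup' keyword on the inbound ssh rule: a stateful ipfw ruleset should create its dynamic entry on the SYN only and let the established session through check-state. The script below is an added example written for this thread, not the poster's script or anything from the FreeBSD project. It builds the same style of ruleset through a single rule() helper so the whole set can be dry-run with IPFW left at its default of "echo" (set IPFW="/sbin/ipfw -q" on a real host). The interface name re0, the host address, the resolver address and the rule numbers are constructed values; the catch-all deny is placed at 65000 because the kernel's own default rule already occupies 65535 (which is why the 'ipfw -d show' output quoted above lists 65535 as "deny ip from any to any" rather than the script's own rule).

```shell
#!/bin/sh
# Added example, not the original poster's script. Stateful ipfw ruleset
# builder: every rule is emitted through ${IPFW}, so with the default
# IPFW=echo the script only prints what it would load.

IPFW="${IPFW:-echo}"      # use IPFW="/sbin/ipfw -q" on a real host
nic="re0"                 # assumed interface name (constructed)
ip="192.168.1.199"        # assumed host address (constructed)
dns="192.0.2.53"          # assumed resolver, documentation prefix (constructed)

# Emit one rule. All rules go through here so a dry run shows the exact
# argument list ipfw would receive.
rule() {
    ${IPFW} add "$@"
}

# Load (or print) the complete ruleset. Order matters: check-state must
# precede the stateless allow/deny rules so dynamic entries win first.
build_rules() {
    rule 50  allow ip from any to any via lo0
    rule 100 deny ip from any to 127.0.0.0/8
    rule 150 deny ip from 127.0.0.0/8 to any
    # Match packets belonging to an existing dynamic entry.
    rule 200 check-state
    # Outbound sessions: 'setup' limits the match to the SYN, and
    # keep-state creates the dynamic entry for the rest of the session.
    rule 210 allow tcp from me to any setup keep-state
    rule 211 allow udp from me to any keep-state
    rule 212 allow icmp from any to me icmptypes 0,3,4,11
    rule 213 allow icmp from me to any
    # Resolver traffic pinned to one address and the outside interface.
    rule 250 allow udp from "$ip" to "$dns" 53 out via "$nic"
    rule 251 allow udp from "$dns" 53 to "$ip" in via "$nic"
    # Inbound ssh: the SYN alone is allowed here; the established
    # session is then passed by rule 200 via the dynamic entry.
    rule 300 allow log logamount 5 tcp from any to me 22 in via "$nic" setup keep-state
    # Catch-all below the kernel's reserved default rule 65535.
    rule 65000 deny ip from any to any
}

# Flush and reload; only meaningful with a real ${IPFW}.
apply_rules() {
    ${IPFW} -f flush
    build_rules
}

# Return just the ssh rule text, so a dry run can be inspected or checked.
ssh_rule() {
    build_rules | grep '^add 300 '
}
```

Running the file with IPFW unset prints the twelve rules in load order; grepping the dry run for "add 300" confirms that 'setup keep-state' is present on the inbound ssh rule before the set is loaded on a remote box.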