From: "Spiros Papadopoulos"
To: "Giorgos Keramidas"
Cc: freebsd-questions@freebsd.org
Date: Thu, 12 Oct 2006 01:31:42 +0100
Subject: Re: Problems with ipfw and ssh
In-Reply-To: <20061011234720.GA84405@gothmog.pc>
References: <20061011220815.GA83773@gothmog.pc> <20061011234720.GA84405@gothmog.pc>

On 12/10/06, Giorgos Keramidas wrote:
> On 2006-10-12 00:53, Spiros Papadopoulos wrote:
> > I started yesterday playing with it / testing it, but since I
> > want to do most of the work remotely, I am stuck on this rule and
> > feel like I have to keep looking until I find the solution. I paste the
> > whole script here just in case something else is wrong... Here
> > is my ipfw.rules file:
> >
> > /** Sorry for the delay. In the meanwhile, just before sending the
> > mail something else happened. Taking into account what you told
> > me about the "state" keyword, I added it to rule 300. Then
> > I could not connect at all. I tried to take it off again, but
> > surprisingly it still doesn't allow any connections at all (not
> > even the user this time), hmmm... I am sending it as it was
> > initially, which from yesterday until my first e-mail was
> > working as described previously... Now also when I run the
> > script with the "allowall" option it gives me problems, when it
> > was working before. I can ping the machine and get replies but
> > I cannot ssh to it. It seems that I am doing something wrong
> > but cannot identify where */
> >
> > #!/bin/sh
> >
> > # rules command prefix
> > addcmd="/sbin/ipfw -q add"
> >
> > # and the interface
> > if="xl0"
> >
> > # details of this computer
> > ip="192.168.1.199"
> > net="192.168.1.0"
> > mask="255.255.255.0"
> > bcast="192.168.1.255"
> >
> > nic="sk0"
> > ks="keep-state"
> >
> > # Flush out the list
> > /sbin/ipfw -q -f flush
> >
> > if [ "$1" = "allowall" ]
> > then
> >     ${addcmd} 100 allow all from any to any via ${nic}
> >     exit 0
> > else
> >     # Only in rare cases do you want to change these rules
> >     ${addcmd} 50 allow all from any to any via lo0
> >     ${addcmd} 100 deny all from any to 127.0.0.0/8
> >     ${addcmd} 150 deny ip from 127.0.0.0/8 to any
>
> These look ok.
>
> >     # At the moment don't allow it
> >     #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
> >     #${addcmd} 500 allow all from ${net}:${mask} to ${ip}
>
> Not sure why these are needed (but they are commented out).

They are meant to allow all traffic from net 192.168.1.0 and were
commented out temporarily. I just sent the script as it was.

> >     # Allow only specific stuff and maintain the firewall for as long
> >     # as needed to become tough enough
> >
> >     # check state and keep it
> >     ${addcmd} 200 check-state
> >
> >     ${addcmd} 210 allow tcp from me to any setup ${ks}
> >     ${addcmd} 211 allow udp from me to any ${ks}
> >
> >     ${addcmd} 212 allow icmp from any to me icmptypes 0,3,4,11
> >     ${addcmd} 212 allow icmp from me to any
> >
> >     # Allow Traffic to my ISP DNS server
> >     ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
> >     ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
> >
> >     # Allow ssh from anywhere
> >     #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
> >     #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
> >     ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
> >     # Everything else is denied
> >     ${addcmd} 65535 deny all from any to ${ip}
> >     exit 0
> > fi
>
> You seem to be missing a 'setup' keyword in the ssh rule :-/
>
> I just loaded your own ruleset (with ${ip} and ${nic} set to local
> values) on a FreeBSD 7.0-CURRENT system here. They work fine, as far as
> I can tell:
>
> ,----------------------------------------------------------------
> | giorgos@gothmog:/home/giorgos$ su -
> | Password: ********
> | root@gothmog:/root# ipfw -d show
> | 00050 168 30828 allow ip from any to any via lo0
> | 00100 0 0 deny ip from any to 127.0.0.0/8
> | 00150 0 0 deny ip from 127.0.0.0/8 to any
> | 00200 0 0 check-state
> | 00210 881 129402 allow tcp from me to any setup keep-state
> | 00211 8 965 allow udp from me to any keep-state
> | 00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
> | 00212 0 0 allow icmp from me to any
> | 00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
> | 00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
> | 00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
> | 65535 154 35966 deny ip from any to any
> | ## Dynamic rules (12):
> | root@gothmog:/root#
> `----------------------------------------------------------------
>
> The only changes I made are:
>
> * Use 'any' instead of xx.xxx.x.xx as the UDP address.
>
> * Change ${ip} to my own address
>
> * Change ${nic} to my own interface name
>
> I can connect to other hosts and ssh back into my workstation
> with this ruleset :-/
>
> Sorry, but I'm not sure why in your case this fails to work.

Now this is strange. I will try again tomorrow evening more carefully
and I will post any results. Initially I sent the mail because of the
failure to su as root (as described also in that post I referenced)
after I was logging in as a normal user canonically. So it was working
as you said. But can you su to root after connecting?

Sorry, I will not be able to reply again tonight.

Thanks,
Spiros Papadopoulos
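The thread turns on details of the rule script that are easy to miss when the only feedback is a lost SSH session: a keep-state rule on a TCP service with no 'setup' keyword (the point Giorgos raises), a variable reference typed as '{ks}' rather than '${ks}' (the shell passes the literal text on and ipfw rejects the rule), and a rule numbered 65535, which is the kernel's own default rule: the 'ipfw -d show' output quoted above shows the stock 'deny ip from any to any' at 65535, not the script's 'deny all from any to ${ip}'. The following pre-flight lint is an added example written for this page, not code from either mail or from FreeBSD. It reads an sh-style ipfw script such as the one posted, tracks its simple VAR="value" assignments, and reports those three problems plus any variable that is referenced but never assigned. The function names, the finding codes and the sample script (with 192.0.2.10 as a placeholder address) are all constructed for the example.

```python
"""Pre-flight lint for an sh-style ipfw rule script (added example).

Reports, per line:
  bare-brace          {VAR} with no '$': ipfw receives the literal text
  unset-var           $VAR / ${VAR} never assigned in the script (expands to '')
  reserved-rulenum    rule number 65535, the kernel's default rule
  keepstate-no-setup  tcp rule with keep-state but no setup keyword
"""
import re

DEFAULT_RULE = 65535

# Simple sh assignments such as ks="keep-state" or nic=sk0.
ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)=("?)([^"]*)\2$')
# $VAR or ${VAR}; positional parameters such as "$1" are deliberately excluded.
DOLLAR_REF_RE = re.compile(r'\$\{([A-Za-z_]\w*)\}|\$([A-Za-z_]\w*)')
# {VAR} with no '$' in front: a typo the shell passes through unchanged.
BARE_BRACE_RE = re.compile(r'(?<!\$)\{([A-Za-z_]\w*)\}')
# An "add" command, via the ${addcmd} prefix convention or spelled out.
RULE_RE = re.compile(r'^(?:\$\{?addcmd\}?|\S*ipfw(?:\s+-\S+)*\s+add)\s+(\d+)\s+(.*)$')


def expand(text, env):
    """Expand $VAR / ${VAR} using the assignments seen so far (unset -> '')."""
    return DOLLAR_REF_RE.sub(lambda m: env.get(m.group(1) or m.group(2), ''), text)


def lint_ipfw_script(script):
    """Return a list of (line_number, code, message) findings for the script."""
    env = {}
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = m.group(3)
            continue
        for name in BARE_BRACE_RE.findall(line):
            findings.append((lineno, 'bare-brace',
                             f"'{{{name}}}' has no '$': ipfw gets the literal "
                             f"text and rejects the whole rule"))
        for ref in DOLLAR_REF_RE.finditer(line):
            name = ref.group(1) or ref.group(2)
            if name not in env:
                findings.append((lineno, 'unset-var',
                                 f"'{name}' is referenced but never assigned"))
        m = RULE_RE.match(line)
        if not m:
            continue
        number = int(m.group(1))
        words = expand(m.group(2), env).split()
        if number >= DEFAULT_RULE:
            findings.append((lineno, 'reserved-rulenum',
                             f"rule {number} is the kernel default rule; "
                             f"this add never takes effect"))
        if 'tcp' in words and 'keep-state' in words and 'setup' not in words:
            findings.append((lineno, 'keepstate-no-setup',
                             "keep-state on a tcp rule without 'setup': state is "
                             "created from any segment, not only the opening SYN"))
    return findings


# Constructed excerpt in the style of the posted script (not the posted file):
# the ssh rule lacks 'setup', the http rule carries a '{ks}' typo, one rule
# references an unassigned ${wan}, and the last rule reuses rule number 65535.
SAMPLE_SCRIPT = """\
#!/bin/sh
addcmd="/sbin/ipfw -q add"
nic="sk0"
ip="192.0.2.10"
ks="keep-state"
/sbin/ipfw -q -f flush
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 211 allow udp from me to any ${ks}
${addcmd} 250 allow udp from ${ip} to any 53 out via ${nic}
${addcmd} 300 allow log logamount 5 tcp from any to me 22 ${ks}
${addcmd} 310 allow tcp from any to me 80 in via ${nic} {ks}
${addcmd} 320 allow tcp from any to me 25 in via ${wan} setup ${ks}
${addcmd} 65535 deny all from any to ${ip}
"""

if __name__ == "__main__":
    for lineno, code, message in lint_ipfw_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: [{code}] {message}")
```

Run against a real rule file with `lint_ipfw_script(open(path).read())` before loading it over a remote session; a clean report does not prove the ruleset lets you back in, but each finding above is one that would have cost the session silently.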