Giorgo thanks for the immediate reply,

I started yesterday playing with it / testing it, but since i want to
do most of the work remotely, i stuck on this rule and feel like keep
looking until i find the solution. I paste the whole script here just
in case something else is wrong...
Here is my ipfw.rules file:

/** Sorry for the delay. In the meanwhile, just before sent the mail
something else happened. Taking in account what you told me about the
"state" keyword, i added it to the rule 300. Then i could not connect
at all. I tried to take it off again, but surprisingly it still
doesn't allow any connections at all (not even the user this time),
hmmm... I am sending it as it was initially, which from yesterday
until my first e-mail it was working as described previously...Now
also when i run the script with the "allowall" option gives me
problems, when it was working before. I can ping the machine and get
replies but i cannot ssh to it. It seems that i am doing something
wrong but cannot identify where */


# rules commmand prefix
addcmd="/sbin/ipfw -q add"

# and the interface

# details of this computer


# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
       ${addcmd} 100 allow all from any to any via ${nic}
       exit 0
       # Only in rare cases do you want to change these rules
       ${addcmd} 50 allow all from any to any via lo0
       ${addcmd} 100 deny all from any to
       ${addcmd} 150 deny ip from to any

       # At the moment don't allow it
       #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
       #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

       # Allow only specific stuff and maintain the firewall for as long
       # as needed to become tough enough

       # check state and keep it
       ${addcmd} 200 check-state

       ${addcmd} 210 allow tcp from me to any setup ${ks}
       ${addcmd} 211 allow udp from me to any ${ks}

       ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
       ${addcmd} 212 allow icmp from me to any

       # Allow Traffic to my ISP DNS server
       ${addcmd} 250 allow udp from ${ip} to 53 out via ${nic}
       ${addcmd} 251 allow udp from to ${ip} 53 in via ${nic}

       # Allow ssh from anywhere
       #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
       #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
       ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
       # Everything else is denied
       ${addcmd} 65535 deny all from any to ${ip}
       exit 0


On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
I removed freebsd-ipfw from the recipient list.  Please keep `general'
questions in freebsd-questions.  The freebsd-ipfw list is, as far as I
know, used for *development* of IPFW; not questions.

On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> Hi,
> I am trying to configure a firewall using ipfw for a machine running
> FreeBSD 5.4.  Without NAT.
> I am nearly a newbie on this (since i never had time until now..) but
> still i believe i understand exactly the concepts and what needs to be
> done.  Except the manual page and chapter 26.1 in the handbook I am
> using good references such as:
> I need to connect remotely to the machine using ssh and this is where
> i get the problem:
> Initially i can connect properly using a normal user account.  When
> later i am trying to su to root it does nothing and the connection
> closes.

Can you show us the full IPFW ruleset you are using?

> I have ipfw enabled in the kernel to deny everything by default.  I
> have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules and also other combinations, such as taking off setup
> and keep-state etc etc which would then make my firewall stateless as
> far as i understood, which is something i don't want anyway.
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

The second seems wrong, unless you also have 'setup' rules elsewhere.

> In a first investigation (not thorough) i found this post:
> where from, i cannot realize what is wrong or how to fix this.

The initial ruleset of this forum thread has a few bugs, which I'm not
interested in pointing out one by one right now.  Just ignore most of it.

> I run the sshd in debug mode and below is the portion, for when i am trying
> to su to root
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7

Now we're getting somewhere.  Please post your *FULL* ipfw ruleset so we
can try to find out why/when/where packets can be blocked.

Spiros Papadopoulos
_______________________________________________ mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to