Giorgo thanks for the immediate reply,
I started yesterday playing with it / testing it, but since i want to
do most of the work remotely, i stuck on this rule and feel like keep
looking until i find the solution. I paste the whole script here just
in case something else is wrong...
Here is my ipfw.rules file:
/** Sorry for the delay. In the meanwhile, just before sent the mail
something else happened. Taking in account what you told me about the
"state" keyword, i added it to the rule 300. Then i could not connect
at all. I tried to take it off again, but surprisingly it still
doesn't allow any connections at all (not even the user this time),
hmmm... I am sending it as it was initially, which from yesterday
until my first e-mail it was working as described previously...Now
also when i run the script with the "allowall" option gives me
problems, when it was working before. I can ping the machine and get
replies but i cannot ssh to it. It seems that i am doing something
wrong but cannot identify where */
#!/bin/sh
# rules commmand prefix
addcmd="/sbin/ipfw -q add"
# and the interface
if="xl0"
# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"
nic="sk0"
ks="keep-state"
# Flush out the list
/sbin/ipfw -q -f flush
if [ "$1" = "allowall" ]
then
${addcmd} 100 allow all from any to any via ${nic}
exit 0
else
# Only in rare cases do you want to change these rules
${addcmd} 50 allow all from any to any via lo0
${addcmd} 100 deny all from any to 127.0.0.0/8
${addcmd} 150 deny ip from 127.0.0.0/8 to any
# At the moment don't allow it
#${addcmd} 400 allow all from ${ip} to ${net}:${mask}
#${addcmd} 500 allow all from ${net}:${mask} to ${ip}
# Allow only specific stuff and maintain the firewall for as long
# as needed to become tough enough
# check state and keep it
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 211 allow udp from me to any ${ks}
${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
${addcmd} 212 allow icmp from me to any
# Allow Traffic to my ISP DNS server
${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
# Allow ssh from anywhere
#${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
#${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
# Everything else is denied
${addcmd} 65535 deny all from any to ${ip}
exit 0
fi
Thanks
Spiros
On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
I removed freebsd-ipfw from the recipient list. Please keep `general'
questions in freebsd-questions. The freebsd-ipfw list is, as far as I
know, used for *development* of IPFW; not questions.
On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to configure a firewall using ipfw for a machine running
> FreeBSD 5.4. Without NAT.
>
> I am nearly a newbie on this (since i never had time until now..) but
> still i believe i understand exactly the concepts and what needs to be
> done. Except the manual page and chapter 26.1 in the handbook I am
> using good references such as:
>
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
>
> I need to connect remotely to the machine using ssh and this is where
> i get the problem:
>
> Initially i can connect properly using a normal user account. When
> later i am trying to su to root it does nothing and the connection
> closes.
Can you show us the full IPFW ruleset you are using?
> I have ipfw enabled in the kernel to deny everything by default. I
> have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules and also other combinations, such as taking off setup
> and keep-state etc etc which would then make my firewall stateless as
> far as i understood, which is something i don't want anyway.
>
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
The second seems wrong, unless you also have 'setup' rules elsewhere.
> In a first investigation (not thorough) i found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> where from, i cannot realize what is wrong or how to fix this.
The initial ruleset of this forum thread has a few bugs, which I'm not
interested in pointing out one by one right now. Just ignore most of it.
> I run the sshd in debug mode and below is the portion, for when i am trying
> to su to root
>
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7
Now we're getting somewhere. Please post your *FULL* ipfw ruleset so we
can try to find out why/when/where packets can be blocked.
--
Spiros Papadopoulos
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
