ipfw rules for letting ssh requests in
I can't seem to get the ipfw rules right for letting ssh clients access an ssh server. I can use ssh on the server to connect to the client; but if I try to connect from the client to the server, the operation times out.

I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all of the rules as expected. It also shows packets having been allowed at rule 300 after an attempt to connect has been made.

I have copied the top portion of /etc/ipfw.rules:

#!/bin/sh
# Andrew L. Gould's firewall rules.

fwcmd="/sbin/ipfw -q"

${fwcmd} -f flush

# Basic rules that should not be changed
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any

# Allow specified service requests in

# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22

##

Does anyone have any idea why the operation is timing out or what I have done wrong?

Thanks,

Andrew Gould
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw rules for letting ssh requests in
On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
> I can't seem to get the ipfw rules right for letting ssh clients access an ssh server. I can use ssh on the server to connect to the client; but if I try to connect from the client to the server, the operation times out.
>
> I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all of the rules as expected. It also shows packets having been allowed at rule 300 after an attempt to connect has been made.
>
> I have copied the top portion of /etc/ipfw.rules:
>
> #!/bin/sh
> # Andrew L. Gould's firewall rules.
>
> fwcmd="/sbin/ipfw -q"
>
> ${fwcmd} -f flush
>
> # Basic rules that should not be changed
> ${fwcmd} add 00100 pass all from any to any via lo0
> ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
> ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
>
> # Allow specified service requests in
>
> # ssh
> ${fwcmd} add 00300 allow tcp from any to me 22
> ${fwcmd} add 00301 allow udp from any to me 22
>
> Does anyone have any idea why the operation is timing out or what I have done wrong?

You forgot the packets in the other direction... This should do the trick:

${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any

grtz,
Daan
Re: ipfw rules for letting ssh requests in
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:
> On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
>> I can't seem to get the ipfw rules right for letting ssh clients access an ssh server. I can use ssh on the server to connect to the client; but if I try to connect from the client to the server, the operation times out.
>>
>> I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all of the rules as expected. It also shows packets having been allowed at rule 300 after an attempt to connect has been made.
>>
>> I have copied the top portion of /etc/ipfw.rules:
>>
>> #!/bin/sh
>> # Andrew L. Gould's firewall rules.
>>
>> fwcmd="/sbin/ipfw -q"
>>
>> ${fwcmd} -f flush
>>
>> # Basic rules that should not be changed
>> ${fwcmd} add 00100 pass all from any to any via lo0
>> ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
>> ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
>>
>> # Allow specified service requests in
>>
>> # ssh
>> ${fwcmd} add 00300 allow tcp from any to me 22
>> ${fwcmd} add 00301 allow udp from any to me 22
>>
>> Does anyone have any idea why the operation is timing out or what I have done wrong?
>
> You forgot the packets in the other direction... This should do the trick:
>
> ${fwcmd} add 00300 allow tcp from any to me 22
> ${fwcmd} add 00301 allow tcp from me 22 to any
>
> grtz,
> Daan

I have the firewall configured to let anything out. As noted above, I was able to connect from the server to the client using ssh. Here's the entirety of /etc/ipfw.rules:

#!/bin/sh
# Andrew L. Gould's firewall rules.

fwcmd="/sbin/ipfw -q"

${fwcmd} -f flush

${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any

# Allow specified service requests in

# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22

# irc
${fwcmd} add 00302 allow tcp from any to me 194
${fwcmd} add 00303 allow udp from any to me 194

# auth (ident)
${fwcmd} add 00304 allow tcp from any to me 113
${fwcmd} add 00305 allow udp from any to me 113

# ircd
${fwcmd} add 00310 allow tcp from any to me 6667

# Allow TCP connections that were initiated locally
${fwcmd} add 00400 check-state
${fwcmd} add 00402 allow tcp from any to any out setup keep-state

# Allow DNS and DHCP activities
${fwcmd} add 00500 allow udp from any 53 to any in recv dc0
${fwcmd} add 00501 allow udp from any 67 to any 68 in recv dc0
${fwcmd} add 00502 allow udp from any to any out

# Allow ICMP activities
${fwcmd} add 00600 allow icmp from any to any icmptype 0
${fwcmd} add 00601 allow icmp from any to any icmptype 3
${fwcmd} add 00602 allow icmp from any to any icmptype 4
${fwcmd} add 00603 allow icmp from any to any icmptype 8
${fwcmd} add 00604 allow icmp from any to any icmptype 11 in

${fwcmd} add 00901 deny tcp from any to any in established

${fwcmd} add 65535 deny all from any to any
#

Thanks,

Andrew Gould
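Why the server's SYN-ACK never gets out under the rule set above, as an added example that is not from the thread or from ipfw itself: a toy first-match model of rules 300, 400, 402 and 65535, with constructed addresses (192.0.2.10 standing in for ipfw's 'me', 198.51.100.7 as the client). It also runs Daan's stateless fix and a stateful 'in setup keep-state' variant, which is my suggestion and not something the thread proposes.

```python
from dataclasses import dataclass
from typing import Optional
ME, CLIENT = "192.0.2.10", "198.51.100.7"   # constructed: the server ('me' in ipfw) and a client

@dataclass
class Pkt:
    proto: str; src: str; sport: int; dst: str; dport: int
    direction: str                           # "in" or "out", as seen by the server
    syn: bool = False; ack: bool = False
@dataclass
class Rule:
    action: str                              # "allow", "deny" or "check-state"
    proto: str = "any"; src: str = "any"; sport: Optional[int] = None
    dst: str = "any"; dport: Optional[int] = None; direction: Optional[str] = None
    setup: bool = False                      # ipfw 'setup': SYN set, ACK clear
    keep_state: bool = False                 # ipfw 'keep-state': remember the flow
_host = lambda spec, addr: spec in ("any", addr) or (spec == "me" and addr == ME)

def matches(r, p):
    return ((r.proto in ("any", "ip") or r.proto == p.proto)
            and _host(r.src, p.src) and _host(r.dst, p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and r.direction in (None, p.direction)
            and (not r.setup or (p.syn and not p.ack)))
def filter_packet(rules, p, state):          # first match wins; 'state' = dynamic flows
    flow = (p.proto, p.src, p.sport, p.dst, p.dport)
    for r in rules:
        if (r.action == "check-state" or r.keep_state) and flow in state:
            return "allow"                   # dynamic rule hit: reply traffic passes
        if r.action == "check-state":
            continue                         # no dynamic match, keep walking
        if matches(r, p):
            if r.keep_state:                 # remember both directions of the flow
                state.update({flow, (p.proto, p.dst, p.dport, p.src, p.sport)})
            return r.action
    return "deny"                            # the thread's rule 65535

def ssh_handshake(rules):                    # verdicts for client SYN in, server SYN-ACK out
    state = set()
    syn = Pkt("tcp", CLIENT, 50000, ME, 22, "in", syn=True)
    syn_ack = Pkt("tcp", ME, 22, CLIENT, 50000, "out", syn=True, ack=True)
    return filter_packet(rules, syn, state), filter_packet(rules, syn_ack, state)

# Rules 300, 400 and 402 from Andrew's file: the SYN-ACK is neither 'setup' nor a tracked flow.
ORIGINAL = [Rule("allow", "tcp", dst="me", dport=22), Rule("check-state"),
            Rule("allow", "tcp", direction="out", setup=True, keep_state=True)]
# Daan's fix, rule 301 'allow tcp from me 22 to any': replies pass statelessly.
DAAN_FIX = ORIGINAL[:1] + [Rule("allow", "tcp", src="me", sport=22)] + ORIGINAL[1:]
# Stateful alternative (my suggestion, not in the thread): accept only SYNs to 22 and track the flow.
STATEFUL = [Rule("allow", "tcp", dst="me", dport=22, direction="in", setup=True, keep_state=True)] + ORIGINAL[1:]
```

Only the ipfw semantics the SSH case needs are modelled (protocol, addresses, ports, direction, setup, keep-state and check-state); ssh_handshake(ORIGINAL) returns ("allow", "deny") while both fixes return ("allow", "allow").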
Re: ipfw rules for letting ssh requests in
Does portmap have to be enabled to connect to sshd?

Thanks,

Andrew Gould
Re: ipfw rules for letting ssh requests in
Andrew L. Gould wrote:
> Does portmap have to be enabled to connect to sshd?

No
Re: ipfw rules for letting ssh requests in
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:
> You forgot the packets in the other direction... This should do the trick:
>
> ${fwcmd} add 00300 allow tcp from any to me 22
> ${fwcmd} add 00301 allow tcp from me 22 to any
>
> grtz,
> Daan

It worked.

Thanks,

Andrew Gould