Re: ipfw and ssh problem
Thanks Peter, will give that a try.

regards
Tongai

Peter wrote:

> ipfw -f flush - deletes all rules except the default which is usually
> 'deny from any to any'
>
> As soon as that gets processed, your sshd connection is killed as seen in
> the message up there:
> sshd[829]: fatal: Write failed: Permission denied
> With ssh dead, your shell is terminated and the rest of the script is
> never run, so you are stuck with a firewall that did not get any rules
> added to it.
>
> Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
> is what I've usually done.
>
> Or my favorite is to do the firewall from 'local console' using 'watch -W
> v4' so even if ssh is killed, the console is up to finish up the script.
> [ this works great for 'buildworld' too where I want to start it, pack my
> laptop and leave, reconnecting later ]
>
> With quiet mode, ssh is not sending anything back, so the connection is
> not terminated.
>
> ]Peter[

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: ipfw and ssh problem
On 26 March 2010 08:02, Peter wrote:
> ipfw -f flush - deletes all rules except the default which is usually
> 'deny from any to any'
> [...]

The default deny can be a pain; there are two ways around it I have used in
the past.

1. Compile the kernel module with the following options:

   options IPFIREWALL_DEFAULT_TO_ACCEPT

2. Install screen, open a screen session and run
   "ipfw -f ; ipfw add 1 allow all from any to any"; the screen session is
   important as it will guarantee the completion of the command.

It's also worth looking at pf, as its configuration is a lot easier than
ipfw, especially NATing. The macros and table functions are also a very good
way to write small compact rule sets.
Re: ipfw and ssh problem
> Hi guys,
>
> I have searched everywhere and failed to find a solution, hence I write
> you.
> [...]
> The problem I have is this, if I am on the box I can restart my firewall
> with no problem, but when I log in remotely and restart the firewall for
> reason I am locked out and can not ssh into it.
>
> Below is the messages log:
> [...]
> Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
> [...]
>
> please help
>
> regards
> Tongai

ipfw -f flush - deletes all rules except the default which is usually
'deny from any to any'

As soon as that gets processed, your sshd connection is killed as seen in
the message up there:
sshd[829]: fatal: Write failed: Permission denied
With ssh dead, your shell is terminated and the rest of the script is
never run, so you are stuck with a firewall that did not get any rules
added to it.

Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
is what I've usually done.

Or my favorite is to do the firewall from 'local console' using 'watch -W
v4' so even if ssh is killed, the console is up to finish up the script.
[ this works great for 'buildworld' too where I want to start it, pack my
laptop and leave, reconnecting later ]

With quiet mode, ssh is not sending anything back, so the connection is
not terminated.

]Peter[
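Peter's point is that the lockout is a race inside the reload script: once the flush has run only the default deny is left, so the next thing sshd tries to write fails (the firewall's drop comes back to the socket as EACCES, "Permission denied"), sshd exits, the shell dies with it and the remaining rules are never added. Every fix offered in the thread removes the reload's dependency on the session: `-q` so nothing is written back, `> /dev/null`, a console `watch`, or a screen session. The script below is an added example, not from the thread and not FreeBSD's rc.firewall: it checks a command file in the format Tongai posted for a rule after the flush that would let an existing ssh session survive, then hands the whole file to one `ipfw -q` process (ipfw(8) reads a file of commands given as its last argument, which is also what rc.firewall does when firewall_type names a file), so the shell never sits between the flush and the rules that follow it. The two rule files and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread and not FreeBSD's rc.firewall): check an
# ipfw command file before reloading it over ssh, then load it with a single
# quiet ipfw process. The file format is the one Tongai posted: one ipfw
# command per line, without the leading "ipfw", normally starting with
# "-f flush". Function names and sample files are mine.

# first_keepalive_rule FILE
# Prints the first rule added after the flush that lets an already
# established ssh session keep passing traffic, and returns 0. Prints
# nothing and returns 1 if there is none (a reload over ssh would then
# leave the session with only the default deny). Counted as keep-alive:
# an "established" allow, a check-state, or an allow to tcp port 22/ssh.
# An outbound keep-state rule like Tongai's rule 100 is deliberately not
# counted: inbound packets only match it once the next outbound packet has
# created a dynamic entry, so the check stays conservative.
first_keepalive_rule() {
    file=$1
    # If the file never flushes, nothing is lost, so every rule counts.
    if grep -q flush "$file"; then seen_flush=0; else seen_flush=1; fi
    while IFS= read -r line; do
        case $line in
            ''|\#*) continue ;;                  # blank line or comment
            *flush*) seen_flush=1; continue ;;   # rules before this are gone anyway
        esac
        [ "$seen_flush" -eq 1 ] || continue
        case $line in
            *allow*tcp*established*|*check-state*|*allow*tcp*" 22 "*|*allow*tcp*" 22"|*allow*tcp*" ssh "*|*allow*tcp*" ssh")
                printf '%s\n' "$line"
                return 0 ;;
        esac
    done < "$file"
    return 1
}

# load_ruleset FILE
# Refuses a file that leaves the ssh session no path through the new rules,
# then loads it with ONE quiet ipfw process: "ipfw -q FILE" reads the whole
# command file itself, so no shell command runs between the flush and the
# rules after it, and -q suppresses the per-command echo that would be
# written back over the (temporarily denied) ssh connection. nohup keeps
# ipfw running even if sshd does go away.
load_ruleset() {
    file=$1
    rule=$(first_keepalive_rule "$file") || {
        echo "refusing to load $file: no rule after the flush keeps ssh alive" >&2
        return 1
    }
    echo "first rule that keeps the session alive: $rule"
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found on this host; would run: nohup ipfw -q $file" >&2
        return 2
    fi
    nohup ipfw -q "$file" >/dev/null 2>&1
}

# Constructed sample files, modelled on Tongai's /etc/firewall_rules.
tmpdir=$(mktemp -d)
good_rules=$tmpdir/good.rules
bad_rules=$tmpdir/bad.rules
cat > "$good_rules" <<'EOF'
-f flush
# Let me talk out
add 100 allow all from me to any out keep-state
# Allow established sessions
add 2000 allow tcp from any to any established
add 2002 check-state
EOF
cat > "$bad_rules" <<'EOF'
-f flush
add 100 allow all from me to any out keep-state
add 101 allow icmp from any to any via any
EOF

# Demo: only the check runs here, so running the example never touches a
# live firewall. On the box itself: load_ruleset /etc/firewall_rules
for f in "$good_rules" "$bad_rules"; do
    if rule=$(first_keepalive_rule "$f"); then
        echo "$f: ok, session survives via: $rule"
    else
        echo "$f: would lock out the ssh session (nothing after the flush keeps it alive)"
    fi
done
```

The single-process property is the same one rc.firewall relies on when firewall_type names a file and firewall_quiet is YES; the pre-flight check is belt and braces for a file that simply forgot the `established` or `check-state` rule, which no amount of quiet loading would fix.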
ipfw and ssh problem
Hi guys,

I have searched everywhere and failed to find a solution, hence I write
you.
I have installed 8.0-RELEASE

FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

together with ipfw. The problem I have is this, if I am on the box I can
restart my firewall with no problem, but when I log in remotely and
restart the firewall for reason I am locked out and can not ssh into it.

Below is the messages log:

Mar 25 14:51:04 panadine kernel: Trying to mount root from ufs:/dev/ad4s1a
Mar 25 14:51:04 panadine kernel: ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled
Mar 25 14:51:06 panadine kernel: ae0: link state changed to UP
Mar 25 14:51:16 panadine ntpd[645]: ntpd 4.2.4p5-a (1)
Mar 25 14:51:17 panadine nrpe[698]: Starting up daemon
Mar 25 14:51:25 panadine ntpd[646]: kernel time sync status change 2001
Mar 25 14:51:32 panadine su: systz to root on /dev/pts/0
Mar 25 15:01:46 panadine kernel: ifa_del_loopback_route: deletion failed
Mar 25 15:01:46 panadine kernel: ae0: link state changed to DOWN
Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
Mar 25 15:01:48 panadine kernel: ae0: link state changed to UP

Here are a few lines from my /etc/firewall_rules:

# vim: set syntax=pf :

-f flush

# Let me talk out
add 100 allow all from me to any out keep-state
add 101 allow icmp from any to any via any
add 102 allow udp from any to any 33434-33523

# Deal with loopback
#add 1000 allow all from any to any via lo0
add 1001 deny ip from any to 127.0.0.0/8
add 1002 deny ip from 127.0.0.0/8 to any

# Allow established and fragmented sessions
add 2000 allow tcp from any to any established
add 2001 allow ip from any to any frag
add 2002 check-state
add 2003 allow icmp from any to any

I have enabled net.inet.ip.fw.verbose=1 in /etc/sysctl.conf

please help

regards
Tongai
Re: Problems with ipfw and ssh
Thanks,

On 12/10/06, Chris <[EMAIL PROTECTED]> wrote:
> The thing is... I generally have the kernel setup to allow by default. Then
> I create rules denying traffic as I either know up front, or can deduct from
> logging a last rule denying traffic. IE: the rule you have set to allow any,
> my same rule is deny any. This way I can create allow and deny rules
> earlier, then view my log to see what items are still being denied via
> /var/log/security. This will allow you to concentrate on what items may be
> causing the problem.
>
> I know I had some issues with IPFW working for about 15 minutes, then
> dying. It was due to me not having any rules allowing MAC, or layer2
> traffic. You'll see this if you set your logging up properly with an ending
> rule just before the last one.

I see.. Yes, what you suggest is a better idea and I think now it is even
more clear why the manual suggests to start by allowing everything. I had it
different in my mind but still I don't think I wasted my time.

I also have in mind the layer2, ARP etc traffic and I also think of using
snort's output to create better rules. However I am stuck with the ssh rule
since I mainly want to work remotely on this. I will go for it in the way you
suggest.

Thanks,
Spiros

p.s. Apologies for messing with the recipients.. I tried not to include the
ipfw list after the first post, but it was in someone's reply to me.. etc..
sorry

> On Thursday 12 October 2006 20:22, Spiros Papadopoulos wrote:
> > Thanks for your replies,
> >
> > On 12/10/06, *Chris* <[EMAIL PROTECTED]> wrote:
> > > If you have your kernel set to deny all by default, you can set a rule
> > > number 65534 to allow any to any as rule 65535 will deny any to any.
> > > Then work your way back from there.
> >
> > Could you please make the above last part of your thought more clear for
> > me? I already have done what you said and I can su normally. So there is
> > definitely something that must be allowed before which I am not aware of
> > and from the messages and behaviour I get I cannot identify.
> > On 12/10/06, vladone <[EMAIL PROTECTED]> wrote:
> > > Hello Spiros,
> > >
> > > Thursday, October 12, 2006, 12:53:28 AM, you wrote:
> > > > [...]
> > >
> > > Isn
Re: Problems with ipfw and ssh
Hi again,

On 12/10/06, Garrett Cooper <[EMAIL PROTECTED]> wrote:
> Based on all the docs I've read about using ipfw, you should put "ipfw
> allow all any from any via lo0" somewhere at the top of your script so all
> traffic can and will be sent via lo0.

I think you are talking about the line below, is this right?

/sbin/ipfw -q add 50 allow all from any to any via lo0

It is there.. this is the first line to be met by packets in my
/etc/ipfw.rules script; it is also one of the default rules coming in the
/etc/rc.firewall script ...where I copied it from.

On 12/10/06, *Chris - WEBignite* <[EMAIL PROTECTED]> wrote:
> I've actually just started seeing this same error. I do have a rule set
> for local 127.0.0.1 and an allow for layer2 traffic.
>
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied
>
> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection
> without trouble.

Could you please let me know what FreeBSD version you are using?

On 12/10/06, *Giorgos Keramidas* <[EMAIL PROTECTED]> wrote:
> Yes. See above. The `ipfw -d show' command shown there was after I
> looped using SSH from my workstation to another system and back again.
>
> > Sorry I will not be able to reply again tonight
>
> No problem. Take your time.
>
> There is definitely a logical explanation why this is happening, even if
> that explanation is `there is a bug in ipfw and 5.4' :)

I turned on the laptop and now everything is working again, as I initially
described (I don't have a clue what happened yesterday).
I can ssh to the machine as a normal user but cannot su to root. When trying
(from a Windows machine) with putty, it freezes immediately after I enter
the root password and the message below is produced on the FreeBSD box:

Oct 12 17:58:52 user sshd[838]: fatal: Write failed: Permission denied

It is sshd that produces the above, but still I cannot identify what it is
trying to do and why permission is denied.
I have the option PermitRootLogins=No in my /etc/ssh/sshd_config file, but
it was working properly before I enabled ipfw.

Do you think it is a good idea to take ipfw out of the kernel and try
enabling it from /etc/rc.conf? Anyway I think I should wait a little more
before I proceed with this.

Do you think that this is a bug?

Thanks in advance
Spiros
Re: Problems with ipfw and ssh
On 12/10/06, Chris - WEBignite <[EMAIL PROTECTED]> wrote:
> I've actually just started seeing this same error. I do have a rule set
> for local 127.0.0.1 and an allow for layer2 traffic.
>
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

Yes, this is exactly the same message I got.

> I get this error when updating my firewall rules via ssh. Any current ssh
> connections are dropped, but I'm able to reinitiate a new connection
> without trouble.
>
> -Chris

The only difference is that I could not su to root so I could not update any
rules remotely. I could login to a normal user account properly though.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Jose
> Sent: Wednesday, October 11, 2006 8:41 PM
> To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: RE: Problems with ipfw and ssh
>
> Hi,
>
> Just a suggestion/query: Do you have your localhost/127.0.0.1 rules
> defined to allow all traffic?

Well actually I copied the following rules from /etc/rc.firewall plus the
comment (..because of the comment!) without thinking of it too much and I
consider them trusty and I never thought they could cause any problem.
Are you suggesting that these rules may be the reason for this?

# Only in rare cases do you want to change these rules
${addcmd} 50 allow all from any to any via lo0
${addcmd} 100 deny all from any to 127.0.0.0/8
${addcmd} 150 deny ip from 127.0.0.0/8 to any

Unfortunately I will not be on the machine for the next 7 or so hrs.

> Cheers
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Spiros Papadopoulos
> Sent: Thursday, 12 October 2006 7:53 AM
> To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: Problems with ipfw and ssh
>
> [...]

--
Spiros Papadopoulos
RE: Problems with ipfw and ssh
I've actually just started seeing this same error. I do have a rule set for
local 127.0.0.1 and an allow for layer2 traffic.

Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

I get this error when updating my firewall rules via ssh. Any current ssh
connections are dropped, but I'm able to reinitiate a new connection without
trouble.

-Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Jose
Sent: Wednesday, October 11, 2006 8:41 PM
To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: RE: Problems with ipfw and ssh

Hi,

Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined
to allow all traffic?

Cheers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh

[...]
RE: Problems with ipfw and ssh
Hi,

Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined
to allow all traffic?

Cheers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh

Hi,

I am trying to configure a firewall using ipfw for a machine running FreeBSD
5.4. Without NAT.
I am nearly a newbie on this (since I never had time until now..) but still I
believe I understand exactly the concepts and what needs to be done.
Except the manual page and chapter 26.1 in the handbook I am using good
references such as:
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where I get
the problem:

Initially I can connect properly using a normal user account.
When later I am trying to su to root it does nothing and the connection
closes.

I have ipfw enabled in the kernel to deny everything by default.
I have used both (one at a time) the following rules concerning ssh, in
/etc/ipfw.rules and also other combinations, such as taking off setup and
keep-state etc etc which would then make my firewall stateless as far as I
understood, which is something I don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
-
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) I found this post:
http://www.freebsdforums.org/forums/showthread.php?t=21876
where from, I cannot realize what is wrong or how to fix this.

I ran sshd in debug mode and below is the portion for when I am trying to su
to root:

/* sshd -d */
Write failed: Permission denied
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

/* line from /var/log/messages */
Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

/* /var/log/auth.log */
Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
Sep 26 10:17:49 username su: user to root on /dev/ttyp4
Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a socket? I cannot see what it is trying to do and
the permission is denied (of course maybe it is in front of me..but..)
Could anyone please advise?

Thanks in advance
Spiros

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Problems with ipfw and ssh
On 2006-10-12 01:31, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
>On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
>> ,
>> | [EMAIL PROTECTED]:/home/giorgos$ su -
>> | Password:
>> | [EMAIL PROTECTED]:/root# ipfw -d show
>> | 00050 168 30828 allow ip from any to any via lo0
>> | 00100 0 0 deny ip from any to 127.0.0.0/8
>> | 00150 0 0 deny ip from 127.0.0.0/8 to any
>> | 00200 0 0 check-state
>> | 00210 881 129402 allow tcp from me to any setup keep-state
>> | 00211 8965 allow udp from me to any keep-state
>> | 00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
>> | 00212 0 0 allow icmp from me to any
>> | 00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
>> | 00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
>> | 00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
>> | 65535 154 35966 deny ip from any to any
>> | ## Dynamic rules (12):
>> | [EMAIL PROTECTED]:/root#
>> `
>>
>> The only changes I made are:
>>
>> * Use 'any' instead of xx.xxx.x.xx as the UDP address.
>>
>> * Change ${ip} to my own address
>>
>> * Change ${nic} to my own interface name
>>
>> I can connect to other hosts and ssh back into my workstation
>> with this ruleset :-/
>>
>> Sorry, but I'm not sure why in your case this fails to work.
>
> Now this is strange. I will try again tomorrow evening more
> carefully and I will post any results.
>
> Initially I sent the mail because of the failure to su as root
> (as described also in that post I referenced) after I was
> logging in as normal user canonically. So it was working as you
> said. But can you su to root after connecting?

Yes. See above. The `ipfw -d show' command shown there was after I
looped using SSH from my workstation to another system and back again.

> Sorry I will not be able to reply again tonight

No problem. Take your time.

There is definitely a logical explanation why this is happening, even if
that explanation is `there is a bug in ipfw and 5.4' :)
Re: Problems with ipfw and ssh
On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> > I started yesterday playing with it / testing it, but since i
> > want to do most of the work remotely, i stuck on this rule and
> > feel like keep looking until i find the solution. I paste the
> > whole script here just in case something else is wrong... Here
> > is my ipfw.rules file:
> >
> > /** Sorry for the delay. In the meanwhile, just before sent the
> > mail something else happened. Taking in account what you told
> > me about the "state" keyword, i added it to the rule 300. Then
> > i could not connect at all. I tried to take it off again, but
> > surprisingly it still doesn't allow any connections at all (not
> > even the user this time), hmmm... I am sending it as it was
> > initially, which from yesterday until my first e-mail it was
> > working as described previously... Now also when i run the
> > script with the "allowall" option gives me problems, when it
> > was working before. I can ping the machine and get replies but
> > i cannot ssh to it. It seems that i am doing something wrong
> > but cannot identify where */
> >
> > #!/bin/sh
> >
> > # rules command prefix
> > addcmd="/sbin/ipfw -q add"
> >
> > # and the interface
> > if="xl0"
> >
> > # details of this computer
> > ip="192.168.1.199"
> > net="192.168.1.0"
> > mask="255.255.255.0"
> > bcast="192.168.1.255"
> >
> > nic="sk0"
> > ks="keep-state"
> >
> > # Flush out the list
> > /sbin/ipfw -q -f flush
> >
> > if [ "$1" = "allowall" ]
> > then
> >     ${addcmd} 100 allow all from any to any via ${nic}
> >     exit 0
> > else
> >     # Only in rare cases do you want to change these rules
> >     ${addcmd} 50 allow all from any to any via lo0
> >     ${addcmd} 100 deny all from any to 127.0.0.0/8
> >     ${addcmd} 150 deny ip from 127.0.0.0/8 to any
>
> These look ok.
>
> >     # At the moment don't allow it
> >     #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
> >     #${addcmd} 500 allow all from ${net}:${mask} to ${ip}
>
> Not sure why these are needed (but they are commented out).

They are meant to allow all traffic from net 192.168.1.0 and were
commented out temporarily. I just sent the script as it was.

> >     # Allow only specific stuff and maintain the firewall for as long
> >     # as needed to become tough enough
> >
> >     # check state and keep it
> >     ${addcmd} 200 check-state
> >
> >     ${addcmd} 210 allow tcp from me to any setup ${ks}
> >     ${addcmd} 211 allow udp from me to any ${ks}
> >
> >     ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
> >     ${addcmd} 212 allow icmp from me to any
> >
> >     # Allow Traffic to my ISP DNS server
> >     ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
> >     ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
> >
> >     # Allow ssh from anywhere
> >     #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
> >     #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
> >     ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
> >     # Everything else is denied
> >     ${addcmd} 65535 deny all from any to ${ip}
> >     exit 0
> > fi
>
> You seem to be missing a 'setup' keyword in the ssh rule :-/
>
> I just loaded your own ruleset (with ${ip} and ${nic} set to local
> values) on a FreeBSD 7.0-CURRENT system here. They work fine, as far
> as I can tell:
>
> ,
> | [EMAIL PROTECTED]:/home/giorgos$ su -
> | Password:
> | [EMAIL PROTECTED]:/root# ipfw -d show
> | 00050   168  30828 allow ip from any to any via lo0
> | 00100     0      0 deny ip from any to 127.0.0.0/8
> | 00150     0      0 deny ip from 127.0.0.0/8 to any
> | 00200     0      0 check-state
> | 00210   881 129402 allow tcp from me to any setup keep-state
> | 00211  8965 allow udp from me to any keep-state
> | 00212     0      0 allow icmp from any to me icmptypes 0,3,4,11
> | 00212     0      0 allow icmp from me to any
> | 00250     0      0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
> | 00251     0      0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
> | 00300   649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
> | 65535   154  35966 deny ip from any to any
> | ## Dynamic rules (12):
> | [EMAIL PROTECTED]:/root#
> `
>
> The only changes I made are:
>
> * Use 'any' instead of xx.xxx.x.xx as the UDP address.
> * Change ${ip} to my own address
> * Change ${nic} to my own interface name
>
> I can connect to other hosts and ssh back into my workstation
> with this ruleset :-/
>
> Sorry, but I'm not sure why in your case this fails to work.

Now this is strange. I will try again tomorrow evening more
carefully and i will post any results.

Initially i sent the mail because of the failure to su as root
(as described also in that post i referenced) after i was
logging in as normal user canonically. So it was working as you
Re: Problems with ipfw and ssh
On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> I started yesterday playing with it / testing it, but since i
> want to do most of the work remotely, i stuck on this rule and
> feel like keep looking until i find the solution. I paste the
> whole script here just in case something else is wrong... Here
> is my ipfw.rules file:
>
> /** Sorry for the delay. In the meanwhile, just before sent the
> mail something else happened. Taking in account what you told
> me about the "state" keyword, i added it to the rule 300. Then
> i could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail it was
> working as described previously... Now also when i run the
> script with the "allowall" option gives me problems, when it
> was working before. I can ping the machine and get replies but
> i cannot ssh to it. It seems that i am doing something wrong
> but cannot identify where */
>
> #!/bin/sh
>
> # rules command prefix
> addcmd="/sbin/ipfw -q add"
>
> # and the interface
> if="xl0"
>
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
>
> nic="sk0"
> ks="keep-state"
>
> # Flush out the list
> /sbin/ipfw -q -f flush
>
> if [ "$1" = "allowall" ]
> then
>     ${addcmd} 100 allow all from any to any via ${nic}
>     exit 0
> else
>     # Only in rare cases do you want to change these rules
>     ${addcmd} 50 allow all from any to any via lo0
>     ${addcmd} 100 deny all from any to 127.0.0.0/8
>     ${addcmd} 150 deny ip from 127.0.0.0/8 to any

These look ok.

>     # At the moment don't allow it
>     #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
>     #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

Not sure why these are needed (but they are commented out).

>     # Allow only specific stuff and maintain the firewall for as long
>     # as needed to become tough enough
>
>     # check state and keep it
>     ${addcmd} 200 check-state
>
>     ${addcmd} 210 allow tcp from me to any setup ${ks}
>     ${addcmd} 211 allow udp from me to any ${ks}
>
>     ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
>     ${addcmd} 212 allow icmp from me to any
>
>     # Allow Traffic to my ISP DNS server
>     ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
>     ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
>
>     # Allow ssh from anywhere
>     #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
>     #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
>     ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
>     # Everything else is denied
>     ${addcmd} 65535 deny all from any to ${ip}
>     exit 0
> fi

You seem to be missing a 'setup' keyword in the ssh rule :-/

I just loaded your own ruleset (with ${ip} and ${nic} set to local
values) on a FreeBSD 7.0-CURRENT system here. They work fine, as far
as I can tell:

,
| [EMAIL PROTECTED]:/home/giorgos$ su -
| Password:
| [EMAIL PROTECTED]:/root# ipfw -d show
| 00050   168  30828 allow ip from any to any via lo0
| 00100     0      0 deny ip from any to 127.0.0.0/8
| 00150     0      0 deny ip from 127.0.0.0/8 to any
| 00200     0      0 check-state
| 00210   881 129402 allow tcp from me to any setup keep-state
| 00211  8965 allow udp from me to any keep-state
| 00212     0      0 allow icmp from any to me icmptypes 0,3,4,11
| 00212     0      0 allow icmp from me to any
| 00250     0      0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251     0      0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300   649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535   154  35966 deny ip from any to any
| ## Dynamic rules (12):
| [EMAIL PROTECTED]:/root#
`

The only changes I made are:

* Use 'any' instead of xx.xxx.x.xx as the UDP address.
* Change ${ip} to my own address
* Change ${nic} to my own interface name

I can connect to other hosts and ssh back into my workstation
with this ruleset :-/

Sorry, but I'm not sure why in your case this fails to work.
Re: Problems with ipfw and ssh
Giorgo thanks for the immediate reply,

I started yesterday playing with it / testing it, but since i want to
do most of the work remotely, i stuck on this rule and feel like keep
looking until i find the solution. I paste the whole script here just
in case something else is wrong... Here is my ipfw.rules file:

/** Sorry for the delay. In the meanwhile, just before sent the mail
something else happened. Taking in account what you told me about the
"state" keyword, i added it to the rule 300. Then i could not connect
at all. I tried to take it off again, but surprisingly it still
doesn't allow any connections at all (not even the user this time),
hmmm... I am sending it as it was initially, which from yesterday
until my first e-mail it was working as described previously... Now
also when i run the script with the "allowall" option gives me
problems, when it was working before. I can ping the machine and get
replies but i cannot ssh to it. It seems that i am doing something
wrong but cannot identify where */

#!/bin/sh

# rules command prefix
addcmd="/sbin/ipfw -q add"

# and the interface
if="xl0"

# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"

nic="sk0"
ks="keep-state"

# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
then
    ${addcmd} 100 allow all from any to any via ${nic}
    exit 0
else
    # Only in rare cases do you want to change these rules
    ${addcmd} 50 allow all from any to any via lo0
    ${addcmd} 100 deny all from any to 127.0.0.0/8
    ${addcmd} 150 deny ip from 127.0.0.0/8 to any

    # At the moment don't allow it
    #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
    #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

    # Allow only specific stuff and maintain the firewall for as long
    # as needed to become tough enough

    # check state and keep it
    ${addcmd} 200 check-state

    ${addcmd} 210 allow tcp from me to any setup ${ks}
    ${addcmd} 211 allow udp from me to any ${ks}

    ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
    ${addcmd} 212 allow icmp from me to any

    # Allow Traffic to my ISP DNS server
    ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
    ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}

    # Allow ssh from anywhere
    #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
    #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
    # Everything else is denied
    ${addcmd} 65535 deny all from any to ${ip}
    exit 0
fi

Thanks
Spiros

On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> I removed freebsd-ipfw from the recipient list. Please keep `general'
> questions in freebsd-questions. The freebsd-ipfw list is, as far as I
> know, used for *development* of IPFW; not questions.
>
> On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I am trying to configure a firewall using ipfw for a machine running
> > FreeBSD 5.4. Without NAT.
> >
> > I am nearly a newbie on this (since i never had time until now..) but
> > still i believe i understand exactly the concepts and what needs to be
> > done. Except the manual page and chapter 26.1 in the handbook I am
> > using good references such as:
> >
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> >
> > I need to connect remotely to the machine using ssh and this is where
> > i get the problem:
> >
> > Initially i can connect properly using a normal user account. When
> > later i am trying to su to root it does nothing and the connection
> > closes.
>
> Can you show us the full IPFW ruleset you are using?
>
> > I have ipfw enabled in the kernel to deny everything by default. I
> > have used both (one at a time) the following rules concerning ssh, in
> > /etc/ipfw.rules and also other combinations, such as taking off setup
> > and keep-state etc etc which would then make my firewall stateless as
> > far as i understood, which is something i don't want anyway.
> >
> > ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> > -
> > ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
>
> The second seems wrong, unless you also have 'setup' rules elsewhere.
>
> > In a first investigation (not thorough) i found this post:
> > http://www.freebsdforums.org/forums/showthread.php?t=21876
> > where from, i cannot realize what is wrong or how to fix this.
>
> The initial ruleset of this forum thread has a few bugs, which I'm not
> interested in pointing out one by one right now. Just ignore most of it.
>
> > I run the sshd in debug mode and below is the portion, for when i am
> > trying to su to root
> >
> > /* sshd -d */
> > Write failed: Permission denied
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: session_pty_cleanup: session 0 release /
Re: Problems with ipfw and ssh
I removed freebsd-ipfw from the recipient list. Please keep `general'
questions in freebsd-questions. The freebsd-ipfw list is, as far as I
know, used for *development* of IPFW; not questions.

On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to configure a firewall using ipfw for a machine running
> FreeBSD 5.4. Without NAT.
>
> I am nearly a newbie on this (since i never had time until now..) but
> still i believe i understand exactly the concepts and what needs to be
> done. Except the manual page and chapter 26.1 in the handbook I am
> using good references such as:
>
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
>
> I need to connect remotely to the machine using ssh and this is where
> i get the problem:
>
> Initially i can connect properly using a normal user account. When
> later i am trying to su to root it does nothing and the connection
> closes.

Can you show us the full IPFW ruleset you are using?

> I have ipfw enabled in the kernel to deny everything by default. I
> have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules and also other combinations, such as taking off setup
> and keep-state etc etc which would then make my firewall stateless as
> far as i understood, which is something i don't want anyway.
>
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

The second seems wrong, unless you also have 'setup' rules elsewhere.

> In a first investigation (not thorough) i found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> where from, i cannot realize what is wrong or how to fix this.

The initial ruleset of this forum thread has a few bugs, which I'm not
interested in pointing out one by one right now. Just ignore most of it.

> I run the sshd in debug mode and below is the portion, for when i am
> trying to su to root
>
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7

Now we're getting somewhere. Please post your *FULL* ipfw ruleset so we
can try to find out why/when/where packets can be blocked.
Problems with ipfw and ssh
Hi,

I am trying to configure a firewall using ipfw for a machine running
FreeBSD 5.4. Without NAT.

I am nearly a newbie on this (since i never had time until now..) but
still i believe i understand exactly the concepts and what needs to be
done. Except the manual page and chapter 26.1 in the handbook I am
using good references such as:

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where
i get the problem:

Initially i can connect properly using a normal user account. When
later i am trying to su to root it does nothing and the connection
closes.

I have ipfw enabled in the kernel to deny everything by default. I
have used both (one at a time) the following rules concerning ssh, in
/etc/ipfw.rules and also other combinations, such as taking off setup
and keep-state etc etc which would then make my firewall stateless as
far as i understood, which is something i don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
-
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) i found this post:
http://www.freebsdforums.org/forums/showthread.php?t=21876
where from, i cannot realize what is wrong or how to fix this.

I run the sshd in debug mode and below is the portion, for when i am
trying to su to root

/* sshd -d */
Write failed: Permission denied
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

/* line from /var/log/messages */
Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

/* /var/log/auth.log */
Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
Sep 26 10:17:49 username su: user to root on /dev/ttyp4
Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a socket? I cannot see what it is trying to do
and the permission is denied (of course maybe it is in front of me..
but..)

Could anyone please advise?

Thanks in advance
Spiros
Re: ipfw and ssh
Okay Anthony,

Here is a bit more detail on your IPFW setup. Here is the section of
rc.firewall that is relevant to what we've discussed. View this in HTML
mode if you can. I've highlighted changes in red and my own comments in
blue.

I also noticed that you use a Netgear router in your setup. You need to
make sure that you pass port 22 inbound connections through your Netgear
router to your FreeBSD system. That would be a setup on your Netgear
system.

        # set these to your network and netmask and ip
        net="192.0.2.0"       # This should be set to your internal network's address.
                              # Most home firewalls and routers use 192.168.1.0
        mask="255.255.255.0"  # This should be your internal network's netmask.
                              # Most home firewalls and routers use 255.255.255.0
        ip="192.0.2.1"        # This should be your local machine's IP address.
                              # If you are using DHCP to assign an address to your
                              # system, this will not work as written. Fortunately,
                              # IPFW now supports the meta-address 'me', which
                              # resolves to all your local addresses.

        setup_loopback

        # Allow any traffic to or from my own net.
        # This allows all computers on your network to talk to your
        # computer without any restrictions.
        ${fwcmd} add pass all from ${ip} to ${net}:${mask}
        ${fwcmd} add pass all from ${net}:${mask} to ${ip}

        # Allow TCP through if setup succeeded.
        # This allows any existing TCP connections to work. This way you
        # only need one rule (setup) for each inbound service you want.
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email.
        # This one allows outside systems to send e-mail to your system.
        # If you aren't running a mail server you may want to remove this
        # line. This is also the line we are going to copy to allow your
        # ssh server to work.
        ${fwcmd} add pass tcp from any to ${ip} 25 setup

        # Allow inbound connections to my ssh server.
        # This will allow anyone access to my system through SSH provided
        # they can authenticate.
        ${fwcmd} add pass tcp from any to ${ip} 22 setup

        # Allow setup of outgoing TCP connections only.
        # This is what lets you initiate sessions with other systems
        # (like http, and ssh)
        ${fwcmd} add pass tcp from ${ip} to any setup

        # Disallow setup of all other TCP connections.
        # If you put any TCP stuff after this it won't work because this
        # line prevents all further TCP rules from being applied.
        ${fwcmd} add deny tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from ${ip} to any 53 keep-state

        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from ${ip} to any 123 keep-state

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.

On Wednesday 05 April 2006 22:27, Anthony M. Agelastos wrote:
> Thank you for your very prompt reply. I tried your suggestion and it
> didn't work. I do not know why. Is the location where I place this in
> the client profile important?
>
> I have also tried the person's actual IP address as well as the IP
> address of the router (just in case it is not doing something weird)
> to no avail.
>
> What is the easiest way of making changes to the firewall rules and
> applying them so I do not have to reboot each time? I assume a
> kldunload ipfw.ko and then a kldload ipfw.ko should do it, but I
> don't want to risk doing something incorrect while I am trying to
> debug my current problem.
>
> On Apr 5, 2006, at 10:08 PM, Ean Kingston wrote:
> > You neglected to include the 'add' in your first fwcmd.
> >
> > You may want to try something simple to start with. I haven't used
> > ipfw in a while so hopefully my syntax is still good. Here is a simple
> > starting point:
> >
> > # Allow person SSH access
> > mip="xxx.xxx.xxx.xxx" # IP Address of person
> > ${fwcmd} add allow tcp from ${mip} to me 22 in # allow connection to ssh
> > ${fwcmd} add allow tcp from me 22 to ${mip} out # allow me to respond
> >
> > I think all you really need is this:
> >
> > # Allow setup of incoming ssh
> > ${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup
> >
> > Since the rest of it should be taken care of by the rest of the
> > 'client' ipfw setup.
> >
> > On Wednesday 05 April 2006 21:50, Anthony M.Agelastos wrote:
> > > Hello everyone,
> > >
> > > Allow me to preface my problem by saying that I am very ignorant when
> > > it comes to networking. I do apologize if this is trivial. In any
> > > event, I enabled the "client" ipfw firewall located in
> > > /etc/rc.firewall. This appears to work well for my needs... except
> > > for one additional item. I need someone outside of my network to
> > > have SSH access to my machine
Re: ipfw and ssh
On Thursday 06 April 2006 03:27, Anthony M. Agelastos wrote:
> What is the easiest way of making changes to the firewall rules and
> applying them so I do not have to reboot each time? I assume a
> kldunload ipfw.ko and then a kldload ipfw.ko should do it, but I
> don't want to risk doing something incorrect while I am trying to
> debug my current problem.

/etc/rc.d/ipfw restart

and watch out for any error messages
Re: ipfw and ssh
On Thursday 06 April 2006 02:50, Anthony M. Agelastos wrote:
> Hello everyone,
>
> Allow me to preface my problem by saying that I am very ignorant when
> it comes to networking. I do apologize if this is trivial. In any
> event, I enabled the "client" ipfw firewall located in
> /etc/rc.firewall. This appears to work well for my needs... except for
> one additional item. I need someone outside of my network to have SSH
> access to my machine. I know his/her IP address. So, I have added
> some additional items to rc.firewall for this. Here is what I added.
>
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx"
> ${fwcmd} allow tcp from any to any 22 out setup keep-state
> ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2

The client script is set up to handle tcp by static rules. If you want
to mix static and dynamic tcp rules (ie limits) you will need to add a
check-state line before the comment:

"Allow TCP through if setup succeeded"

otherwise your dynamic rules will never see any established traffic and
will time out.

Also there is a static rule already to allow all outgoing tcp
connections, so you don't need a stateful one for port 22.

However, none of the above should prevent an ssh login. If I were you
I'd start with just:

${fwcmd} add pass tcp from any to any ssh setup

and work from there. You need to be methodical when troubleshooting
firewalls.
Re: ipfw and ssh
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx"
> ${fwcmd} allow tcp from any to any 22 out setup keep-state

I see two reasons that egress sshd traffic will not match the above
rule. The destination port is incorrect and a syn/ack will not match.

> ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
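A worked model of the rule semantics the replies in this thread argue about (Giorgos's "missing setup keyword", Ean's one-setup-rule-per-service explanation of the rc.firewall client profile, and the "a syn/ack will not match" remark directly above). This is an added example, not ipfw code and not from any message in the thread. In ipfw, `setup` matches only a SYN without ACK, `established` matches any segment carrying ACK or RST, and a `keep-state` rule creates a dynamic entry for whatever packet it matched. Three consequences are traced below: the client profile needs a `setup` rule for port 22 ahead of `deny tcp from any to any setup`, after which its `established` rule carries the rest of the session; a rule written with `setup` can never match the SYN/ACK sshd sends back, so an outbound `setup keep-state` rule for port 22 does nothing for an inbound login; and Spiros's `allow tcp from any to any ssh keep-state` without `setup` creates state from a bare ACK to port 22, a packet that is not a connection start (as posted, that rule also reads `{ks}` where the other rules use `${ks}`, so the shell passes the literal string `{ks}` to ipfw). One related fact worth knowing when reading the "Write failed: Permission denied" lines in the thread: when ipfw drops a packet that a local socket is sending, FreeBSD returns EACCES to the writer, and that is the text sshd prints. The local address, peer address, rule numbers and packet trace are constructed for the demonstration.

```python
"""Tiny first-match model of the ipfw keywords used in this thread.

Added example, not ipfw source: it implements only what the posted
rulesets rely on (setup, established, check-state, keep-state, 'me',
destination port, in/out) so rule ordering can be traced packet by packet.
ME, PEER, the rule numbers and the packet trace are constructed values.
"""
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.1"          # assumed local address; ipfw's 'me' resolves to it
PEER = "198.51.100.7"     # assumed remote SSH client


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out"
    syn: bool = False
    ack: bool = False     # ACK flag (RST is folded in here for 'established')


@dataclass
class Rule:
    num: int
    action: str           # "allow", "deny" or "check-state"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False        # SYN without ACK: a connection start
    established: bool = False  # ACK (or RST) present: not a connection start
    keep_state: bool = False   # create a dynamic entry for the flow on match


def _host(pattern: str, addr: str) -> bool:
    return pattern == "any" or addr == (ME if pattern == "me" else pattern)


def _static_match(r: Rule, p: Pkt) -> bool:
    return (_host(r.src, p.src) and _host(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (not r.setup or (p.syn and not p.ack))
            and (not r.established or p.ack))


def _flow(p: Pkt) -> frozenset:
    # Direction-independent key, so the reply of a flow hits the same entry.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}     # flow -> (parent rule number, parent action)

    def evaluate(self, p: Pkt):
        """Return (rule number, action) of the first rule that matches p."""
        for r in self.rules:
            if r.action == "check-state":
                if _flow(p) in self.dyn:
                    return self.dyn[_flow(p)]
                continue
            if r.keep_state and _flow(p) in self.dyn:  # keep-state implies check-state
                return self.dyn[_flow(p)]
            if not _static_match(r, p):
                continue
            if r.keep_state:
                self.dyn[_flow(p)] = (r.num, r.action)
            return (r.num, r.action)
        return (65535, "deny")    # default-to-deny kernel

    def trace(self, packets):
        return [self.evaluate(p) for p in packets]


def ssh_handshake():
    """Inbound SSH session: SYN in, SYN/ACK out, ACK in, first data segment in."""
    return [
        Pkt(PEER, 1545, ME, 22, "in", syn=True),
        Pkt(ME, 22, PEER, 1545, "out", syn=True, ack=True),
        Pkt(PEER, 1545, ME, 22, "in", ack=True),
        Pkt(PEER, 1545, ME, 22, "in", ack=True),
    ]


def client_profile(with_ssh_rule: bool) -> Firewall:
    """rc.firewall 'client' style: static rules, one 'setup' rule per service."""
    rules = [
        Rule(100, "allow", established=True),          # everything after the SYN
        Rule(200, "allow", dst="me", dport=25, setup=True),
        Rule(400, "allow", src="me", setup=True),      # outgoing connections
        Rule(500, "deny", setup=True),                 # all other connection starts
    ]
    if with_ssh_rule:
        rules.append(Rule(300, "allow", dst="me", dport=22, setup=True))
    return Firewall(rules)


def stateful_ssh(require_setup: bool) -> Firewall:
    """check-state plus one keep-state rule for port 22, with or without 'setup'."""
    return Firewall([
        Rule(200, "check-state"),
        Rule(300, "allow", dport=22, setup=require_setup, keep_state=True),
    ])


if __name__ == "__main__":
    print("client profile + ssh setup rule:", client_profile(True).trace(ssh_handshake()))
    print("client profile, no ssh rule:   ", client_profile(False).trace(ssh_handshake()[:1]))
    bare_ack = Pkt(PEER, 4444, ME, 22, "in", ack=True)
    loose, strict = stateful_ssh(False), stateful_ssh(True)
    print("keep-state without setup, bare ACK:", loose.evaluate(bare_ack), loose.dyn)
    print("keep-state with setup, bare ACK:   ", strict.evaluate(bare_ack), strict.dyn)
```

Reading the traces: with the extra rule the SYN is accepted by rule 300 and every later segment of the session, including the outbound SYN/ACK, by the `established` rule, which is why a single `setup` rule is all the client profile needs per service; without it the SYN falls through to rule 500. In the stateful variant the `setup`-less rule accepts a lone ACK and installs state for it, while the `setup` version lets it fall through to the default deny.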
Re: ipfw and ssh
Not just that, but it doesn't appear to be logging the events, even
after I added

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

to /etc/sysctl.conf and firewall_logging="YES" into /etc/rc.conf, i see
no updates to /var/log/security after the ssh attempt failed. What am I
doing wrong here? Thanks again everyone for all of your help.

On Apr 5, 2006, at 10:08 PM, Ean Kingston wrote:
> You neglected to include the 'add' in your first fwcmd.
>
> You may want to try something simple to start with. I haven't used
> ipfw in a while so hopefully my syntax is still good. Here is a simple
> starting point:
>
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx" # IP Address of person
> ${fwcmd} add allow tcp from ${mip} to me 22 in # allow connection to ssh
> ${fwcmd} add allow tcp from me 22 to ${mip} out # allow me to respond
>
> I think all you really need is this:
>
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup
>
> Since the rest of it should be taken care of by the rest of the
> 'client' ipfw setup.
>
> On Wednesday 05 April 2006 21:50, Anthony M.Agelastos wrote:
> > Hello everyone,
> >
> > Allow me to preface my problem by saying that I am very ignorant when
> > it comes to networking. I do apologize if this is trivial. In any
> > event, I enabled the "client" ipfw firewall located in
> > /etc/rc.firewall. This appears to work well for my needs... except for
> > one additional item. I need someone outside of my network to have SSH
> > access to my machine. I know his/her IP address. So, I have added
> > some additional items to rc.firewall for this. Here is what I added.
> >
> > # Allow person SSH access
> > mip="xxx.xxx.xxx.xxx"
> > ${fwcmd} allow tcp from any to any 22 out setup keep-state
> > ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
> >
> > I have tried many, many differing variations of this from items I
> > have found online. I cannot get any of them to work. My network setup
> > is as follows
> >
> > internet -> cable modem -> netgear router -> freebsd 6.1-prerelease
> >
> > This user can SSH into my machine when I set the firewall to "open".
> > Any ideas?
>
> --
> Ean Kingston, BSc, CISSP, ARO
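Two points about the logging question in the message above that the thread does not spell out: ipfw writes a log line only for rules that carry the `log` keyword, so a ruleset whose `add`/`pass` lines have no `log` option produces nothing in /var/log/security no matter what `net.inet.ip.fw.verbose` is set to; and with `net.inet.ip.fw.verbose_limit=5` each logging rule goes quiet after five packets, printing a "limit 5 reached on entry N" notice, until `ipfw resetlog` clears the counters. Below is an added example, not FreeBSD code, that parses ipfw's kernel log format (rule number, action, protocol, source, destination, direction, interface) and the limit notice, and runs two small checks over it: which sources had inbound SSH connection attempts denied, and which rules have stopped logging. The log lines are constructed for the example; the hostname, interface and addresses are assumptions.

```python
"""Parser for ipfw kernel log lines plus two detections built on it.

Added example for this thread, not FreeBSD code. SAMPLE_LOG is constructed
to match ipfw's log format ("ipfw: <rule> <action> <proto> <src> <dst>
<in|out> via <iface>") and the notice ipfw prints when verbose_limit stops
logging for a rule ("ipfw: limit <N> reached on entry <rule>").
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr  6 02:50:11 bsdbox kernel: ipfw: 300 Accept TCP 198.51.100.7:1545 192.0.2.1:22 in via fxp0
Apr  6 02:50:19 bsdbox kernel: ipfw: 500 Deny TCP 203.0.113.9:40001 192.0.2.1:22 in via fxp0
Apr  6 02:50:20 bsdbox kernel: ipfw: 500 Deny TCP 203.0.113.9:40002 192.0.2.1:22 in via fxp0
Apr  6 02:50:21 bsdbox kernel: ipfw: 500 Deny TCP 203.0.113.9:40003 192.0.2.1:22 in via fxp0
Apr  6 02:50:30 bsdbox kernel: ipfw: 500 Deny TCP 203.0.113.44:5555 192.0.2.1:25 in via fxp0
Apr  6 02:50:31 bsdbox kernel: ipfw: limit 5 reached on entry 500
Apr  6 02:50:40 bsdbox kernel: ipfw: 200 Accept ICMP:8.0 198.51.100.7 192.0.2.1 in via fxp0
"""

_PKT = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
                  r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")
_LIMIT = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")


def _endpoint(text):
    """Split 'host:port' into (host, port). ICMP endpoints carry no port.
    IPv4 only: an IPv6 literal would need different splitting."""
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return text, None


def parse_line(line):
    """Return a dict for a packet line or a limit notice, else None."""
    m = _PKT.search(line)
    if m:
        src, sport = _endpoint(m["src"])
        dst, dport = _endpoint(m["dst"])
        return {"kind": "packet", "rule": int(m["rule"]), "action": m["action"],
                "proto": m["proto"], "src": src, "sport": sport,
                "dst": dst, "dport": dport, "dir": m["dir"], "iface": m["iface"]}
    m = _LIMIT.search(line)
    if m:
        return {"kind": "limit", "rule": int(m["rule"]), "limit": int(m["limit"])}
    return None


def parse_log(text):
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def denied_ssh_sources(records, threshold=3):
    """Sources whose inbound SSH attempts were denied at least 'threshold'
    times: the first thing to look at when a login 'just hangs'."""
    hits = Counter(r["src"] for r in records
                   if r["kind"] == "packet" and r["action"] == "Deny"
                   and r["dir"] == "in" and r["dport"] == 22)
    return {src: n for src, n in hits.items() if n >= threshold}


def capped_rules(records):
    """Rules whose logging was stopped by verbose_limit; later hits on them
    are invisible until 'ipfw resetlog' is run."""
    return {r["rule"]: r["limit"] for r in records if r["kind"] == "limit"}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("denied SSH sources:", denied_ssh_sources(recs))
    print("rules no longer logging:", capped_rules(recs))
```

On a real box the input would be /var/log/security; the `capped_rules` check is the one to run first when a rule that used to log goes silent, since a capped rule looks exactly like a rule that no traffic reaches.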
Re: ipfw and ssh
Thank you for your very prompt reply. I tried your suggestion and it
didn't work. I do not know why. Is the location where I place this in
the client profile important?

I have also tried the person's actual IP address as well as the IP
address of the router (just in case it is not doing something weird)
to no avail.

What is the easiest way of making changes to the firewall rules and
applying them so I do not have to reboot each time? I assume a
kldunload ipfw.ko and then a kldload ipfw.ko should do it, but I
don't want to risk doing something incorrect while I am trying to
debug my current problem.

On Apr 5, 2006, at 10:08 PM, Ean Kingston wrote:
> You neglected to include the 'add' in your first fwcmd.
>
> You may want to try something simple to start with. I haven't used
> ipfw in a while so hopefully my syntax is still good. Here is a simple
> starting point:
>
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx" # IP Address of person
> ${fwcmd} add allow tcp from ${mip} to me 22 in # allow connection to ssh
> ${fwcmd} add allow tcp from me 22 to ${mip} out # allow me to respond
>
> I think all you really need is this:
>
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup
>
> Since the rest of it should be taken care of by the rest of the
> 'client' ipfw setup.
>
> On Wednesday 05 April 2006 21:50, Anthony M.Agelastos wrote:
> > Hello everyone,
> >
> > Allow me to preface my problem by saying that I am very ignorant when
> > it comes to networking. I do apologize if this is trivial. In any
> > event, I enabled the "client" ipfw firewall located in
> > /etc/rc.firewall. This appears to work well for my needs... except for
> > one additional item. I need someone outside of my network to have SSH
> > access to my machine. I know his/her IP address. So, I have added
> > some additional items to rc.firewall for this. Here is what I added.
> >
> > # Allow person SSH access
> > mip="xxx.xxx.xxx.xxx"
> > ${fwcmd} allow tcp from any to any 22 out setup keep-state
> > ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
> >
> > I have tried many, many differing variations of this from items I
> > have found online. I cannot get any of them to work. My network setup
> > is as follows
> >
> > internet -> cable modem -> netgear router -> freebsd 6.1-prerelease
> >
> > This user can SSH into my machine when I set the firewall to "open".
> > Any ideas?
>
> --
> Ean Kingston, BSc, CISSP, ARO
Re: ipfw and ssh
You neglected to include the 'add' in your first fwcmd.

You may want to try something simple to start with. I haven't used
ipfw in a while so hopefully my syntax is still good. Here is a simple
starting point:

# Allow person SSH access
mip="xxx.xxx.xxx.xxx" # IP Address of person
${fwcmd} add allow tcp from ${mip} to me 22 in # allow connection to ssh
${fwcmd} add allow tcp from me 22 to ${mip} out # allow me to respond

I think all you really need is this:

# Allow setup of incoming ssh
${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup

Since the rest of it should be taken care of by the rest of the
'client' ipfw setup.

On Wednesday 05 April 2006 21:50, Anthony M.Agelastos wrote:
> Hello everyone,
>
> Allow me to preface my problem by saying that I am very ignorant when
> it comes to networking. I do apologize if this is trivial. In any
> event, I enabled the "client" ipfw firewall located in
> /etc/rc.firewall. This appears to work well for my needs... except for
> one additional item. I need someone outside of my network to have SSH
> access to my machine. I know his/her IP address. So, I have added
> some additional items to rc.firewall for this. Here is what I added.
>
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx"
> ${fwcmd} allow tcp from any to any 22 out setup keep-state
> ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
>
> I have tried many, many differing variations of this from items I
> have found online. I cannot get any of them to work. My network setup
> is as follows
>
> internet -> cable modem -> netgear router -> freebsd 6.1-prerelease
>
> This user can SSH into my machine when I set the firewall to "open".
> Any ideas?

--
Ean Kingston, BSc, CISSP, ARO
ipfw and ssh
Hello everyone,

Allow me to preface my problem by saying that I am very ignorant when
it comes to networking. I do apologize if this is trivial. In any
event, I enabled the "client" ipfw firewall located in
/etc/rc.firewall. This appears to work well for my needs... except for
one additional item. I need someone outside of my network to have SSH
access to my machine. I know his/her IP address. So, I have added
some additional items to rc.firewall for this. Here is what I added.

# Allow person SSH access
mip="xxx.xxx.xxx.xxx"
${fwcmd} allow tcp from any to any 22 out setup keep-state
${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2

I have tried many, many differing variations of this from items I
have found online. I cannot get any of them to work. My network setup
is as follows

internet -> cable modem -> netgear router -> freebsd 6.1-prerelease

This user can SSH into my machine when I set the firewall to "open".
Any ideas?