Re: Problems with ipfw and ssh

2006-10-12 Thread Spiros Papadopoulos

Thanks,

On 12/10/06, Chris <[EMAIL PROTECTED]> wrote:


The thing is... I generally have the kernel setup to allow by default. Then I
create rules denying traffic as I either know up front, or can deduct from
logging a last rule denying traffic.

IE: the rule you have set to allow any, my same rule is deny any. This way I
can create allow and deny rules earlier, then view my log to see what items
are still being denied via /var/log/security

This will allow you to concentrate on what items may be causing the problem.

I know I had some issues with IPFW working for about 15 minutes, then dying.
It was due to me not having any rules allowing MAC, or layer2 traffic. You'll
see this if you set your logging up properly with an ending rule just before
the last one.



I see.. Yes, what you suggest is a better idea and I think it is now even
clearer why the manual suggests to start by allowing everything.
I had it different in my mind but still I don't think I wasted my time.
I also have in mind the layer2, ARP etc traffic and I am also thinking of
using snort's output to create better rules.
However I am stuck with the ssh rule since I mainly want to work remotely on
this.
I will go for it in the way you suggest.

Thanks,
Spiros

p.s. Apologies for messing with the recipients.. I tried not to include the
ipfw list after the first post, but it was in someone's reply to me.. etc..
sorry

On Thursday 12 October 2006 20:22, Spiros Papadopoulos wrote:

Thanks for your replies,

On 12/10/06, *Chris* <[EMAIL PROTECTED]> wrote:
>If you have your kernel set to deny all by default, you can set a rule number
>65534 to allow any to any
>as rule 65535 will deny any to any
>Then work your way back from there.

Could you please make the above last part of your thought more clear for me?

I already have done what you said and I can su normally.
So there is definitely something that must be allowed before which I am not
aware of and from the messages and behaviour I get I cannot identify.

On 12/10/06, vladone <[EMAIL PROTECTED]> wrote:
>
> Hello Spiros,
>
> Thursday, October 12, 2006, 12:53:28 AM, you wrote:
>
> Isn

Re: Problems with ipfw and ssh

2006-10-12 Thread Spiros Papadopoulos

Hi again,

On 12/10/06, Garrett Cooper <[EMAIL PROTECTED]> wrote:

Based on all the docs I've read about using ipfw, you should put
"ipfw allow all any from any via lo0" somewhere at the top of your
script so all traffic can and will be sent via lo0.

I think you are talking about the line below, is this right?

/sbin/ipfw -q add 50 allow all from any to any via lo0

It is there.. this is the first line to be met by packets in my
/etc/ipfw.rules script; it is also one of the default rules coming in the
/etc/rc.firewall script ...where I copied it from.

On 12/10/06, *Chris - WEBignite* <[EMAIL PROTECTED]> wrote:

I've actually just started seeing this same error. I do have a rule set for
local 127.0.0.1 and an allow for layer2 traffic.

Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

I get this error when updating my firewall rules via ssh. Any current ssh
connections are dropped, but I'm able to reinitiate a new connection without
trouble.


Could you please let me know what FreeBSD version you are using?

On 12/10/06, *Giorgos Keramidas* <[EMAIL PROTECTED]> wrote:

Yes.  See above.  The `ipfw -d show' command shown there was
after I looped using SSH from my workstation to another system
and back again.



Sorry i will not be able to reply again tonight



No problem. Take your time. There is definitely a logical
explanation why this is happening, even if that explanation is
`there is a bug in ipfw and 5.4' :)


I turned on the laptop and now everything is working again, as I initially
described (I don't have a clue what happened yesterday).

I can ssh to the machine as a normal user but cannot su to root.
When trying (from a win machine) with putty, it freezes immediately after I
enter the root password, and the message below is produced on the freebsd box:

Oct 12 17:58:52 user sshd[838]: fatal: Write failed: Permission denied

It is sshd that produces the above, but still I cannot identify what it is
trying to do and why permission is denied.
I have the option PermitRootLogins=No in my /etc/ssh/sshd_config file, but
it was working properly before I enabled ipfw.

Do you think it is a good idea to take ipfw out of the kernel and try
enabling it from /etc/rc.conf?
Anyway I think I should wait a little more before I proceed with this.
Do you think that this is a bug?

Thanks in advance
Spiros
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Problems with ipfw and ssh

2006-10-12 Thread Spiros Papadopoulos

On 12/10/06, Chris - WEBignite <[EMAIL PROTECTED]> wrote:


I've actually just started seeing this same error. I do have a rule set for
local 127.0.0.1 and an allow for layer2 traffic.

Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

Yes this is exactly the same message I got.

I get this error when updating my firewall rules via ssh. Any current ssh
connections are dropped, but I'm able to reinitiate a new connection without
trouble.

-Chris



The only difference is that I could not su to root so I could not update any
rules remotely.
I could log in to a normal user account properly though.

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Mark Jose
Sent: Wednesday, October 11, 2006 8:41 PM
To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org;
freebsd-ipfw@freebsd.org
Subject: RE: Problems with ipfw and ssh

Hi,

Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined
to allow all traffic?



Well actually I copied the following rules from /etc/rc.firewall plus the
comment (..because of the comment!) without thinking of it too much and I
consider them trusty and I never thought they could cause any problem.
Are you suggesting that these rules may be the reason for this?

# Only in rare cases do you want to change these rules
  ${addcmd} 50 allow all from any to any via lo0
  ${addcmd} 100 deny all from any to 127.0.0.0/8
  ${addcmd} 150 deny ip from 127.0.0.0/8 to any

Unfortunately I will not be on the machine for the next 7 or so hrs



Cheers


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh

Hi,

I am trying to configure a firewall using ipfw for a machine running FreeBSD
5.4. Without NAT.

I am nearly a newbie on this (since I never had time until now..) but still
I believe I understand exactly the concepts and what needs to be done.
Except the manual page and chapter 26.1 in the handbook I am using good
references such as:
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

I need to connect remotely to the machine using ssh and this is where I get
the problem:

Initially I can connect properly using a normal user account.
When later I am trying to su to root it does nothing and the connection
closes.

I have ipfw enabled in the kernel to deny everything by default.
I have used both (one at a time) the following rules concerning ssh, in
/etc/ipfw.rules, and also other combinations, such as taking off setup and
keep-state etc etc, which would then make my firewall stateless as far as I
understood, which is something I don't want anyway.

${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
-
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

In a first investigation (not thorough) I found this post:
http://www.freebsdforums.org/forums/showthread.php?t=21876
where from, I cannot realize what is wrong or how to fix this.

I run the sshd in debug mode and below is the portion, for when I am trying
to su to root

/* sshd -d */
Write failed: Permission denied
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp7

And here are related logs:

/* line from /var/log/messages */
Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied

/* /var/log/auth.log */
Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
Sep 26 10:17:49 username su: user to root on /dev/ttyp4
Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out

Is it trying to write to a socket? I cannot see what it is trying to do and
the permission is denied (of course maybe it is in front of me..but..)
Could anyone please advise?

Thanks in advance
Spiros
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to " [EMAIL PROTECTED]"






--
Spiros Papadopoulos

RE: Problems with ipfw and ssh

2006-10-12 Thread Chris - WEBignite
I've actually just started seeing this same error. I do have a rule set for
local 127.0.0.1 and an allow for layer2 traffic.

Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

I get this error when updating my firewall rules via ssh. Any current ssh
connections are dropped, but I'm able to reinitiate a new connection without
trouble.

-Chris


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mark Jose
Sent: Wednesday, October 11, 2006 8:41 PM
To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org;
freebsd-ipfw@freebsd.org
Subject: RE: Problems with ipfw and ssh

Hi,

Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined
to allow all traffic?

Cheers
  



RE: Problems with ipfw and ssh

2006-10-11 Thread Mark Jose
Hi,

Just a suggestion/query: Do you have your localhost/127.0.0.1 rules defined
to allow all traffic?

Cheers
  



Re: Problems with ipfw and ssh

2006-10-11 Thread Giorgos Keramidas
On 2006-10-12 01:31, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
>On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
>> ,
>> | [EMAIL PROTECTED]:/home/giorgos$ su -
>> | Password: 
>> | [EMAIL PROTECTED]:/root# ipfw -d show
>> | 00050 168  30828 allow ip from any to any via lo0
>> | 00100   0  0 deny ip from any to 127.0.0.0/8
>> | 00150   0  0 deny ip from 127.0.0.0/8 to any
>> | 00200   0  0 check-state
>> | 00210 881 129402 allow tcp from me to any setup keep-state
>> | 00211   8965 allow udp from me to any keep-state
>> | 00212   0  0 allow icmp from any to me icmptypes 0,3,4,11
>> | 00212   0  0 allow icmp from me to any
>> | 00250   0  0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
>> | 00251   0  0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
>> | 00300 649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
>> | 65535 154  35966 deny ip from any to any
>> | ## Dynamic rules (12):
>> | [EMAIL PROTECTED]:/root#
>> `
>> 
>> The only changes I made are:
>> 
>>   * Use 'any' instead of xx.xxx.x.xx as the UDP address.
>> 
>>   * Change ${ip} to my own address
>> 
>>   * Change ${nic} to my own interface name
>> 
>> I can connect to other hosts and ssh back into my workstation
>> with this ruleset :-/
>> 
>> Sorry, but I'm not sure why in your case this fails to work.
>
> Now this is strange. I will try again tomorrow evening more
> carefully and i will post any results.
>
> Initially i sent the mail because of the failure to su as root
> (as described also in that post i referenced) after i was
> logging in as normal user canonically. So it was working as you
> said.  But can you su to root after connecting?

Yes.  See above.  The `ipfw -d show' command shown there was
after I looped using SSH from my workstation to another system
and back again.

> Sorry i will not be able to reply again tonight

No problem.  Take your time.  There is definitely a logical
explanation why this is happening, even if that explanation is
`there is a bug in ipfw and 5.4' :)



Re: Problems with ipfw and ssh

2006-10-11 Thread Spiros Papadopoulos

On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:

On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> I started yesterday playing with it / testing it, but since i
> want to do most of the work remotely, i stuck on this rule and
> feel like keep looking until i find the solution. I paste the
> whole script here just in case something else is wrong...  Here
> is my ipfw.rules file:
>
> /** Sorry for the delay. In the meanwhile, just before sent the
> mail something else happened. Taking in account what you told
> me about the "state" keyword, i added it to the rule 300. Then
> i could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail it was
> working as described previously...Now also when i run the
> script with the "allowall" option gives me problems, when it
> was working before. I can ping the machine and get replies but
> i cannot ssh to it. It seems that i am doing something wrong
> but cannot identify where */
>
> #!/bin/sh
>
> # rules commmand prefix
> addcmd="/sbin/ipfw -q add"
>
> # and the interface
> if="xl0"
>
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
>
> nic="sk0"
> ks="keep-state"
>
> # Flush out the list
> /sbin/ipfw -q -f flush
>
> if [ "$1" = "allowall" ]
> then
>${addcmd} 100 allow all from any to any via ${nic}
>exit 0
> else
># Only in rare cases do you want to change these rules
>${addcmd} 50 allow all from any to any via lo0
>${addcmd} 100 deny all from any to 127.0.0.0/8
>${addcmd} 150 deny ip from 127.0.0.0/8 to any

These look ok.

># At the moment don't allow it
>#${addcmd} 400 allow all from ${ip} to ${net}:${mask}
>#${addcmd} 500 allow all from ${net}:${mask} to ${ip}

Not sure why these are needed (but they are commented out).


They are meant to allow all traffic from net 192.168.1.0 and were
commented out temporarily. I just sent the script as it was.



># Allow only specific stuff and maintain the firewall for as long
># as needed to become tough enough
>
># check state and keep it
>${addcmd} 200 check-state
>
>${addcmd} 210 allow tcp from me to any setup ${ks}
>${addcmd} 211 allow udp from me to any ${ks}
>
>${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
>${addcmd} 212 allow icmp from me to any
>
># Allow Traffic to my ISP DNS server
>${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
>${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
>
># Allow ssh from anywhere
>#${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
>#${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
>${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
># Everything else is denied
>${addcmd} 65535 deny all from any to ${ip}
>exit 0
> fi

You seem to be missing a 'setup' keyword in the ssh rule :-/

I just loaded your own ruleset (with ${ip} and ${nic} set to local
values) on a FreeBSD 7.0-CURRENT system here.  They work fine, as far as
I can tell:

,
| [EMAIL PROTECTED]:/home/giorgos$ su -
| Password: 
| [EMAIL PROTECTED]:/root# ipfw -d show
| 00050 168  30828 allow ip from any to any via lo0
| 00100   0  0 deny ip from any to 127.0.0.0/8
| 00150   0  0 deny ip from 127.0.0.0/8 to any
| 00200   0  0 check-state
| 00210 881 129402 allow tcp from me to any setup keep-state
| 00211   8965 allow udp from me to any keep-state
| 00212   0  0 allow icmp from any to me icmptypes 0,3,4,11
| 00212   0  0 allow icmp from me to any
| 00250   0  0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251   0  0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300 649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535 154  35966 deny ip from any to any
| ## Dynamic rules (12):
| [EMAIL PROTECTED]:/root#
`

The only changes I made are:

  * Use 'any' instead of xx.xxx.x.xx as the UDP address.

  * Change ${ip} to my own address

  * Change ${nic} to my own interface name

I can connect to other hosts and ssh back into my workstation
with this ruleset :-/

Sorry, but I'm not sure why in your case this fails to work.



Now this is strange. I will try again tomorrow evening more carefully
and I will post any results.
Initially I sent the mail because of the failure to su as root (as
described also in that post I referenced) after I was logging in as
normal user canonically. So it was working as you 

Re: Problems with ipfw and ssh

2006-10-11 Thread Giorgos Keramidas
On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> I started yesterday playing with it / testing it, but since i
> want to do most of the work remotely, i stuck on this rule and
> feel like keep looking until i find the solution. I paste the
> whole script here just in case something else is wrong...  Here
> is my ipfw.rules file:
> 
> /** Sorry for the delay. In the meanwhile, just before sent the
> mail something else happened. Taking in account what you told
> me about the "state" keyword, i added it to the rule 300. Then
> i could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail it was
> working as described previously...Now also when i run the
> script with the "allowall" option gives me problems, when it
> was working before. I can ping the machine and get replies but
> i cannot ssh to it. It seems that i am doing something wrong
> but cannot identify where */
> 
> #!/bin/sh
> 
> # rules commmand prefix
> addcmd="/sbin/ipfw -q add"
> 
> # and the interface
> if="xl0"
> 
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
> 
> nic="sk0"
> ks="keep-state"
> 
> # Flush out the list
> /sbin/ipfw -q -f flush
> 
> if [ "$1" = "allowall" ]
> then
>${addcmd} 100 allow all from any to any via ${nic}
>exit 0
> else
># Only in rare cases do you want to change these rules
>${addcmd} 50 allow all from any to any via lo0
>${addcmd} 100 deny all from any to 127.0.0.0/8
>${addcmd} 150 deny ip from 127.0.0.0/8 to any

These look ok.

># At the moment don't allow it
>#${addcmd} 400 allow all from ${ip} to ${net}:${mask}
>#${addcmd} 500 allow all from ${net}:${mask} to ${ip}

Not sure why these are needed (but they are commented out).

># Allow only specific stuff and maintain the firewall for as long
># as needed to become tough enough
> 
># check state and keep it
>${addcmd} 200 check-state
> 
>${addcmd} 210 allow tcp from me to any setup ${ks}
>${addcmd} 211 allow udp from me to any ${ks}
> 
>${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
>${addcmd} 212 allow icmp from me to any
> 
># Allow Traffic to my ISP DNS server
>${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
>${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
> 
># Allow ssh from anywhere
>#${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
>#${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
>${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
># Everything else is denied
>${addcmd} 65535 deny all from any to ${ip}
>exit 0
> fi

You seem to be missing a 'setup' keyword in the ssh rule :-/

I just loaded your own ruleset (with ${ip} and ${nic} set to local
values) on a FreeBSD 7.0-CURRENT system here.  They work fine, as far as
I can tell:

,
| [EMAIL PROTECTED]:/home/giorgos$ su -
| Password: 
| [EMAIL PROTECTED]:/root# ipfw -d show
| 00050 168  30828 allow ip from any to any via lo0
| 00100   0  0 deny ip from any to 127.0.0.0/8
| 00150   0  0 deny ip from 127.0.0.0/8 to any
| 00200   0  0 check-state
| 00210 881 129402 allow tcp from me to any setup keep-state
| 00211   8965 allow udp from me to any keep-state
| 00212   0  0 allow icmp from any to me icmptypes 0,3,4,11
| 00212   0  0 allow icmp from me to any
| 00250   0  0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251   0  0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300 649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535 154  35966 deny ip from any to any
| ## Dynamic rules (12):
| [EMAIL PROTECTED]:/root#
`

The only changes I made are:

  * Use 'any' instead of xx.xxx.x.xx as the UDP address.

  * Change ${ip} to my own address

  * Change ${nic} to my own interface name

I can connect to other hosts and ssh back into my workstation
with this ruleset :-/

Sorry, but I'm not sure why in your case this fails to work.

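Below is an added example, not Spiros's script or anything posted in the thread: the same ruleset with the points raised here applied (the ssh rule carries both setup and keep-state, check-state precedes the stateful rules, and a logging deny at 65534 replaces the attempt to add the reserved default rule 65535), plus a timed revert for reloading the rules over ssh. It assumes the interface name sk0 from the thread's script and, by default, a dry-run function that only prints the ipfw commands; set IPFW=/sbin/ipfw on the FreeBSD host to apply them.

```shell
#!/bin/sh
# Added example (not the thread's script). IPFW defaults to the dryrun
# function so the ruleset can be inspected anywhere; on the host use
# IPFW=/sbin/ipfw. The interface name sk0 is an assumption taken from the
# thread's script.

dryrun() { echo "ipfw $*"; }
IPFW="${IPFW:-dryrun}"
nic="${NIC:-sk0}"

add() { "$IPFW" -q add "$@"; }

load_rules() {
    "$IPFW" -q -f flush      # also drops every dynamic (keep-state) entry
    # loopback first; 127/8 must never appear on a real interface
    add 50 allow ip from any to any via lo0
    add 100 deny ip from any to 127.0.0.0/8
    add 150 deny ip from 127.0.0.0/8 to any
    # consult the dynamic table before any rule that creates entries in it
    add 200 check-state
    # this host's own traffic: 'setup' restricts 210 to new TCP sessions,
    # keep-state then admits the replies (DNS answers included, so the
    # thread's separate rules 250/251 are not needed)
    add 210 allow tcp from me to any setup keep-state
    add 211 allow udp from me to any keep-state
    add 212 allow icmp from any to me icmptypes 0,3,4,11
    add 213 allow icmp from me to any
    # inbound ssh: match only the SYN, then let the dynamic entry carry both
    # directions for the life of the session (sshd's replies after su too)
    add 300 allow log logamount 5 tcp from any to me dst-port 22 in via "$nic" setup keep-state
    # last user rule: log whatever is still dropped so /var/log/security shows
    # what the ruleset lacks (layer 2, ARP, ...). 65535 is the kernel's own
    # default rule and cannot be added from a script.
    add 65534 deny log ip from any to any
}

# Reload over ssh with a safety net: if the new rules cut this session off,
# a background timer flushes them and opens the firewall after $1 seconds.
# Call revert_cancel from the session once you have confirmed it still works.
load_with_revert() {
    load_rules
    ( sleep "${1:-90}"; "$IPFW" -q -f flush; add 100 allow ip from any to any ) &
    echo "$!" > "${REVERT_PID:-/tmp/ipfw-revert.pid}"
}

revert_cancel() {
    f="${REVERT_PID:-/tmp/ipfw-revert.pid}"
    [ -f "$f" ] && kill "$(cat "$f")" 2>/dev/null; rm -f "$f"
}

# Sanity checks on the dry-run output: the ssh rule is stateful and keyed on
# the SYN, check-state precedes the first keep-state rule, and no command
# tries to add rule 65535. Returns 0 when all three hold.
check_rules() {
    out=$(IPFW=dryrun; load_rules)
    echo "$out" | grep -q 'add 300 .* dst-port 22 .*setup keep-state' || return 1
    first_state=$(echo "$out" | grep -n 'keep-state' | head -n 1 | cut -d: -f1)
    cs=$(echo "$out" | grep -n 'check-state' | head -n 1 | cut -d: -f1)
    [ "$cs" -lt "$first_state" ] || return 1
    ! echo "$out" | grep -q 'add 65535 '
}
```

One thing the dry run cannot show: on the host, the flush at the top of load_rules removes the dynamic entries together with the rules, so an established ssh session loses its keep-state entry at reload time, which is what the timer in load_with_revert is there for.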


Re: Problems with ipfw and ssh

2006-10-11 Thread Spiros Papadopoulos

Giorgo thanks for the immediate reply,

I started yesterday playing with it / testing it, but since I want to
do most of the work remotely, I am stuck on this rule and feel like I should
keep looking until I find the solution. I paste the whole script here just
in case something else is wrong...
Here is my ipfw.rules file:

/** Sorry for the delay. In the meanwhile, just before I sent the mail
something else happened. Taking into account what you told me about the
"state" keyword, I added it to the rule 300. Then I could not connect
at all. I tried to take it off again, but surprisingly it still
doesn't allow any connections at all (not even the user this time),
hmmm... I am sending it as it was initially, which from yesterday
until my first e-mail was working as described previously... Now
also when I run the script with the "allowall" option it gives me
problems, when it was working before. I can ping the machine and get
replies but I cannot ssh to it. It seems that I am doing something
wrong but cannot identify where */

#!/bin/sh

# rules command prefix
addcmd="/sbin/ipfw -q add"

# and the interface (unused below; the rules use ${nic})
if="xl0"

# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"

nic="sk0"
ks="keep-state"

# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
then
   ${addcmd} 100 allow all from any to any via ${nic}
   exit 0
else
   # Only in rare cases do you want to change these rules
   ${addcmd} 50 allow all from any to any via lo0
   ${addcmd} 100 deny all from any to 127.0.0.0/8
   ${addcmd} 150 deny ip from 127.0.0.0/8 to any

   # At the moment don't allow it
   #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
   #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

   # Allow only specific stuff and maintain the firewall for as long
   # as needed to become tough enough

   # check state and keep it
   ${addcmd} 200 check-state

   ${addcmd} 210 allow tcp from me to any setup ${ks}
   ${addcmd} 211 allow udp from me to any ${ks}

   # the ipfw option is spelled "icmptypes" and takes the list without spaces
   ${addcmd} 212 allow icmp from any to me icmptypes 0,3,4,11
   ${addcmd} 212 allow icmp from me to any

   # Allow Traffic to my ISP DNS server
   ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
   ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}

   # Allow ssh from anywhere
   #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
   #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
   # "{ks}" was a typo for "${ks}": without the "$" the shell passes the
   # literal word {ks}, which ipfw does not recognise as an option
   ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
   # Everything else is denied. 65535 is the kernel's default rule and
   # cannot be added here, so the last user rule is 65534.
   ${addcmd} 65534 deny all from any to ${ip}
   exit 0
fi

Thanks
Spiros

On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:

I removed freebsd-ipfw from the recipient list.  Please keep `general'
questions in freebsd-questions.  The freebsd-ipfw list is, as far as I
know, used for *development* of IPFW; not questions.

On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to configure a firewall using ipfw for a machine running
> FreeBSD 5.4.  Without NAT.
>
> I am nearly a newbie on this (since I never had time until now..) but
> still I believe I understand exactly the concepts and what needs to be
> done.  Apart from the manual page and chapter 26.1 in the handbook I am
> using good references such as:
>
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
>
> I need to connect remotely to the machine using ssh and this is where
> I get the problem:
>
> Initially I can connect properly using a normal user account.  When
> later I am trying to su to root it does nothing and the connection
> closes.

Can you show us the full IPFW ruleset you are using?

> I have ipfw enabled in the kernel to deny everything by default.  I
> have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules and also other combinations, such as taking off setup
> and keep-state etc etc, which would then make my firewall stateless as
> far as I understood, which is something I don't want anyway.
>
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

The second seems wrong, unless you also have 'setup' rules elsewhere.

> In a first investigation (not thorough) I found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> from which I cannot work out what is wrong or how to fix this.

The initial ruleset of this forum thread has a few bugs, which I'm not
interested in pointing out one by one right now.  Just ignore most of it.

> I ran sshd in debug mode and below is the portion for when I am trying
> to su to root
>
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /
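An added example, not part of the thread: a small POSIX sh linter for rules scripts of the shape posted above. It flags the three things in that script that either make ipfw load fewer rules than its author expects or load a rule that does not mean what the line reads as: a `{ks}` written without the `$` (the shell passes the braces through and ipfw rejects the rule as a syntax error), a user rule numbered 65535 (the kernel's reserved default rule; the highest number ipfw accepts from userland is 65534), and a `tcp ... keep-state` rule with no `setup` (the point Giorgos raises in his reply). Because the posted script has no `set -e` and never looks at the exit status of `ipfw add`, a rejected rule simply vanishes from the loaded set while the rest of the script carries on. `lint_ipfw_rules`, `write_sample_rules` and `write_clean_rules` are this example's own names, and the two rulesets they write are constructed here, modelled on the posted script, not the poster's actual files.

```shell
#!/bin/sh
# lint_ipfw_rules FILE
#
# Static checks for an ipfw rules script of the shape posted in this thread.
# Prints "FILE:LINE: message" per finding; exit status 1 if anything was
# found, 0 if the file is clean.
lint_ipfw_rules() {
    awk '
    # A rule line looks like: <prefix...> <rule number> <ipfw action> ...
    # e.g. "${addcmd} 300 allow ..." or "/sbin/ipfw -q add 300 allow ...".
    function is_rule_line(    i) {
        for (i = 1; i < NF; i++)
            if ($i ~ /^[0-9]+$/) {
                rulenum = $i
                return ($(i + 1) ~ /^(allow|accept|pass|permit|deny|drop|reject|unreach|check-state|count|skipto|divert|tee|fwd|forward|pipe|queue|nat|netgraph|ngtee|setfib|call|return|reass)$/)
            }
        return 0
    }
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next   # blank line or comment
        if (!is_rule_line()) next             # assignments, if/fi, exit, ...

        # 1. "{ks}" instead of "${ks}": the shell leaves the braces alone and
        #    ipfw rejects the whole rule, so it is never loaded.
        t = line
        gsub(/[$][{][A-Za-z_][A-Za-z0-9_]*[}]/, "", t)   # remove proper ${var}
        if (t ~ /[{][A-Za-z_][A-Za-z0-9_]*[}]/)
            report("brace group without $, ipfw will reject this rule (typo for ${...}?)")

        # 2. 65535 is the kernel default rule; user rules stop at 65534.
        if (rulenum + 0 >= 65535)
            report("rule number " rulenum " is reserved for the default rule (max 65534)")

        # 3. tcp keep-state without setup: any matching segment, not only the
        #    SYN, creates dynamic state.
        if (line ~ /(^|[ \t])tcp([ \t]|$)/ && line ~ /keep-state/ && line !~ /(^|[ \t])setup([ \t]|$)/)
            report("tcp keep-state rule without setup")
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample (not the poster's real file) containing all three
# mistakes; modelled on the script posted in the thread.
write_sample_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
addcmd="/sbin/ipfw -q add"
ks="keep-state"
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
${addcmd} 310 allow tcp from any to me 22 keep-state
${addcmd} 65535 deny all from any to any
EOF
}

# The same ruleset with the three lines corrected; the linter finds nothing.
write_clean_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
addcmd="/sbin/ipfw -q add"
ks="keep-state"
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
${addcmd} 65534 deny all from any to any
EOF
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
write_sample_rules "$demo"
lint_ipfw_rules "$demo" || echo "lint exit status: $?"
rm -f "$demo"
```

Run it over the real script before loading it (`lint_ipfw_rules /etc/ipfw.rules`), and pair it with ipfw's own syntax check: `ipfw -n add ...` parses a rule without passing it to the kernel, so a copy of the script with `-n` in place of `-q` exercises the parser on every line and surfaces anything this heuristic linter misses.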

Re: Problems with ipfw and ssh

2006-10-11 Thread Giorgos Keramidas
I removed freebsd-ipfw from the recipient list.  Please keep `general'
questions in freebsd-questions.  The freebsd-ipfw list is, as far as I
know, used for *development* of IPFW; not questions.

On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I am trying to configure a firewall using ipfw for a machine running
> FreeBSD 5.4.  Without NAT.
> 
> I am nearly a newbie on this (since I never had time until now..) but
> still I believe I understand exactly the concepts and what needs to be
> done.  Apart from the manual page and chapter 26.1 in the handbook I am
> using good references such as:
>
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> 
> I need to connect remotely to the machine using ssh and this is where
> I get the problem:
> 
> Initially I can connect properly using a normal user account.  When
> later I am trying to su to root it does nothing and the connection
> closes.

Can you show us the full IPFW ruleset you are using?

> I have ipfw enabled in the kernel to deny everything by default.  I
> have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules and also other combinations, such as taking off setup
> and keep-state etc etc, which would then make my firewall stateless as
> far as I understood, which is something I don't want anyway.
> 
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

The second seems wrong, unless you also have 'setup' rules elsewhere.

> In a first investigation (not thorough) I found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> from which I cannot work out what is wrong or how to fix this.

The initial ruleset of this forum thread has a few bugs, which I'm not
interested in pointing out one by one right now.  Just ignore most of it.

> I ran sshd in debug mode and below is the portion for when I am trying
> to su to root
> 
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7

Now we're getting somewhere.  Please post your *FULL* ipfw ruleset so we
can try to find out why/when/where packets can be blocked.
