Re: Problems with ipfw and ssh
Thanks,

On 12/10/06, Chris <[EMAIL PROTECTED]> wrote:
> The thing is... I generally have the kernel set up to allow by default.
> Then I create rules denying traffic as I either know up front, or can
> deduce from logging with a last rule denying traffic, i.e. the rule you
> have set to allow any, my same rule is deny any. This way I can create
> allow and deny rules earlier, then view my log to see what items are
> still being denied via /var/log/security. This will allow you to
> concentrate on what items may be causing the problem.
>
> I know I had some issues with IPFW working for about 15 minutes, then
> dying. It was due to me not having any rules allowing MAC, or layer 2,
> traffic. You'll see this if you set your logging up properly with an
> ending rule just before the last one.

I see.. Yes, what you suggest is a better idea, and I think it is now even clearer why the manual suggests starting by allowing everything. I had it differently in my mind, but still I don't think I wasted my time. I also have in mind the layer 2, ARP etc. traffic, and I also think of using snort's output to create better rules. However, I am stuck with the ssh rule, since I mainly want to work remotely on this. I will go for it in the way you suggest.

Thanks,
Spiros

p.s. Apologies for messing with the recipients. I tried not to include the ipfw list after the first post, but it was in someone's reply to me, etc. Sorry.

On Thursday 12 October 2006 20:22, Spiros Papadopoulos wrote:
> Thanks for your replies,
>
> On 12/10/06, Chris <[EMAIL PROTECTED]> wrote:
> > If you have your kernel set to deny all by default, you can set a rule
> > number 65534 to allow any to any, as rule 65535 will deny any to any.
> > Then work your way back from there.
>
> Could you please make the last part of your thought above clearer for me?
> I have already done what you said and I can su normally. So there is
> definitely something that must be allowed before, which I am not aware
> of, and from the messages and behaviour I get I cannot identify it.

On 12/10/06, vladone <[EMAIL PROTECTED]> wrote:
> Hello Spiros,
>
> Thursday, October 12, 2006, 12:53:28 AM, you wrote:
>
> > Hi,
> >
> > I am trying to configure a firewall using ipfw for a machine running
> > FreeBSD 5.4. Without NAT.
> >
> > I am nearly a newbie on this (since I never had time until now..) but
> > still I believe I understand exactly the concepts and what needs to be
> > done. Apart from the manual page and chapter 26.1 in the handbook, I am
> > using good references such as:
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> >
> > I need to connect remotely to the machine using ssh, and this is where
> > I get the problem:
> >
> > Initially I can connect properly using a normal user account. When
> > later I try to su to root it does nothing and the connection closes.
> >
> > I have ipfw enabled in the kernel to deny everything by default. I have
> > used both (one at a time) the following rules concerning ssh in
> > /etc/ipfw.rules, and also other combinations, such as taking off setup
> > and keep-state etc., which would then make my firewall stateless as far
> > as I understood, which is something I don't want anyway.
> >
> >   ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> >   -
> >   ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
> >
> > In a first investigation (not thorough) I found this post:
> > http://www.freebsdforums.org/forums/showthread.php?t=21876
> > from which I cannot realize what is wrong or how to fix this.
> >
> > I ran sshd in debug mode, and below is the portion for when I am trying
> > to su to root:
> >
> >   /* sshd -d */
> >   Write failed: Permission denied
> >   debug1: do_cleanup
> >   debug1: PAM: cleanup
> >   debug1: do_cleanup
> >   debug1: PAM: cleanup
> >   debug1: session_pty_cleanup: session 0 release /dev/ttyp7
> >
> > And here are related logs:
> >
> >   /* line from /var/log/messages */
> >   Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied
> >
> >   /* /var/log/auth.log */
> >   Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xx port 1545
> >   Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
> >   Sep 26 10:17:49 username su: user to root on /dev/ttyp4
> >   Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
> >   Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out
> >
> > Is it trying to write to a socket? I cannot see what it is trying to do
> > and the permission is denied (of course maybe it is in front of me..but..)
> > Could anyone please advise?
> >
> > Thanks in advance
> > Spiros
> > ___
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>
> Isn
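Chris's method above, a logging deny as the last user rule and then a look at /var/log/security, is easier to apply when the log is summarized rather than read line by line. The script below is an added example and not part of the thread: the log lines in it are constructed, rule number 65534 for the catch-all follows Chris's suggestion, and the addresses, timestamps and the interface name sk0 are assumptions. The field layout is the one the ipfw `log` keyword produces through syslogd (rule, action, protocol, source, destination, direction, interface). When ipfw denies an outbound packet, the sending process's write() fails with EACCES, which sshd reports as "Write failed: Permission denied", so an `out` entry for port 22 in this summary is the first thing to look for.

```shell
#!/bin/sh
# Summarize ipfw "Deny" entries from /var/log/security by rule number,
# protocol, direction, interface and destination. Reads log lines on stdin
# and prints "count rule proto dir via ifname -> dst", busiest first.
summarize_ipfw_denies() {
    awk '
        {
            # Find the "ipfw:" token; the fields after it are laid out as
            #   rule action proto src dst in|out via ifname
            for (i = 1; i <= NF; i++)
                if ($i == "ipfw:") break
            if (i > NF) next
            rule = $(i + 1); action = $(i + 2); proto = $(i + 3)
            dst = $(i + 5); dir = $(i + 6); ifname = $(i + 8)
            if (action != "Deny") next
            # ICMP entries carry type/code as "ICMP:8.0" and have no ports
            sub(/:.*/, "", proto)
            key = rule " " proto " " dir " via " ifname " -> " dst
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of what a catch-all logging deny (rule 65534 here)
# writes. Addresses, the interface sk0 and timestamps are made up for the
# example. The two "out" lines on port 22 are what an ssh session whose
# outbound packets are being denied looks like; the "Accept" line is noise
# from a logged allow rule and must not be counted.
SAMPLE_SECURITY_LOG='Oct 12 17:58:50 fw kernel: ipfw: 65534 Deny TCP 192.168.1.199:22 203.0.113.5:1545 out via sk0
Oct 12 17:58:52 fw kernel: ipfw: 65534 Deny TCP 192.168.1.199:22 203.0.113.5:1545 out via sk0
Oct 12 17:59:01 fw kernel: ipfw: 65534 Deny UDP 192.168.1.1:53 192.168.1.199:49152 in via sk0
Oct 12 17:59:03 fw kernel: ipfw: 65534 Deny ICMP:8.0 203.0.113.9 192.168.1.199 in via sk0
Oct 12 17:59:10 fw kernel: ipfw: 300 Accept TCP 203.0.113.5:1546 192.168.1.199:22 in via sk0'

# "--demo" summarizes the sample; "--stdin" summarizes whatever is piped in,
# e.g.  grep 'ipfw:' /var/log/security | sh ipfw-denies.sh --stdin
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_SECURITY_LOG" | summarize_ipfw_denies ;;
    --stdin) summarize_ipfw_denies ;;
esac
```

The `log` keyword writes nothing unless net.inet.ip.fw.verbose is 1 (the IPFIREWALL_VERBOSE kernel option or the sysctl), and each rule stops logging after its `logamount` until the counters are reset with `ipfw resetlog`, so a quiet log does not by itself mean nothing is being denied.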
Re: Problems with ipfw and ssh
Hi again,

On 12/10/06, Garrett Cooper <[EMAIL PROTECTED]> wrote:
> Based on all the docs I've read about using ipfw, you should put
> "ipfw allow all any from any via lo0" somewhere at the top of your
> script so all traffic can and will be sent via lo0.

I think you are talking about the line below, is this right?

  /sbin/ipfw -q add 50 allow all from any to any via lo0

It is there.. This is the first line to be met by packets in my /etc/ipfw.rules script. It is also one of the default rules coming in the /etc/rc.firewall script, where I copied it from.

On 12/10/06, Chris - WEBignite <[EMAIL PROTECTED]> wrote:
> I've actually just started seeing this same error. I do have a rule
> set for local 127.0.0.1 and an allow for layer2 traffic.
>
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied
>
> I get this error when updating my firewall rules via ssh. Any current
> ssh connections are dropped, but I'm able to reinitiate a new
> connection without trouble.

Could you please let me know what FreeBSD version you are using?

On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> Yes. See above. The `ipfw -d show' command shown there was after I
> looped using SSH from my workstation to another system and back again.
>
> > Sorry I will not be able to reply again tonight
>
> No problem. Take your time.
>
> There is definitely a logical explanation why this is happening, even
> if that explanation is `there is a bug in ipfw and 5.4' :)

I turned on the laptop and now everything is working again, as I initially described (I don't have a clue what happened yesterday). I can ssh to the machine as a normal user but cannot su to root. When trying (from a Windows machine) with PuTTY, it freezes immediately after I enter the root password, and the message below is produced on the FreeBSD box:

  Oct 12 17:58:52 user sshd[838]: fatal: Write failed: Permission denied

It is sshd that produces the above, but still I cannot identify what it is trying to do and why permission is denied.

I have the option PermitRootLogins=No in my /etc/ssh/sshd_config file, but it was working properly before I enabled ipfw.

Do you think it is a good idea to take ipfw out of the kernel and try enabling it from /etc/rc.conf? Anyway, I think I should wait a little more before I proceed with this.

Do you think that this is a bug?

Thanks in advance
Spiros
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Problems with ipfw and ssh
On 12/10/06, Chris - WEBignite <[EMAIL PROTECTED]> wrote:
> I've actually just started seeing this same error. I do have a rule
> set for local 127.0.0.1 and an allow for layer2 traffic.
>
> Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

Yes, this is exactly the same message I got.

> I get this error when updating my firewall rules via ssh. Any current
> ssh connections are dropped, but I'm able to reinitiate a new
> connection without trouble.
>
> -Chris

The only difference is that I could not su to root, so I could not update any rules remotely. I could log in to a normal user account properly though.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Jose
> Sent: Wednesday, October 11, 2006 8:41 PM
> To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: RE: Problems with ipfw and ssh
>
> Hi,
>
> Just a suggestion/query:
> Do you have your localhost/127.0.0.1 rules defined to allow all traffic?

Well, actually I copied the following rules from /etc/rc.firewall, plus the comment (..because of the comment!), without thinking about it too much, and I consider them trusty and never thought they could cause any problem. Are you suggesting that these rules may be the reason for this?

  # Only in rare cases do you want to change these rules
  ${addcmd} 50 allow all from any to any via lo0
  ${addcmd} 100 deny all from any to 127.0.0.0/8
  ${addcmd} 150 deny ip from 127.0.0.0/8 to any

Unfortunately I will not be on the machine for the next 7 or so hrs.

> Cheers
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Spiros Papadopoulos
> Sent: Thursday, 12 October 2006 7:53 AM
> To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
> Subject: Problems with ipfw and ssh

--
Spiros Papadopoulos
RE: Problems with ipfw and ssh
I've actually just started seeing this same error. I do have a rule set for local 127.0.0.1 and an allow for layer2 traffic.

Oct 11 23:59:02 firewall sshd[49200]: fatal: Write failed: Permission denied

I get this error when updating my firewall rules via ssh. Any current ssh connections are dropped, but I'm able to reinitiate a new connection without trouble.

-Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Jose
Sent: Wednesday, October 11, 2006 8:41 PM
To: 'Spiros Papadopoulos'; freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: RE: Problems with ipfw and ssh

Hi,

Just a suggestion/query:
Do you have your localhost/127.0.0.1 rules defined to allow all traffic?

Cheers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh
RE: Problems with ipfw and ssh
Hi,

Just a suggestion/query:
Do you have your localhost/127.0.0.1 rules defined to allow all traffic?

Cheers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Spiros Papadopoulos
Sent: Thursday, 12 October 2006 7:53 AM
To: freebsd-questions@freebsd.org; freebsd-ipfw@freebsd.org
Subject: Problems with ipfw and ssh
Re: Problems with ipfw and ssh
On 2006-10-12 01:31, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> > ,
> > | [EMAIL PROTECTED]:/home/giorgos$ su -
> > | Password:
> > | [EMAIL PROTECTED]:/root# ipfw -d show
> > | 00050 168 30828 allow ip from any to any via lo0
> > | 00100 0 0 deny ip from any to 127.0.0.0/8
> > | 00150 0 0 deny ip from 127.0.0.0/8 to any
> > | 00200 0 0 check-state
> > | 00210 881 129402 allow tcp from me to any setup keep-state
> > | 00211 8965 allow udp from me to any keep-state
> > | 00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
> > | 00212 0 0 allow icmp from me to any
> > | 00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
> > | 00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
> > | 00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
> > | 65535 154 35966 deny ip from any to any
> > | ## Dynamic rules (12):
> > | [EMAIL PROTECTED]:/root#
> > `
> >
> > The only changes I made are:
> >
> > * Use 'any' instead of xx.xxx.x.xx as the UDP address.
> >
> > * Change ${ip} to my own address
> >
> > * Change ${nic} to my own interface name
> >
> > I can connect to other hosts and ssh back into my workstation
> > with this ruleset :-/
> >
> > Sorry, but I'm not sure why in your case this fails to work.
>
> Now this is strange. I will try again tomorrow evening more
> carefully and I will post any results.
>
> Initially I sent the mail because of the failure to su as root
> (as described also in that post I referenced) after I was
> logging in as a normal user canonically. So it was working as you
> said. But can you su to root after connecting?

Yes. See above. The `ipfw -d show' command shown there was after I
looped using SSH from my workstation to another system and back again.

> Sorry I will not be able to reply again tonight

No problem. Take your time.

There is definitely a logical explanation why this is happening, even if
that explanation is `there is a bug in ipfw and 5.4' :)
Re: Problems with ipfw and ssh
On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> > I started yesterday playing with it / testing it, but since I
> > want to do most of the work remotely, I got stuck on this rule and
> > feel like I'll keep looking until I find the solution. I paste the
> > whole script here just in case something else is wrong... Here
> > is my ipfw.rules file:
> >
> > /** Sorry for the delay. In the meanwhile, just before I sent the
> > mail something else happened. Taking into account what you told
> > me about the "state" keyword, I added it to rule 300. Then
> > I could not connect at all. I tried to take it off again, but
> > surprisingly it still doesn't allow any connections at all (not
> > even the user this time), hmmm... I am sending it as it was
> > initially, which from yesterday until my first e-mail was
> > working as described previously... Now also when I run the
> > script with the "allowall" option it gives me problems, when it
> > was working before. I can ping the machine and get replies but
> > I cannot ssh to it. It seems that I am doing something wrong
> > but cannot identify where */
> >
> > #!/bin/sh
> >
> > # rules command prefix
> > addcmd="/sbin/ipfw -q add"
> >
> > # and the interface
> > if="xl0"
> >
> > # details of this computer
> > ip="192.168.1.199"
> > net="192.168.1.0"
> > mask="255.255.255.0"
> > bcast="192.168.1.255"
> >
> > nic="sk0"
> > ks="keep-state"
> >
> > # Flush out the list
> > /sbin/ipfw -q -f flush
> >
> > if [ "$1" = "allowall" ]
> > then
> >    ${addcmd} 100 allow all from any to any via ${nic}
> >    exit 0
> > else
> >    # Only in rare cases do you want to change these rules
> >    ${addcmd} 50 allow all from any to any via lo0
> >    ${addcmd} 100 deny all from any to 127.0.0.0/8
> >    ${addcmd} 150 deny ip from 127.0.0.0/8 to any
>
> These look ok.
>
> >    # At the moment don't allow it
> >    #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
> >    #${addcmd} 500 allow all from ${net}:${mask} to ${ip}
>
> Not sure why these are needed (but they are commented out).

They are meant to allow all traffic from net 192.168.1.0 and were commented out temporarily. I just sent the script as it was.

> >    # Allow only specific stuff and maintain the firewall for as long
> >    # as needed to become tough enough
> >
> >    # check state and keep it
> >    ${addcmd} 200 check-state
> >
> >    ${addcmd} 210 allow tcp from me to any setup ${ks}
> >    ${addcmd} 211 allow udp from me to any ${ks}
> >
> >    ${addcmd} 212 allow icmp from any to me icmptypes 0,3,4,11
> >    ${addcmd} 212 allow icmp from me to any
> >
> >    # Allow Traffic to my ISP DNS server
> >    ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
> >    ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
> >
> >    # Allow ssh from anywhere
> >    #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
> >    #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
> >    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
> >    # Everything else is denied
> >    ${addcmd} 65535 deny all from any to ${ip}
> >    exit 0
> > fi
>
> You seem to be missing a 'setup' keyword in the ssh rule :-/
>
> I just loaded your own ruleset (with ${ip} and ${nic} set to local
> values) on a FreeBSD 7.0-CURRENT system here. They work fine, as far
> as I can tell:
>
> ,
> | [EMAIL PROTECTED]:/home/giorgos$ su -
> | Password:
> | [EMAIL PROTECTED]:/root# ipfw -d show
> | 00050 168 30828 allow ip from any to any via lo0
> | 00100 0 0 deny ip from any to 127.0.0.0/8
> | 00150 0 0 deny ip from 127.0.0.0/8 to any
> | 00200 0 0 check-state
> | 00210 881 129402 allow tcp from me to any setup keep-state
> | 00211 8965 allow udp from me to any keep-state
> | 00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
> | 00212 0 0 allow icmp from me to any
> | 00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
> | 00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
> | 00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
> | 65535 154 35966 deny ip from any to any
> | ## Dynamic rules (12):
> | [EMAIL PROTECTED]:/root#
> `
>
> The only changes I made are:
>
> * Use 'any' instead of xx.xxx.x.xx as the UDP address.
>
> * Change ${ip} to my own address
>
> * Change ${nic} to my own interface name
>
> I can connect to other hosts and ssh back into my workstation
> with this ruleset :-/
>
> Sorry, but I'm not sure why in your case this fails to work.

Now this is strange. I will try again tomorrow evening more carefully and I will post any results.

Initially I sent the mail because of the failure to su as root (as described also in that post I referenced) after I was logging in as a normal user canonically. So it was working as you
Re: Problems with ipfw and ssh
On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> I started yesterday playing with it / testing it, but since I
> want to do most of the work remotely, I got stuck on this rule and
> feel like I'll keep looking until I find the solution. I paste the
> whole script here just in case something else is wrong... Here
> is my ipfw.rules file:
>
> /** Sorry for the delay. In the meanwhile, just before I sent the
> mail something else happened. Taking into account what you told
> me about the "state" keyword, I added it to rule 300. Then
> I could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail was
> working as described previously... Now also when I run the
> script with the "allowall" option it gives me problems, when it
> was working before. I can ping the machine and get replies but
> I cannot ssh to it. It seems that I am doing something wrong
> but cannot identify where */
>
> #!/bin/sh
>
> # rules command prefix
> addcmd="/sbin/ipfw -q add"
>
> # and the interface
> if="xl0"
>
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
>
> nic="sk0"
> ks="keep-state"
>
> # Flush out the list
> /sbin/ipfw -q -f flush
>
> if [ "$1" = "allowall" ]
> then
>    ${addcmd} 100 allow all from any to any via ${nic}
>    exit 0
> else
>    # Only in rare cases do you want to change these rules
>    ${addcmd} 50 allow all from any to any via lo0
>    ${addcmd} 100 deny all from any to 127.0.0.0/8
>    ${addcmd} 150 deny ip from 127.0.0.0/8 to any

These look ok.

>    # At the moment don't allow it
>    #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
>    #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

Not sure why these are needed (but they are commented out).

>    # Allow only specific stuff and maintain the firewall for as long
>    # as needed to become tough enough
>
>    # check state and keep it
>    ${addcmd} 200 check-state
>
>    ${addcmd} 210 allow tcp from me to any setup ${ks}
>    ${addcmd} 211 allow udp from me to any ${ks}
>
>    ${addcmd} 212 allow icmp from any to me icmptypes 0,3,4,11
>    ${addcmd} 212 allow icmp from me to any
>
>    # Allow Traffic to my ISP DNS server
>    ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
>    ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
>
>    # Allow ssh from anywhere
>    #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
>    #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
>    ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
>    # Everything else is denied
>    ${addcmd} 65535 deny all from any to ${ip}
>    exit 0
> fi

You seem to be missing a 'setup' keyword in the ssh rule :-/

I just loaded your own ruleset (with ${ip} and ${nic} set to local
values) on a FreeBSD 7.0-CURRENT system here. They work fine, as far
as I can tell:

,
| [EMAIL PROTECTED]:/home/giorgos$ su -
| Password:
| [EMAIL PROTECTED]:/root# ipfw -d show
| 00050 168 30828 allow ip from any to any via lo0
| 00100 0 0 deny ip from any to 127.0.0.0/8
| 00150 0 0 deny ip from 127.0.0.0/8 to any
| 00200 0 0 check-state
| 00210 881 129402 allow tcp from me to any setup keep-state
| 00211 8965 allow udp from me to any keep-state
| 00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
| 00212 0 0 allow icmp from me to any
| 00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535 154 35966 deny ip from any to any
| ## Dynamic rules (12):
| [EMAIL PROTECTED]:/root#
`

The only changes I made are:

* Use 'any' instead of xx.xxx.x.xx as the UDP address.

* Change ${ip} to my own address

* Change ${nic} to my own interface name

I can connect to other hosts and ssh back into my workstation
with this ruleset :-/

Sorry, but I'm not sure why in your case this fails to work.
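The two pieces of advice in the thread, Chris's logging deny as the last user rule and the `setup` keyword Giorgos points out is missing from rule 300, fit into one ruleset. The script below is an added example, not the posted ruleset and not rc.firewall, although it keeps the thread's rule numbers; the interface name sk0 is an assumption and the `me` keyword replaces the hard-coded address. It departs from the posted script in four places. Rule 300 carries both `setup` and `keep-state`, so only the SYN that opens a connection to port 22 creates a dynamic rule and the rest of the session is admitted by `check-state`. Rules 250/251 are dropped, because the outbound UDP state from rule 211 already admits the DNS reply (the posted 251 matches destination port 53 on inbound packets, which a reply from a server never has, so it never matched anything). The final deny is numbered 65534, because 65535 is the kernel's default rule and `ipfw add 65535` is rejected; Giorgos's listing shows the stock `deny ip from any to any` at 65535 rather than the script's `deny all from any to ${ip}`, which is consistent with that add having failed. Rules 310/311 admit packets of already-established ssh sessions statelessly: `ipfw -f flush` also discards every dynamic rule, so after a reload the session carrying the reload matches no `setup` rule, its next outbound packet falls through to the deny and the write fails with EACCES, which is the "Write failed: Permission denied" Chris reports when updating rules over ssh.

```shell
#!/bin/sh
# Stateful ipfw ruleset for a host administered over ssh (FreeBSD 5.x and later).
# Usage: sh ipfw.rules show   (print the rules)   |   sh ipfw.rules load
NIC="${NIC:-sk0}"                 # assumption: the outside interface, as in the thread
LOGMAX="${LOGMAX:-5}"             # per-rule log burst, the thread's "logamount 5"
IPFW="${IPFW:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# Print the ruleset, one "ipfw add" argument list per line, lowest number
# first. Rule numbers follow the posted script; 65534 for the catch-all is
# Chris's suggestion (65535 is the kernel's own default rule).
emit_rules() {
    cat <<EOF
50 allow ip from any to any via lo0
100 deny ip from any to 127.0.0.0/8
150 deny ip from 127.0.0.0/8 to any
200 check-state
210 allow tcp from me to any setup keep-state
211 allow udp from me to any keep-state
212 allow icmp from any to me icmptypes 0,3,4,11
213 allow icmp from me to any
300 allow log logamount ${LOGMAX} tcp from any to me 22 in via ${NIC} setup keep-state
310 allow tcp from any to me 22 established
311 allow tcp from me 22 to any established
65534 deny log logamount ${LOGMAX} ip from any to any
EOF
}

# Flush and load. The flush also drops every dynamic rule, which is why
# 310/311 exist: without them the ssh session doing the reload matches no
# "setup" rule afterwards and its next outbound packet is denied (EACCES).
load_rules() {
    # The log keyword writes nothing unless verbose logging is enabled.
    "$SYSCTL" net.inet.ip.fw.verbose=1 >/dev/null 2>&1 || :
    "$IPFW" -q -f flush
    emit_rules | while read -r rule; do
        # shellcheck disable=SC2086  # the rule is meant to be word-split
        "$IPFW" -q add $rule
    done
}

case "${1:-show}" in
    show) emit_rules ;;
    load) load_rules ;;
    *)    echo "usage: $0 [show|load]" >&2; exit 64 ;;
esac
```

Run `sh ipfw.rules show` first and check the output with `ipfw -n` style reading before `sh ipfw.rules load`; after a load, `ipfw -d show` should list dynamic rules for the current ssh session, and anything reaching 65534 shows up in /var/log/security. Rules 310/311 are the one stateless concession; drop them if the host is only ever reloaded from the console.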
Re: Problems with ipfw and ssh
Giorgos, thanks for the immediate reply,

I started yesterday playing with it / testing it, but since I want to do most of the work remotely, I got stuck on this rule and feel like I'll keep looking until I find the solution. I paste the whole script here just in case something else is wrong... Here is my ipfw.rules file:

/** Sorry for the delay. In the meanwhile, just before I sent the mail something else happened. Taking into account what you told me about the "state" keyword, I added it to rule 300. Then I could not connect at all. I tried to take it off again, but surprisingly it still doesn't allow any connections at all (not even the user this time), hmmm... I am sending it as it was initially, which from yesterday until my first e-mail was working as described previously... Now also when I run the script with the "allowall" option it gives me problems, when it was working before. I can ping the machine and get replies but I cannot ssh to it. It seems that I am doing something wrong but cannot identify where */

#!/bin/sh

# rules command prefix
addcmd="/sbin/ipfw -q add"

# and the interface
if="xl0"

# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"

nic="sk0"
ks="keep-state"

# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
then
   ${addcmd} 100 allow all from any to any via ${nic}
   exit 0
else
   # Only in rare cases do you want to change these rules
   ${addcmd} 50 allow all from any to any via lo0
   ${addcmd} 100 deny all from any to 127.0.0.0/8
   ${addcmd} 150 deny ip from 127.0.0.0/8 to any

   # At the moment don't allow it
   #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
   #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

   # Allow only specific stuff and maintain the firewall for as long
   # as needed to become tough enough

   # check state and keep it
   ${addcmd} 200 check-state

   ${addcmd} 210 allow tcp from me to any setup ${ks}
   ${addcmd} 211 allow udp from me to any ${ks}

   ${addcmd} 212 allow icmp from any to me icmptypes 0,3,4,11
   ${addcmd} 212 allow icmp from me to any

   # Allow Traffic to my ISP DNS server
   ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
   ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}

   # Allow ssh from anywhere
   #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
   #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
   ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
   # Everything else is denied
   ${addcmd} 65535 deny all from any to ${ip}
   exit 0
fi

Thanks
Spiros

On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> I removed freebsd-ipfw from the recipient list. Please keep `general'
> questions in freebsd-questions. The freebsd-ipfw list is, as far as I
> know, used for *development* of IPFW; not questions.
>
> On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I am trying to configure a firewall using ipfw for a machine running
> > FreeBSD 5.4. Without NAT.
> >
> > I am nearly a newbie on this (since I never had time until now..) but
> > still I believe I understand exactly the concepts and what needs to be
> > done. Apart from the manual page and chapter 26.1 in the handbook I am
> > using good references such as:
> >
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> >
> > I need to connect remotely to the machine using ssh and this is where
> > I get the problem:
> >
> > Initially I can connect properly using a normal user account. When
> > later I am trying to su to root it does nothing and the connection
> > closes.
>
> Can you show us the full IPFW ruleset you are using?
>
> > I have ipfw enabled in the kernel to deny everything by default. I
> > have used both (one at a time) the following rules concerning ssh, in
> > /etc/ipfw.rules and also other combinations, such as taking off setup
> > and keep-state etc. etc., which would then make my firewall stateless as
> > far as I understood, which is something I don't want anyway.
> >
> > ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> > -
> > ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
>
> The second seems wrong, unless you also have 'setup' rules elsewhere.
>
> > In a first investigation (not thorough) I found this post:
> > http://www.freebsdforums.org/forums/showthread.php?t=21876
> > from which I cannot realize what is wrong or how to fix this.
>
> The initial ruleset of this forum thread has a few bugs, which I'm not
> interested in pointing out one by one right now. Just ignore most of it.
>
> > I ran sshd in debug mode and below is the portion for when I am trying
> > to su to root
> >
> > /* sshd -d */
> > Write failed: Permission denied
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: session_pty_cleanup: session 0 release /
Re: Problems with ipfw and ssh
I removed freebsd-ipfw from the recipient list. Please keep `general'
questions in freebsd-questions. The freebsd-ipfw list is, as far as I
know, used for *development* of IPFW; not questions.

On 2006-10-11 22:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to configure a firewall using ipfw for a machine running
> FreeBSD 5.4. Without NAT.
>
> I am nearly a newbie on this (since I never had time until now..) but
> still I believe I understand exactly the concepts and what needs to be
> done. Except for the manual page and chapter 26.1 in the handbook, I am
> using good references such as:
>
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
>
> I need to connect remotely to the machine using ssh and this is where
> I get the problem:
>
> Initially I can connect properly using a normal user account. When
> later I am trying to su to root it does nothing and the connection
> closes.

Can you show us the full IPFW ruleset you are using?

> I have ipfw enabled in the kernel to deny everything by default. I
> have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules and also other combinations, such as taking off setup
> and keep-state etc etc which would then make my firewall stateless as
> far as I understood, which is something I don't want anyway.
>
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

The second seems wrong, unless you also have 'setup' rules elsewhere.

> In a first investigation (not thorough) I found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> where from, I cannot realize what is wrong or how to fix this.

The initial ruleset of this forum thread has a few bugs, which I'm not
interested in pointing out one by one right now. Just ignore most of it.

> I run the sshd in debug mode and below is the portion, for when I am trying
> to su to root
>
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7

Now we're getting somewhere. Please post your *FULL* ipfw ruleset so we
can try to find out why/when/where packets can be blocked.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
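A small checker for the pitfalls raised in this thread: a tcp `keep-state` rule with no `setup` (the point about the second rule above), a scripted rule numbered 65535 (ipfw's own default rule), and the unexpanded `{ks}` typo visible in the pasted script. This is an added example, not code from the thread or from FreeBSD; the ruleset it runs over is a constructed sample modelled on the quoted rules, and `lint_ruleset`, `expand_vars` and `RULE_RE` are names chosen here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the rules quoted in this thread; it is not the
# poster's actual file. It deliberately keeps the "{ks}" typo and the 65535 rule.
SAMPLE_RULESET = """\
# check state and keep it
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 211 allow udp from me to any ${ks}
# Allow ssh from anywhere
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
# Everything else is denied
${addcmd} 65535 deny all from any to 192.168.1.199
"""

# An add line: the script's prefix variable or an ipfw add command, a rule number, a body.
RULE_RE = re.compile(r"^\s*(?:\$\{?\w+\}?|(?:/sbin/)?ipfw(?:\s+-\w+)*\s+add)\s+(\d+)\s+(.+?)\s*$")
DEFAULT_RULE = 65535  # ipfw's own last rule; scripted rules must be numbered below it


def expand_vars(body: str, variables: Dict[str, str]) -> str:
    """Expand ${name} the way sh would, using the script's own assignments."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), ""), body)


def lint_ruleset(text: str, variables: Optional[Dict[str, str]] = None) -> List[Tuple[int, str]]:
    """Return (rule number, problem) pairs for the pitfalls discussed in the thread."""
    variables = variables if variables is not None else {"ks": "keep-state"}
    findings: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, assignments, flush, shell control flow
        num, body = int(m.group(1)), m.group(2)
        # "{ks}" without "$" is a shell typo: ipfw receives the literal braces.
        if re.search(r"(?<!\$)\{\w+\}", body):
            findings.append((num, "unexpanded shell variable (missing '$')"))
            body = re.sub(r"(?<!\$)\{(\w+)\}", r"${\1}", body)  # analyse as intended
        words = expand_vars(body, variables).split()
        if num >= DEFAULT_RULE:
            findings.append((num, "collides with ipfw's default rule 65535; use 65534 or lower"))
        # keep-state on tcp without setup creates state from any matching packet,
        # not just the connection-opening SYN.
        if "keep-state" in words and "tcp" in words and "setup" not in words:
            findings.append((num, "tcp keep-state without setup"))
    return findings


if __name__ == "__main__":
    for num, problem in lint_ruleset(SAMPLE_RULESET):
        print(f"rule {num}: {problem}")
```

Run it over the real rules file (`python3 check.py < ipfw.rules` with a small wrapper, or by passing the file contents to `lint_ruleset`) before loading the ruleset on a remote machine, since a silently rejected or over-broad rule is exactly what locks you out.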