Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Daan Vreeken [PA4DAN]
On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
 I can't seem to get the ipfw rules right for letting ssh clients access a
 ssh server.  I can use ssh on the server to connect to the client; but if I
 try to connect from the client to the server, the operation times out.

 I have my rules in /etc/ipfw.rules.  Executing 'ipfw show' displays all of
 the rules as expected.  It also shows packets having been allowed at rule
 300 after an attempt to connect has been made.

 I have copied the top portion of /etc/ipfw.rules:

 #!/bin/sh

 # Andrew L. Gould's firewall rules.

 fwcmd="/sbin/ipfw -q"
 ${fwcmd} -f flush


 # Basic rules that should not be changed
 ${fwcmd} add 00100 pass all from any to any via lo0
 ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
 ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any


 # Allow specified service requests in
 # ssh
 ${fwcmd} add 00300 allow tcp from any to me 22
 ${fwcmd} add 00301 allow udp from any to me 22

 Does anyone have any idea why the operation is timing out or what I have
 done wrong?
You forgot the packets in the other direction... This should do the trick :

${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any

grtz,
Daan
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew L. Gould
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:
 On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
  I can't seem to get the ipfw rules right for letting ssh clients access a
  ssh server.  I can use ssh on the server to connect to the client; but if
  I try to connect from the client to the server, the operation times out.
 
  I have my rules in /etc/ipfw.rules.  Executing 'ipfw show' displays all
  of the rules as expected.  It also shows packets having been allowed at
  rule 300 after an attempt to connect has been made.
 
  I have copied the top portion of /etc/ipfw.rules:
 
  #!/bin/sh
 
  # Andrew L. Gould's firewall rules.
 
  fwcmd="/sbin/ipfw -q"
  ${fwcmd} -f flush
 
 
  # Basic rules that should not be changed
  ${fwcmd} add 00100 pass all from any to any via lo0
  ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
  ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
 
 
  # Allow specified service requests in
  # ssh
  ${fwcmd} add 00300 allow tcp from any to me 22
  ${fwcmd} add 00301 allow udp from any to me 22
 
  Does anyone have any idea why the operation is timing out or what I have
  done wrong?

 You forgot the packets in the other direction... This should do the trick :

 ${fwcmd} add 00300 allow tcp from any to me 22
 ${fwcmd} add 00301 allow tcp from me 22 to any

 grtz,
 Daan

I have the firewall configured to let anything out.  As noted above, I was 
able to connect from the server to the client using ssh.

Here's the entirety of /etc/ipfw.rules:

#!/bin/sh

# Andrew L. Gould's firewall rules.

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush

${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any


# Allow specified service requests in
# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22
# irc
${fwcmd} add 00302 allow tcp from any to me 194
${fwcmd} add 00303 allow udp from any to me 194
# auth (ident)
${fwcmd} add 00304 allow tcp from any to me 113
${fwcmd} add 00305 allow udp from any to me 113
# ircd
${fwcmd} add 00310 allow tcp from any to me 6667


# Allow TCP connections that were initiated locally
${fwcmd} add 00400 check-state

${fwcmd} add 00402 allow tcp from any to any out setup keep-state

# Allow DNS and DHCP activities
${fwcmd} add 00500 allow udp from any 53 to any in recv dc0
${fwcmd} add 00501 allow udp from any 67 to any 68 in recv dc0
${fwcmd} add 00502 allow udp from any to any out

# Allow ICMP activities
${fwcmd} add 00600 allow icmp from any to any icmptype 0
${fwcmd} add 00601 allow icmp from any to any icmptype 3
${fwcmd} add 00602 allow icmp from any to any icmptype 4
${fwcmd} add 00603 allow icmp from any to any icmptype 8
${fwcmd} add 00604 allow icmp from any to any icmptype 11 in

${fwcmd} add 00901 deny tcp from any to any in established

# 65535 is the built-in default rule and cannot be added; use the highest free number
${fwcmd} add 65534 deny all from any to any
#

Thanks,

Andrew Gould


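To see exactly why the rule set above times out, and why the extra "from me 22 to any" rule fixes it, here is an added example (not from the thread) that walks the ssh three-way handshake through a small Python re-implementation of ipfw's first-match evaluation with check-state/keep-state. It models only the rules that can match the TCP packets in question (the lo0, IRC, ident, DNS/DHCP and ICMP rules are left out); the addresses 192.0.2.10 and 198.51.100.7, the ports and the packet sequences are constructed, and the stateful_variant rule set is an alternative I assume for comparison, not something anyone in the thread posted.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"         # constructed: the ssh server's address, what "me" matches
CLIENT = "198.51.100.7"   # constructed: the ssh client

# flags are TCP flag letters: "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST
Pkt = namedtuple("Pkt", "proto src sport dst dport direction flags", defaults=("",))

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                      # "allow", "deny" or "check-state"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "any"                 # "any", "me" or a literal address
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None for either
    setup: bool = False              # ipfw "setup": SYN set, ACK clear
    established: bool = False        # ipfw "established": ACK or RST set
    keep_state: bool = False         # create a dynamic entry when matched

def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or (spec == "me" and addr == ME) or spec == addr

def rule_matches(r: Rule, p: Pkt) -> bool:
    """Static match of one rule against one packet; dynamic state is handled by Firewall."""
    tcp = p.proto == "tcp"
    return (
        r.proto in ("ip", p.proto)
        and addr_matches(r.src, p.src) and addr_matches(r.dst, p.dst)
        and r.sport in (None, p.sport) and r.dport in (None, p.dport)
        and r.direction in (None, p.direction)
        and (not r.setup or (tcp and "S" in p.flags and "A" not in p.flags))
        and (not r.established or (tcp and ("A" in p.flags or "R" in p.flags)))
    )

def flow_key(p: Pkt, reverse: bool = False):
    """5-tuple identifying a dynamic entry; the reverse key is what a reply packet carries."""
    return (p.proto, p.dst, p.dport, p.src, p.sport) if reverse else (p.proto, p.src, p.sport, p.dst, p.dport)

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)   # ipfw walks rules in number order
        self.dynamic = {}   # flow key -> (rule number that created it, its action)

    def evaluate(self, p: Pkt):
        """Return (rule number, action) of the first rule that decides the packet."""
        for r in self.rules:
            # check-state, and implicitly every keep-state rule, consults the dynamic table first
            if r.action == "check-state" or r.keep_state:
                hit = self.dynamic.get(flow_key(p)) or self.dynamic.get(flow_key(p, reverse=True))
                if hit:
                    return hit
                if r.action == "check-state":
                    continue
            if rule_matches(r, p):
                if r.keep_state:
                    self.dynamic[flow_key(p)] = (r.num, r.action)
                return (r.num, r.action)
        return (65535, "deny")   # the default rule

def posted_rules():
    """The rules from the posted /etc/ipfw.rules that can match ssh traffic."""
    return [
        Rule(300, "allow", "tcp", dst="me", dport=22),
        Rule(301, "allow", "udp", dst="me", dport=22),
        Rule(400, "check-state"),
        Rule(402, "allow", "tcp", direction="out", setup=True, keep_state=True),
        Rule(901, "deny", "tcp", direction="in", established=True),
    ]

def daan_fix():
    """Daan's suggestion: rule 301 becomes 'allow tcp from me 22 to any'."""
    return [r for r in posted_rules() if r.num != 301] + [Rule(301, "allow", "tcp", src="me", sport=22)]

def stateful_variant():
    """Assumed alternative, not from the thread: one stateful inbound rule covers both directions."""
    return [r for r in posted_rules() if r.num not in (300, 301)] + [
        Rule(300, "allow", "tcp", dst="me", dport=22, direction="in", setup=True, keep_state=True)]

def walk(rules, packets):
    """Run packets through a fresh firewall in order; return the verdict for each."""
    fw = Firewall(rules)
    return [fw.evaluate(p) for p in packets]

# constructed packet sequences
INBOUND_SSH = [   # client -> server, the direction that timed out
    Pkt("tcp", CLIENT, 51234, ME, 22, "in", "S"),
    Pkt("tcp", ME, 22, CLIENT, 51234, "out", "SA"),
    Pkt("tcp", CLIENT, 51234, ME, 22, "in", "A"),
]
OUTBOUND_SSH = [  # server -> client, which the poster said already worked
    Pkt("tcp", ME, 51000, CLIENT, 22, "out", "S"),
    Pkt("tcp", CLIENT, 22, ME, 51000, "in", "SA"),
]
ACK_SCAN = [Pkt("tcp", CLIENT, 40000, ME, 22, "in", "A")]  # unsolicited bare ACK to port 22
```

Running walk(posted_rules(), INBOUND_SSH) shows the client's SYN accepted by rule 300 and the server's SYN-ACK falling all the way to the default deny: its destination is the client, so 300 does not match, and 402 requires "setup" (SYN without ACK), so a SYN-ACK never matches it either. The client retransmits until it times out, which is exactly the symptom reported. The server-to-client direction works because 402 matches the outgoing SYN, creates a dynamic entry, and check-state at 400 then admits the reply. Daan's stateless "allow tcp from me 22 to any" lets the SYN-ACK out at 301; an equivalent single rule "allow tcp from any to me 22 in setup keep-state" does the same through the dynamic table while still letting rule 901 reject an unsolicited bare ACK to port 22, which rule 300 as posted accepts. The model ignores dynamic-entry timeouts, RST handling and interface matching, so treat it as a reasoning aid rather than a substitute for testing the real rule set.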


Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew L. Gould
Does portmap have to be enabled to connect to sshd?

Thanks,

Andrew Gould



Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew Boothman
Andrew L. Gould wrote:
 Does portmap have to be enabled to connect to sshd?

No



Re: ipfw rules for letting ssh requests in

2004-01-18 Thread Andrew L. Gould
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:

 You forgot the packets in the other direction... This should do the trick :

 ${fwcmd} add 00300 allow tcp from any to me 22
 ${fwcmd} add 00301 allow tcp from me 22 to any

 grtz,
 Daan

It worked.

Thanks,

Andrew Gould
