Re: setting up ipfw
On Tue, 1 Jul 2003, Kevin Kinsey, DaleCo, S.P. wrote:

> CORRECTION: That last rule I quoted is actually:
>
> 00050 allow tcp from any to my.ip.ad.res 22 setup
>                                          ^^
>
> Makes it work much better for SSH...

Well, I finally met with success this morning. The box is up to the point where I can start playing around with rulesets. I was able to get things rolling with the config Kevin sent, but I had to add a couple of udp entries for port 53 like David suggested, as ssh has to resolve the IP before it allows connections to port 22.

Thanks for the help.

- Jamie

> ----- Original Message -----
> From: Kevin Kinsey, DaleCo, S.P. [EMAIL PROTECTED]
> To: Jamie [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Tuesday, July 01, 2003 8:29 PM
> Subject: Re: setting up ipfw
>
> > From: Jamie [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Tuesday, July 01, 2003 8:01 PM
> > Subject: setting up ipfw
> >
> > I am having a very difficult time setting up ipfw on a 4.8 installation. Was wondering if anyone might be able to shed some light on this.
> >
> > I followed the directions in the handbook, and I compiled a new kernel with these options (I am going for a deny-all-by-default, open-services-as-necessary philosophy):
> >
> >   options IPFIREWALL
> >   options IPFIREWALL_VERBOSE
> >   options IPFIREWALL_VERBOSE_LIMIT=10
> >
> > Upon rebooting, I was unable to access the machine from anywhere, which is fine, because I have console access.
> >
> > Output of ifconfig -a looks like this:
> >
> >   # ifconfig -a
> >   fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >           inet 200.88.54.93 netmask 0xffffff00 broadcast 200.88.54.255
> >           inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
> >           ether 00:03:47:77:81:69
> >           media: Ethernet autoselect (100baseTX <full-duplex>)
> >           status: active
> >   lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> >   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >           inet6 ::1 prefixlen 128
> >           inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >           inet 127.0.0.1 netmask 0xff000000
> >   ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> >   sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> >   faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> >
> > The name of the machine is power.bar.com. I want to ssh in from another machine, foo.bar.com, with IP address 200.88.34.12. This is the rule I am adding:
> >
> >   ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
> >
> > It tells me it can't resolve power.bar.com! So, I try:
> >
> >   ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
> >
> > It accepts the rule, but I still cannot connect from foo.bar.com. Anyone have any ideas?
>
> Are you allowing ip OUT from 200.88.54.93?
>
> Please post output of ipfw show (not that it's not implicit, I guess...) and describe your network topography.
>
> FWIW, here's my top few rules:
>
>   00010 allow ip from my.ip.ad.dres to any out
>   00020 deny log logamount 20 ip from any to any out
>   00030 allow tcp from any to any established
>   00040 allow ip from any to any frag
>   00050 allow tcp from any to my.ip.ad.res setup
>
> Kevin Kinsey
> DaleCo, S.P.

-- 
A friend is someone who lets you have total freedom to be yourself.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: setting up ipfw
At 11:35 7/2/2003, Jamie wrote:

> On Tue, 1 Jul 2003, Kevin Kinsey, DaleCo, S.P. wrote:
>
> > CORRECTION: That last rule I quoted is actually:
> >
> > 00050 allow tcp from any to my.ip.ad.res 22 setup
> >                                          ^^
> >
> > Makes it work much better for SSH...
>
> Well, I finally met with success this morning. The box is up to the point where I can start playing around with rulesets. I was able to get things rolling with the config Kevin sent, but I had to add a couple of udp entries for port 53 like David suggested, as ssh has to resolve the IP before it allows connections to port 22.
>
> Thanks for the help.
>
> - Jamie

Is there some guide to translate IPFW rules to English so that they are understandable?

Start Here to Find It Fast!
http://www.US-Webmasters.com/best-start-page/
Re: setting up ipfw
W. D. wrote:

> [ ... ]
> 00050 allow tcp from any to my.ip.ad.res 22 setup
>
> Is there some guide to translate IPFW rules to English so that they are understandable?

Well, the above could be written:

  allow tcp from any to me ssh setup

...is that better?

[ If you don't understand TCP/IP, service names/port numbers, and such, well, you'll need to know about such things or else you won't have the necessary background to understand firewalls. ]

-- 
-Chuck
Re: setting up ipfw
> From: Jamie [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, July 01, 2003 8:01 PM
> Subject: setting up ipfw
>
> I am having a very difficult time setting up ipfw on a 4.8 installation. Was wondering if anyone might be able to shed some light on this.
>
> I followed the directions in the handbook, and I compiled a new kernel with these options (I am going for a deny-all-by-default, open-services-as-necessary philosophy):
>
>   options IPFIREWALL
>   options IPFIREWALL_VERBOSE
>   options IPFIREWALL_VERBOSE_LIMIT=10
>
> Upon rebooting, I was unable to access the machine from anywhere, which is fine, because I have console access.
>
> Output of ifconfig -a looks like this:
>
>   # ifconfig -a
>   fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>           inet 200.88.54.93 netmask 0xffffff00 broadcast 200.88.54.255
>           inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
>           ether 00:03:47:77:81:69
>           media: Ethernet autoselect (100baseTX <full-duplex>)
>           status: active
>   lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
>   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>           inet6 ::1 prefixlen 128
>           inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>           inet 127.0.0.1 netmask 0xff000000
>   ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>   sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
>   faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>
> The name of the machine is power.bar.com. I want to ssh in from another machine, foo.bar.com, with IP address 200.88.34.12. This is the rule I am adding:
>
>   ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
>
> It tells me it can't resolve power.bar.com! So, I try:
>
>   ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
>
> It accepts the rule, but I still cannot connect from foo.bar.com. Anyone have any ideas?

Are you allowing ip OUT from 200.88.54.93?

Please post output of ipfw show (not that it's not implicit, I guess...) and describe your network topography.

FWIW, here's my top few rules:

  00010 allow ip from my.ip.ad.dres to any out
  00020 deny log logamount 20 ip from any to any out
  00030 allow tcp from any to any established
  00040 allow ip from any to any frag
  00050 allow tcp from any to my.ip.ad.res setup

Kevin Kinsey
DaleCo, S.P.
Re: setting up ipfw
On Tuesday 01 July 2003 08:01 pm, Jamie wrote:

> I am having a very difficult time setting up ipfw on a 4.8 installation. Was wondering if anyone might be able to shed some light on this.

[...]

> I want to ssh in from another machine: foo.bar.com with IP address 200.88.34.12. This is the rule I am adding:
>
>   ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
>
> It tells me it can't resolve power.bar.com!

Well, *when* is the above rule added? Is DNS up and working then? You know you can't make DNS queries until after the ipfw rules allowing DNS have been applied?

If your machine is power.bar.com, and (if you have more than one interface) you don't care that 200.88.34.12 could connect on any interface, then the following is a better rule, where 1234 is some position in your ruleset:

  ipfw add 1234 allow tcp from 200.88.34.12 to me 22 setup

For setup to work you need a rule (usually early, to minimize processing overhead) like this:

  ipfw add 400 allow tcp from any to any established

> So, I try:
>
>   ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
>
> It accepts the rule, but I still cannot connect from foo.bar.com. Anyone have any ideas?

Plenty. Can you ssh from anywhere else to your machine? Can you ssh from that machine to itself? In other words, is sshd running?

You didn't list an ipfw rule number in your above example. So where is it inserting in the ruleset? Very likely it's after a deny rule which otherwise blocked the connection. Believe ipfw inserts unnumbered rules 100 beyond the last rule entered, so the above probably landed after any deny rule. The first rule to hit ends ipfw processing of the packet (except for divert).

For quick ipfw debugging, ipfw zero to clear the hit counts. Try the failed ssh attempt, then ipfw -a list and see which rules got hits. If you suspect a deny rule is blocking the connection then insert a new copy of that deny rule just prior and with the log modifier. Repeat. And look at /var/log/security for additional details.

And speaking to posterity and the list, you already know that you can simply type the rule at the keyboard; you don't have to modify your firewall script file until you want the change made permanent, and you don't have to reboot.

Stylistically I'd recommend your rule(s) include the setup modifier, and earlier you have a pass-all-established rule. This is the way it's done in the /etc/rc.firewall example. With setup and log you get only one hit in /var/log/security when the connection is made. Without setup you get an entry for each and every packet until your VERBOSE limit is hit (I think, as I don't use the verbose limiter).

-- 
David Kelly N4HHE, [EMAIL PROTECTED]
=
The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system.
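The thread above ends without anyone posting the finished ruleset, so here is one as an added example. It is not code from any of the posters or from /etc/rc.firewall; it is an rc.firewall-style sh script that puts together the pieces the thread converged on: an early "established" rule so that "setup" rules only see new connections, UDP 53 in both directions so ssh can resolve names, SSH accepted only from the admin host and only for the connection setup, explicit rule numbers so nothing gets appended after the final deny, and a logged default deny. The addresses and the interface name are the ones from Jamie's ifconfig output; the resolver address NS (192.0.2.53, a TEST-NET address) is a placeholder to replace with your own; the FWCMD indirection and the check_order sanity check are additions here, not ipfw features, so the script can be dry-run with FWCMD=echo on a machine that has no ipfw.

```sh
#!/bin/sh
# Added example (not from any poster in the thread): a default-deny ipfw
# ruleset for FreeBSD 4.x assembled from what the thread settled on:
#   - "established" early, so the "setup" rules only ever see new connections
#   - UDP 53 in both directions, tied to one resolver, so ssh can resolve names
#   - SSH accepted only from the admin host, and only the connection setup
#   - explicit rule numbers, so nothing is appended after the final deny
#   - a logged deny at the end, so /var/log/security shows what was dropped
# Addresses and interface are the ones from Jamie's ifconfig output; NS is a
# placeholder (TEST-NET address) for your resolver. $FWCMD is an indirection
# added here so the script can be dry-run with FWCMD=echo where ipfw is absent.

FWCMD="${FWCMD:-/sbin/ipfw}"
ME="200.88.54.93"          # this host (power.bar.com)
ADMIN="200.88.34.12"       # foo.bar.com, the only host allowed to ssh in
NS="${NS:-192.0.2.53}"     # placeholder: replace with your resolver's address
OIF="fxp0"                 # outside interface

fw() { $FWCMD "$@"; }

build_rules() {
    fw -f flush
    # Loopback is unrestricted; nothing on the wire may claim 127/8.
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 210 deny ip from 127.0.0.0/8 to any
    # Packets of already-open TCP sessions, in either direction, stop here.
    fw add 300 allow tcp from any to any established
    fw add 400 allow ip from any to any frag
    # DNS: queries to the resolver out, and its replies back in. Pinning the
    # source to $NS matters: "from any 53" would admit any UDP sent from port 53.
    fw add 500 allow udp from "$ME" to "$NS" 53 out via "$OIF"
    fw add 510 allow udp from "$NS" 53 to "$ME" in via "$OIF"
    # Traffic this host originates may leave; anything else outbound is logged.
    fw add 600 allow ip from "$ME" to any out via "$OIF"
    fw add 610 deny log ip from any to any out via "$OIF"
    # New SSH connections: only the SYN, only from the admin host.
    fw add 700 allow tcp from "$ADMIN" to "$ME" 22 setup in via "$OIF"
    # Default deny, logged.
    fw add 65000 deny log ip from any to any
}

# Added sanity check over a dry run: rule numbers must strictly increase and
# the last rule must be the deny, so no allow rule can land past it.
check_order() {
    (FWCMD=echo; build_rules) | awk '
        $1 != "add"        { next }
        $2 + 0 <= prev     { bad = 1 }
                           { prev = $2 + 0; last = $3 }
        END { if (bad || last != "deny") exit 1 }'
}

# Only load the rules when explicitly asked, and only if the order checks out.
if [ "${1:-}" = "apply" ]; then
    check_order && build_rules
fi
```

Run `FWCMD=echo sh ipfw-rules.sh apply` first to see the rules it would load, then `sh ipfw-rules.sh apply` on the console. If something still does not connect, use the loop David describes: `ipfw zero`, reproduce the failure, `ipfw -a list` to see which rule took the hit, and read /var/log/security for the logged denies.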