kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3

Giorgos Keramidas keramida at freebsd.org
Sun Jan 9 16:00:55 PST 2005


The following reply was made to PR kern/75601; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at freebsd.org>
To: Nick Hale <nhale at charter.net>
Cc: bug-followup at freebsd.org
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 01:58:10 +0200

 Nick Hale <nhale at charter.net> wrote:
 >Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:
 >>On 2004-12-29 07:00, Joe <joe at gaming-tv.com> wrote:
 >>> Ever since we upgraded our boxes from FreeBSD 5.2 to FreeBSD 5.3, we
 >>> have trouble logging in to SSH.  This only occurs when we have
 >>> ipfilter on.  We have port 22 opened for people to SSH to and from.
 >>> If I type ipf -D and disable ipfilter, I can SSH into the box, yet as
 >>> soon as it's active, I can't get in.  It does not stop with SSH either,
 >>> if I try to access a web page from the box, I can not view it or it
 >>> takes literally about an hour to load.  Again, when I turn off
 >>> ipfilter, the issue goes away, and when it is turned back on, the
 >>> problem appears again.
 >>
 >> Can we see your ruleset?
 >
 > It isn't a ruleset issue at this time as the following lines are in
 > the rules (at the top)
 >
 > pass in quick on em0 from <my.ip.add.ress> to any
 > pass out quick on em0 from any to <my.ip.add.ress>
 >
 > The IP address in those first couple of rules is my particular IP
 > address and it's still having issues.
 
 Hmmm, if these are the rules you have, then I think you have the `in'
 and `out' directions backwards.
 
 When you use a rule like:
 
 	pass in quick on em0 from any to <your.address>
 
 The "in" direction is packets sent FROM someone else TO you, that enter
 your network interface as "incoming" and are parsed by your network stack
 as "input packets".
 
 The reverse applies to packets that YOU sent OUT-wards:
 
 	pass out quick on em0 from <your.address> to any
 
 Make sure the rest of your rules are not reversed in a similar manner,
 or (please) just post the output of `ipfstat -nio' as a followup to this
 problem report (masking any IP addresses you don't want us to see).
 
 - Giorgos
 
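An added example, not part of this PR thread or of the reporter's configuration: a minimal ipfilter ruleset with the in/out directions the right way round, using 192.0.2.10 as a constructed placeholder for the box's own address on em0.

```conf
# Constructed example ruleset; 192.0.2.10 stands in for <your.address>.
# ipfilter uses last-match semantics unless a rule says "quick".

# Default deny in both directions.
block in all
block out all

# Loopback traffic is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# The reversed rules from the report never match real traffic:
#   pass in quick on em0 from 192.0.2.10 to any   (our own address never ENTERS em0 as a source)
#   pass out quick on em0 from any to 192.0.2.10  (our own address never LEAVES em0 as a destination)
# so neither SSH nor anything else was ever passed.

# Inbound SSH: the packet ENTERS em0, source is the remote client,
# destination is us.  "keep state" lets the replies go back out
# without a separate "pass out" rule for port 22.
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state

# Connections the box starts itself (web browsing, DNS, ping): the
# packet LEAVES em0, source is us.  State entries admit the answers.
pass out quick on em0 proto tcp from 192.0.2.10 to any flags S keep state
pass out quick on em0 proto udp from 192.0.2.10 to any keep state
pass out quick on em0 proto icmp from 192.0.2.10 to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.rules` and check `ipfstat -nio`: the "in" rules should list the box's address as the destination and the "out" rules as the source.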