setting up ipfw
David Kelly
dkelly at HiWAAY.net
Tue Jul 1 19:53:19 PDT 2003
On Tuesday 01 July 2003 08:01 pm, Jamie wrote:
> I am having a very difficult time setting up ipfw on a 4.8
> installation. Was wondering if anyone might be able to shed some
> light on this.
[...]
> I want to ssh in from another machine: foo.bar.com with IP address
> 200.88.34.12.
>
> This is the rule I am adding:
>
> ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
>
> It tells me it can't resolve power.bar.com!
Well, *when* is the above rule added? Is DNS up and working then? You
know you can't make DNS queries until after the ipfw rules allowing DNS
have been applied?
If your machine is power.bar.com and if you have more than one interface
and you don't care if 200.88.34.12 could connect on any interface, then the
following is a better rule, where 1234 is some position in your ruleset:
ipfw add 1234 allow tcp from 200.88.34.12 to me 22 setup
For "setup" to work you need a rule (usually early, to minimize
processing overhead) like this:
ipfw add 400 allow tcp from any to any established
> So, I try:
>
> ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
>
> It accepts the rule, but I still cannot connect from foo.bar.com.
>
> Anyone have any ideas?
Plenty. Can you ssh from anywhere else to your machine? Can you ssh from
that machine to itself? In other words, "Is sshd running?"
You didn't list an ipfw rule number in your above example. So where is
it inserting in the ruleset? Very likely it's after a "deny" rule which
otherwise blocked the connection. Believe ipfw inserts unnumbered rules
100 beyond the last rule entered, so the above probably landed after
any deny rule. The first rule to hit ends ipfw processing of the packet
(except for divert).
For quick ipfw debugging, "ipfw zero" to clear the hit counts. Try the
failed ssh attempt, then "ipfw -a list" and see which rules got hits.
If you suspect a deny rule is blocking the connection then insert a new
copy of that deny rule just prior and with the "log" modifier. Repeat.
And look at /var/log/security for additional details. And speaking to
posterity and the list, you already know that you can simply type the
rule at the keyboard, don't have to modify your firewall script file
until you want the change made permanent, don't have to reboot.
Stylistically I'd recommend your rule(s) include the "setup" modifier,
and earlier you have a "pass all established" rule. This is the way it's
done in the /etc/rc.firewall example. With "setup" and "log" you get
only one hit in /var/log/security when the connection is made. Without
setup you get an entry for each and every packet until your VERBOSE
limit is hit (I think, as I don't use the verbose limiter).
--
David Kelly N4HHE, dkelly at hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
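The debugging loop David describes (zero the counters, retry the connection, list with counters, then add a logging copy of the suspect deny rule just before it), as an added shell example that is not part of the original thread. The helper names are mine, and it assumes the "ipfw -a list" column layout of rule number, packet count, byte count, then the rule text; the listing below is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: helpers for the ipfw
# debugging loop ("ipfw zero", retry, "ipfw -a list", then insert a
# logging copy of the deny rule that got the hit).
# Assumes "ipfw -a list" columns: number packets bytes rule-text...

# Print the rules whose packet counter is non-zero (listing on stdin).
hit_rules() {
    awk '$2 + 0 > 0 { print }'
}

# Print the "ipfw add" command for a logging copy of rule number $1,
# numbered one below it so the copy is evaluated first and logs the
# packet to /var/log/security before the original rule blocks it.
log_copy() {
    awk -v num="$1" '$1 + 0 == num {
        # $4 is the action (allow/deny); "log" goes right after it
        cmd = "ipfw add " (num - 1) " " $4 " log"
        for (i = 5; i <= NF; i++) cmd = cmd " " $i
        print cmd
    }'
}

# Live loop, run on the firewall host itself (not run below):
# zero the counters, let the remote side retry, then show what got hit.
debug_hits() {
    ipfw zero >/dev/null
    printf 'counters zeroed; retry the ssh connection, then press Enter: '
    read _dummy
    ipfw -a list | hit_rules
}

# Constructed sample of "ipfw -a list" output after one failed attempt:
# the unnumbered allow landed at 65000, after the deny that blocked it.
SAMPLE_LISTING='00400     12     2080 allow tcp from any to any established
01100      1       60 deny tcp from any to any 22
65000      0        0 allow tcp from 200.88.34.12 to 200.88.54.93 22
65535      0        0 deny ip from any to any'

printf '%s\n' "$SAMPLE_LISTING" | hit_rules
printf '%s\n' "$SAMPLE_LISTING" | log_copy 1100
```

On the sample, hit_rules reports rules 400 and 1100, and log_copy 1100 prints the command for a logging copy numbered 1099.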