Security warning with sshd

Pat Maddox pergesu at gmail.com
Tue Aug 23 22:27:52 GMT 2005


Hey guys, thanks for the help so far.  I'm going to post this to the
freebsd-pf list to see if anyone has any ideas...but I'm using PF, and
here's the config.  Hopefully you can take a look and see what the
problem may be.  As I said earlier, I'm not positive why I'm getting
those errors, but I believe it's because my SSH connection is getting
cut off whenever I enable the firewall.  I've also been looking for a
way to not be cut off (since it's very annoying), and it seems like
figuring out and correcting these errors will also fix the second
problem.

# ------- pf.conf skeleton for server
#
# --------------- MACRO Section  -----------------

EXT_IF="fxp0"

PING = "echoreq"

# --- allowed incoming services initiated by clients
# (lines wrapped by the mailer are continued with "\" so pfctl can load the file)

TCP_IN = "{ 3000, ssh, ftp, smtp, domain, pop3, imap, http, https, \
            3690, 5001, 5002, 5003, 5004, 5005 }"
UDP_IN = "{ domain, 3690 }"

# --- allowed services initiated by server

TCP_OUT = "{ ssh, smtp, ftp, domain, http, https, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE

# --- TCP (state is created on the initial SYN only)
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN \
     flags S/SA keep state

# --- UDP
pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN \
     keep state

# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING \
     keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE

# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT \
     flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT \
     keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING \
     keep state

# ----------------- end of pf.conf



On 8/23/05, Alexander Leidinger <Alexander at leidinger.net> wrote:
> Stephen Major <smajor at gmail.com> wrote:
> 
> > The issue he is having, I had the exact same problems; as soon as I changed
> > my config to the one below, poof, no more problems. You can set your firewall
> > however you want. I was just saying what gets rid of the problem he is
> > having with ssh.
> 
> I wasn't commenting on the ssh issue, since it isn't clear why the problem
> exists. At least I haven't seen a problem analysis where the cause of this
> was shown. Maybe I missed it. So your posting may be the right solution or
> not. I don't know yet, and I don't care about this in this mail, since I
> wasn't talking about the ssh issue (see below).
> 
> > So instead of ripping apart what I have said why do you not provide a better
> > solution to the original question asked.
> 
> I wasn't ripping apart what you said. I just wanted to be helpful and share a
> little bit of knowledge. You're mixing stateful with non-stateful rules and
> this may result in unwanted packets traveling through the firewall. I
> thought you (and maybe others) may be interested in this.
> 
> BTW: in some environments this is a hole in the firewall and needs to be
> fixed, so one shouldn't use this part of your example. Since the security
> mailing list is in the CC, we can't let this problem go uncommented.
> 
> Another helpful suggestion: Please don't quote everything and please write
> your comments below the parts where they belong. This is common behavior in
> the FreeBSD lists and doing the opposite will result in less (useful)
> responses from some members of the lists (because it makes the mail harder
> to read and people may decide to not spend the time to read the mail and
> point out problem solutions or small bugs in your offering of a solution).
> 
> Bye,
> Alexander.
> 
> --
> http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
> http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
> To add insult to injury.
>                 -- Phaedrus
> 
> 
>
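The point Alexander raises above, that mixing stateful and stateless pass rules lets unexpected packets through, is easy to miss by eye once macros are involved. The following checker is an added example written for this page; it is not code from the thread or from pf/pfctl. It joins backslash-continued lines, expands NAME = "value" macros, and reports every pass rule that has no keep/modulate/synproxy state, plus any TCP state rule that lacks the "flags S/SA" restriction. SAMPLE_PF_CONF is a constructed config in the style of the one posted (it deliberately contains one stateless UDP rule), not the poster's file.

```python
# Added example (not from the mail thread or from pf itself): a small pf.conf
# checker that expands macros and reports "pass" rules without state tracking,
# i.e. the stateful/non-stateful mix the thread warns about.
import re

# Constructed sample in the style of the posted config (not the poster's file).
# One stateless UDP rule is included on purpose so the checker has a finding.
SAMPLE_PF_CONF = """\
# macros
EXT_IF="fxp0"
PING = "echoreq"
TCP_IN = "{ ssh, smtp, domain, http, https, \\
3690, 5001 }"
block log all                     # default policy
pass quick on lo0 all
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port domain
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
"""

MACRO_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"$')
STATE_WORDS = ("keep state", "modulate state", "synproxy state")


def logical_lines(text):
    """Strip comments and blanks, join backslash-continued lines, squeeze spaces."""
    lines, buf = [], ""
    for raw in text.splitlines():
        part = raw.split("#", 1)[0].rstrip()
        if part.endswith("\\"):
            buf += part[:-1] + " "
            continue
        buf += part
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():                 # file ended on a continuation line
        lines.append(" ".join(buf.split()))
    return lines


def expand_macros(lines):
    """Collect NAME = "value" macros and substitute $NAME in the remaining rules."""
    macros, rules = {}, []
    for line in lines:
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():
            # \b stops $EXT_IF from also matching inside a longer name
            line = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: v, line)
        rules.append(" ".join(line.split()))
    return macros, rules


def check_rules(rules):
    """Report pass rules that do not track state, and TCP state rules with no SYN-only flags."""
    findings = []
    for rule in rules:
        if not rule.startswith("pass"):
            continue
        if not any(w in rule for w in STATE_WORDS):
            findings.append((rule, "pass rule without state tracking"))
        elif "proto tcp" in rule and "flags" not in rule:
            findings.append((rule, "tcp state rule without 'flags S/SA'"))
    return findings


def lint(text):
    """Return expanded rules, whether a default block rule exists, and the findings."""
    macros, rules = expand_macros(logical_lines(text))
    default_block = any(r.startswith("block") and r.endswith(" all") for r in rules)
    return {"macros": macros, "rules": rules,
            "default_block": default_block, "findings": check_rules(rules)}


if __name__ == "__main__":
    report = lint(SAMPLE_PF_CONF)
    print("default block policy:", report["default_block"])
    for rule, why in report["findings"]:
        print(f"{why}:\n    {rule}")
```

Run it against a real file with lint(open("/etc/pf.conf").read()) after the syntax check pfctl -nf /etc/pf.conf has passed; the checker only looks at pass rules and does not replace pfctl's parser. One caveat that follows from "flags S/SA keep state" and is worth keeping in mind when enabling pf over an existing session: state is created only by the initial SYN, so a TCP connection that was set up before pf was enabled (or before the state table was flushed) has no state entry, and with "block log all" as the default policy its later packets are dropped. Reconnecting after pf is up, or enabling pf from the console, avoids losing the session.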

