Security warning with sshd
Pat Maddox
pergesu at gmail.com
Tue Aug 23 22:27:52 GMT 2005
Hey guys, thanks for the help so far. I'm going to post this to the
freebsd-pf list to see if anyone has any ideas...but I'm using PF, and
here's the config. Hopefully you can take a look and see what the
problem may be. As I said earlier, I'm not positive why I'm getting
those errors, but I believe it's because my SSH connection is getting
cut off whenever I enable the firewall. I've also been looking for a
way to not be cut off (since it's very annoying), and it seems like
figuring out and correcting these errors will also fix the second
problem.
# ------- pf.conf skeleton for server
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"
# --- allowed incoming services initiated by clients
TCP_IN = "{ 3000, ssh, ftp, smtp, domain, pop3, imap, http, https,
            3690, 5001, 5002, 5003, 5004, 5005 }"
UDP_IN = "{ domain, 3690 }"
# --- allowed services initiated by server
TCP_OUT = "{ ssh, smtp, ftp, domain, http, https, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"
# ------------------ TABLE Section --------------
# ------------------ OPTIONS Section
set loginterface $EXT_IF
# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)
# ---------- FILTER section
# --- DEFAULT POLICY: last matching rule wins, so a packet that no later
# --- rule matches (and that no state entry covers) is blocked and logged
block log all
# --- LOOPBACK
pass quick on lo0 all
# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP: "flags S/SA" matches only an initial SYN without ACK, and that
# --- SYN creates the state entry later packets of the session pass on;
# --- a session that already existed when this ruleset was loaded has no
# --- state entry, and its packets fall through to "block log all"
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN \
    flags S/SA keep state
# --- UDP
pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN \
    keep state
# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF \
    icmp-type $PING keep state
# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT \
    flags S/SA keep state
# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT \
    keep state
# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any \
    icmp-type $PING keep state
# ----------------- end of pf.conf
On 8/23/05, Alexander Leidinger <Alexander at leidinger.net> wrote:
> Stephen Major <smajor at gmail.com> wrote:
>
> > The issue he is having I had the exact same problems, as soon as I changed
> > my config to the one below poof no more problems. You can set your firewall
> > however you want. I was just saying what gets rid of the problem he is
> > having with ssh.
>
> I wasn't commenting on the ssh issue, since it isn't clear why the problem
> exists. At least I haven't seen a problem analysis where the cause of this
> was shown. Maybe I missed it. So your posting may be the right solution or
> not. I don't know yet, and I don't care about this in this mail, since I
> wasn't talking about the ssh issue (see below).
>
> > So instead of ripping apart what I have said why do you not provide a better
> > solution to the original question asked.
>
> I wasn't ripping apart what you said. I just wanted to be helpful and share a
> little bit of knowledge. You're mixing stateful with non-stateful rules and
> this may result in unwanted packets traveling through the firewall. I
> thought you (and maybe others) may be interested in this.
>
> BTW.: in some environments this is a hole in the firewall and needs to be
> fixed, so one shouldn't use this part of your example. Since the security
> mailing list is in the CC, we can't let this problem go uncommented.
>
> Another helpful suggestion: Please don't quote everything and please write
> your comments below the parts where they belong. This is common behavior in
> the FreeBSD lists and doing the opposite will result in less (useful)
> responses from some members of the lists (because it makes the mail harder
> to read and people may decide to not spend the time to read the mail and
> point out problem solutions or small bugs in your offering of a solution).
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
> http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
> To add insult to injury.
> -- Phaedrus
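The thread never reaches a diagnosis, but one explanation consistent with the symptom is this: pf consults its state table before the rules, the posted TCP rules use "flags S/SA" so only an initial SYN can create state, and an SSH session that was opened while pf was disabled never showed pf its SYN. Its remaining packets therefore match no pass rule and fall through to "block log all". The model below is an added example written for this page, not code from the post and not pf's own implementation: the rules are hand-built from the posted config (only the default block and the two TCP rules; lo0, UDP and ICMP are left out), the Packet/Rule/Firewall names are mine, and the addresses are constructed TEST-NET values.

```python
"""Simplified model of how pf evaluates the posted ruleset against TCP
packets: state lookup first, then last-matching-rule-wins unless 'quick',
with 'flags S/SA' matching only a SYN that has no ACK set.  Added example,
not the original post's code and not pf itself."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out" on the external interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags as letters, e.g. "S", "SA", "PA"


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    direction: Optional[str] = None         # None = any direction
    proto: Optional[str] = None             # None = any protocol
    dports: FrozenSet[int] = frozenset()    # empty = any destination port
    flags: Optional[str] = None             # "S/SA" = flags set / flags checked
    quick: bool = False
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.flags is not None:
            want, mask = self.flags.split("/")
            # each flag in the mask must be set in the packet iff it is in 'want'
            if not all((f in pkt.flags) == (f in want) for f in mask):
                return False
        return True


class Firewall:
    """Minimal pf-like evaluator with a state table of session keys."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def state_key(pkt: Packet):
        # direction-independent key, so replies hit the same state entry
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, tuple(ends))

    def filter(self, pkt: Packet) -> str:
        if self.state_key(pkt) in self.states:
            return "pass (state)"
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass (no rule)"      # pf's implicit default when nothing matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self.state_key(pkt))
        return winner.action


# Port numbers for the service names used in the post's TCP_IN / TCP_OUT macros.
TCP_IN = frozenset({3000, 22, 21, 25, 53, 110, 143, 80, 443,
                    3690, 5001, 5002, 5003, 5004, 5005})
TCP_OUT = frozenset({22, 25, 21, 53, 80, 443, 123, 5999})

RULES = [
    Rule("block"),                                                  # block log all
    Rule("pass", "in", "tcp", TCP_IN, "S/SA", quick=True, keep_state=True),
    Rule("pass", "out", "tcp", TCP_OUT, "S/SA", quick=True, keep_state=True),
]


def ssh_session_scenarios() -> Dict[str, str]:
    """Verdicts for a session that predates pf being enabled and for a new one."""
    fw = Firewall(RULES)
    client, server = "192.0.2.10", "198.51.100.5"   # constructed TEST-NET addresses
    out = {}
    # 1. Session opened while pf was disabled: pf never saw its SYN, so there is
    #    no state entry and the mid-stream segments have to match a rule.
    out["old session, client data"] = fw.filter(
        Packet("in", "tcp", client, 50000, server, 22, flags="PA"))
    out["old session, server reply"] = fw.filter(
        Packet("out", "tcp", server, 22, client, 50000, flags="PA"))
    # 2. Session opened after pf was enabled: the SYN creates state and every
    #    later segment in either direction passes on that entry.
    out["new session, SYN"] = fw.filter(
        Packet("in", "tcp", client, 50001, server, 22, flags="S"))
    out["new session, client data"] = fw.filter(
        Packet("in", "tcp", client, 50001, server, 22, flags="PA"))
    out["new session, server reply"] = fw.filter(
        Packet("out", "tcp", server, 22, client, 50001, flags="PA"))
    return out


if __name__ == "__main__":
    for name, verdict in ssh_session_scenarios().items():
        print(f"{name:28s} -> {verdict}")
```

If this is what is happening, the check is simple: after enabling pf, open a fresh SSH session and confirm it survives, then look for its entry with "pfctl -s state"; the session that was open before "pfctl -e" will not appear there and is expected to die. Loosening "flags S/SA" so that mid-stream packets can create state would keep the old session alive, but it also lets state be created from packets that never belonged to a handshake, which is the kind of stateful/stateless mixing Alexander warns about above.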