ipfw and ssh

Ean Kingston ean at istop.com
Thu Apr 6 22:13:44 UTC 2006


Okay Anthony, 

Here is a bit more detail on your IPFW setup. Here is the section of rc.firewall that is relevant to what we've discussed. View this in HTML mode if you can. I've highlighted changes in red and my own comments in blue. I also noticed that you use a Netgear router in your setup. You need to make sure that you pass port 22 inbound connections through your Netgear router to your FreeBSD system. That would be a setup on your Netgear system.

        # set these to your network and netmask and ip
        net="192.0.2.0"         # This should be set to your internal network's address.
                                # Most home firewalls and routers use 192.168.1.0
        mask="255.255.255.0"    # This should be your internal network's netmask.
                                # Most home firewalls and routers use 255.255.255.0
        ip="192.0.2.1"          # This should be your local machine's IP address.
                                # If you are using DHCP to assign an address to your system,
                                # this will not work as written. Fortunately, IPFW now supports
                                # the meta-address 'me', which resolves to all your local addresses.

        setup_loopback

        # Allow any traffic to or from my own net. This allows all computers on your network to talk to your computer without any restrictions.
        ${fwcmd} add pass all from ${ip} to ${net}:${mask}
        ${fwcmd} add pass all from ${net}:${mask} to ${ip}

        # Allow TCP through if setup succeeded. This allows any existing TCP connections to work. This way you only need one rule (setup) for each inbound service you want.
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email. This one allows outside systems to send e-mail to your system. If you aren't running a mail server you may want to remove this line. This is also the line we are going to copy to allow your ssh server to work.
        ${fwcmd} add pass tcp from any to ${ip} 25 setup

        # Allow inbound connections to my ssh server. This will allow anyone access to my system through SSH provided they can authenticate.
        ${fwcmd} add pass tcp from any to ${ip} 22 setup

        # Allow setup of outgoing TCP connections only. This is what lets you initiate sessions with other systems (like http, and ssh)
        ${fwcmd} add pass tcp from ${ip} to any setup

        # Disallow setup of all other TCP connections. If you put any TCP stuff after this it won't work because this line prevents all further TCP rules from being applied.
        ${fwcmd} add deny tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from ${ip} to any 53 keep-state

        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from ${ip} to any 123 keep-state

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.

On Wednesday 05 April 2006 22:27, Anthony M. Agelastos wrote:
> Thank you for your very prompt reply. I tried your suggestion and it
> didn't work. I do not know why. Is the location where I place this in
> the client profile important?
>
> I have also tried the person's actual IP address as well as the IP
> address of the router (just in case it is not doing something weird)
> to no avail.
>
> What is the easiest way of making changes to the firewall rules and
> applying them so I do not have to reboot each time? I assume a
> kldunload ipfw.ko and then a kldload ipfw.ko should do it, but I
> don't want to risk doing something incorrect while I am trying to
> debug my current problem.
>
> On Apr 5, 2006, at 10:08 PM, Ean Kingston wrote:
> > You neglected to include the 'add' in your first fwcmd.
> >
> > You may want to try something simple to start with. I haven't used
> > ipfw in a
> > while so hopefully my syntax is still good. Here is a simple
> > starting point:
> >
> > # Allow person SSH access
> > mip="xxx.xxx.xxx.xxx"	# IP Address of person
> > ${fwcmd} add allow tcp from ${mip} to me 22 in	# allow connection to ssh
> > ${fwcmd} add allow tcp from me 22 to ${mip} out	# allow me to respond
> >
> > I think all you really need is this:
> >
> > # Allow setup of incoming ssh
> > ${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup
> >
> > Since the rest of it should be taken care of by the rest of the
> > 'client' ipfw
> > setup.
> >
> > On Wednesday 05 April 2006 21:50, Anthony M. Agelastos wrote:
> >> Hello everyone,
> >>
> >> Allow me to preface my problem by saying that I am very ignorant when
> >> it comes to networking. I do apologize if this is trivial. In any
> >> event, I enabled the "client" ipfw firewall located in /etc/
> >> rc.firewall. This appears to work well for my needs... except for one
> >> additional item. I need someone outside of my network to have SSH
> >> access to my machine. I know his/her IP address. So, I have added
> >> some additional items to rc.firewall for this. Here is what I added.
> >>
> >>          # Allow person SSH access
> >>          mip="xxx.xxx.xxx.xxx"
> >>          ${fwcmd} allow tcp from any to any 22 out setup keep-state
> >>          ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
> >>
> >> I have tried many, many differing variations of this from items I
> >> have found online. I cannot get any of them to work. My network setup
> >> is as follows
> >>
> >> internet -> cable modem -> netgear router -> freebsd 6.1-prerelease
> >>
> >> This user can SSH into my machine when I set the firewall to "open".
> >> Any ideas?
> >> _______________________________________________
> >> freebsd-questions at freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to
> >> "freebsd-questions-unsubscribe at freebsd.org"
> >
> > --
> > Ean Kingston, BSc, CISSP, ARO

-- 
Ean Kingston, BSc, CISSP, ARO
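As an added example (not from the mail, from FreeBSD, or from ipfw itself), here is a small Python model of ipfw's first-match evaluation over the TCP rules in the excerpt above. It answers the question of whether rule placement matters: a setup rule appended after the final `deny tcp from any to any setup` is never reached. The outside addresses and the trailing port-80 rule are constructed for illustration, `me` is modelled as the excerpt's `${ip}`, and only the action/proto/from/to/port/setup/established subset of the rule language is handled.

```python
# Added example: a tiny first-match model of the excerpt's ipfw rules, not real ipfw.
import ipaddress
MY_IP = "192.0.2.1"   # the excerpt's ${ip}; the 'me' keyword resolves to it here

def _addr_matches(spec, addr):
    """ipfw address spec: 'any', 'me', a single host, or net:mask."""
    if spec == "any":
        return True
    spec = MY_IP if spec == "me" else spec
    if ":" in spec:
        net, mask = spec.split(":")
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}")
    return spec == addr

def parse_rule(text):
    """Subset grammar: ACTION PROTO from SRC to DST [PORT] [setup|established]."""
    tok = text.split()
    port = next((int(t) for t in tok[6:] if t.isdigit()), None)
    flag = next((t for t in tok[6:] if not t.isdigit()), None)
    return {"action": tok[0], "proto": tok[1], "src": tok[3], "dst": tok[5],
            "port": port, "flag": flag}

def matches(rule, pkt):
    """'setup' matches only a connection's first SYN; 'established' matches
    every later segment, so one setup rule per inbound service is enough."""
    if rule["proto"] not in ("all", "ip", pkt["proto"]):
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])):
        return False
    if rule["port"] is not None and rule["port"] != pkt.get("dport"):
        return False
    return rule["flag"] is None or rule["flag"] == pkt.get("state")

def evaluate(rules, pkt, default="deny"):
    """First matching rule wins, in 'add' order; default deny when none matches."""
    for num, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule["action"], num
    return default, None

# The excerpt's TCP rules in order, plus one constructed rule placed after the deny.
CLIENT_RULES = [parse_rule(r) for r in (
    "pass all from 192.0.2.1 to 192.0.2.0:255.255.255.0",
    "pass all from 192.0.2.0:255.255.255.0 to 192.0.2.1",
    "pass tcp from any to any established",
    "pass tcp from any to 192.0.2.1 25 setup",
    "pass tcp from any to 192.0.2.1 22 setup",   # the ssh rule added in the mail
    "pass tcp from 192.0.2.1 to any setup",
    "deny tcp from any to any setup",
    "pass tcp from any to me 80 setup",          # placed too late: never reached
)]
```

A packet is a dict with proto, src, dst, optional dport and a state of "setup" or "established"; `evaluate` returns the action and the number of the rule that decided it.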
