kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3

Nick Hale nhale at charter.net
Sun Jan 9 16:10:36 PST 2005


The following reply was made to PR kern/75601; it has been noted by GNATS.

From: "Nick Hale" <nhale at charter.net>
To: "Giorgos Keramidas" <keramida at freebsd.org>
Cc: <bug-followup at freebsd.org>
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Sun, 9 Jan 2005 18:07:34 -0600

 Correct.  It should be that way.  Pass in packets from this host to any ip 
 locally and pass out packets from any ip locally to this host is technically 
 what those rules say.  I've been using that setup now since the boxes were 
 running 5.0 without change and it's always worked up until now.  I ran into 
 a similar problem locally on my devbox and I'm going to attempt to rebuild 
 world/kernel with a libmap.conf with the following in it to see if it 
 changes anything (KDE wouldn't build on my local box without this setup):
 
         libc_r.so.5             libpthread.so.1
         libc_r.so               libpthread.so
 
 
 Regards,
 Nick
 
 
 ----- Original Message ----- 
 From: "Giorgos Keramidas" <keramida at freebsd.org>
 To: "Nick Hale" <nhale at charter.net>
 Cc: <bug-followup at freebsd.org>
 Sent: Sunday, January 09, 2005 17:58
 Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
 
 
 > Nick Hale <nhale at charter.net> wrote:
 >>Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:
 >>>On 2004-12-29 07:00, Joe <joe at gaming-tv.com> wrote:
 >>>> Ever since we upgraded our boxes from FreeBSD 5.2 to FreeBSD 5.3, we
 >>>> have trouble logging in to SSH.  This only occurs when we have
 >>>> ipfilter on.  We have port 22 opened for people to SSH to and from.
 >>>> If I type ipf -D and disable ipfilter, I can SSH into the box, yet as
 >>>> soon as it's active, I can't get in.  It does not stop with SSH either,
 >>>> if I try to access a web page from the box, I can not view it or it
 >>>> takes literally about an hour to load.  Again, when I turn off
 >>>> ipfilter, the issue goes away, and when it is turned back on, the
 >>>> problem appears again.
 >>>
 >>> Can we see your ruleset?
 >>
 >> It isn't a ruleset issue at this time as the following lines are in
 >> the rules (at the top)
 >>
 >> pass in quick on em0 from <my.ip.add.ress> to any
 >> pass out quick on em0 from any to <my.ip.add.ress>
 >>
 >> The ip address in those first couple of rules are my particular IP
 >> address and it's still having issues.
 >
 > Hmmm, if these are the rules you have, then I think you have the `in'
 > and `out' directions backwards.
 >
 > When you use a rule like:
 >
 > pass in quick on em0 from any to <your.address>
 >
 > The "in" direction is packets sent FROM someone else TO you, that enter
 > your network interface as "incoming" and parsed by your network stack as
 > "input packets".
 >
 > The reverse applies to packets that YOU sent OUT-wards:
 >
 > pass out quick on em0 from <your.address> to any
 >
 > Make sure the rest of your rules are not reversed in a similar manner,
 > or (please) just post the output of `ipfstat -nio' as a followup to this
 > problem report (masking any IP addresses you don't want us to see).
 >
 > - Giorgos
 >
 > 
 
 
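The direction check Giorgos describes above can be applied mechanically to a ruleset before it is loaded. The script below is an added example for this archive, not part of the PR thread or of ipfilter itself; it parses the simple `pass`/`block` `in`/`out` rule form used in the thread and flags any rule that names the host's own address on the wrong side of `from`/`to` for its direction. The ruleset and the host address `192.0.2.10` (standing in for `<my.ip.add.ress>`) are constructed sample input.

```python
import re

# Constructed host address, standing in for <my.ip.add.ress> in the thread.
HOST_ADDR = "192.0.2.10"

# Constructed sample ruleset modelled on the thread: the first two rules are
# the reversed form from the report, the next two are the corrected form.
SAMPLE_RULES = """\
# reversed: an "in" rule should have the host as the destination
pass in quick on em0 from 192.0.2.10 to any
pass out quick on em0 from any to 192.0.2.10
# corrected: packets arriving at the host are "in", packets it sends are "out"
pass in quick on em0 from any to 192.0.2.10
pass out quick on em0 from 192.0.2.10 to any
block in log all
"""

RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\b(.*)$")


def parse_rule(line):
    """Return (action, direction, src, dst) for a pass/block rule.

    Comments and blank lines give None; rules without an explicit
    from/to pair (for example "block in all") give src = dst = None.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    action, direction, rest = m.groups()
    tokens = rest.split()
    if "from" not in tokens or "to" not in tokens:
        return (action, direction, None, None)
    src = tokens[tokens.index("from") + 1]
    dst = tokens[tokens.index("to") + 1]
    return (action, direction, src, dst)


def reversed_direction(direction, src, dst, host):
    """True when the host sits on the wrong side of from/to for the direction.

    An "in" rule matches packets entering the interface, i.e. sent TO the
    host, so the host belongs in the `to` position; an "out" rule matches
    packets the host sends, so the host belongs in the `from` position.
    """
    if direction == "in":
        return src == host and dst != host
    return dst == host and src != host


def lint_ruleset(text, host):
    """Return [(line_number, rule_text)] for rules whose direction looks reversed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None or parsed[2] is None:
            continue
        _action, direction, src, dst = parsed
        if reversed_direction(direction, src, dst, host):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, rule in lint_ruleset(SAMPLE_RULES, HOST_ADDR):
        print(f"line {lineno}: host on wrong side for its direction: {rule}")
```

The checker only understands the plain address tokens used in the thread; it does not normalise prefix notation such as `192.0.2.10/32`, named hosts, or the `port` qualifiers that can follow `from` and `to`, so a real ruleset should still be reviewed against `ipfstat -nio` output as Giorgos suggests.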

