Security warning with sshd

Stephen Major smajor at
Tue Aug 23 12:16:12 GMT 2005


The issue he is having: I had the exact same problems, and as soon as I changed
my config to the one below, poof, no more problems. You can set your firewall
however you want. I was just saying what gets rid of the problem he is
having with ssh.

So instead of ripping apart what I have said, why do you not provide a better
solution to the original question asked?

-----Original Message-----
From: Alexander Leidinger [mailto:Alexander at] 
Sent: Tuesday, August 23, 2005 3:07 AM
To: Stephen Major
Cc: remko at; 'Pat Maddox'; freebsd-security at; 'FreeBSD
Subject: RE: Security warning with sshd

Stephen Major <smajor at> wrote:

> This is due to a mis-configured firewall. If you are using IPFW there are
> many tutorials out there that tell you to do the wrong thing. And almost
> all of them contradict each other. Below is a basic script that only allows in
> and out SSH sessions and blocks all the garbage. Of course you must add
> other services you need. The key here is that you allow connections from
> to any established. Then on all outgoing tcp connections be sure to use
> setup keep-state flags. The keep-state flag puts the rule into the dynamic
> rules table. Then the allow connections from any to any established allows
> already established connections to flow without going through the ruleset
> again. When I did this the error messages you are now experiencing went
> away.

I'm *dis*allowing established connections in my firewall, and everything
works as expected. You just need to expect the right thing. :-)

"established" is a non-stateful filter rule, so it matches on the
presence/absence of some TCP flags. I can't get to the ipfw statistics yet,
but there are a lot of established packets which are rejected. Needless to
say that there's normal traffic (ssh, https, smtp, imaps, ...) which goes
through the firewall just fine.

> ### check the traffic's state
>        $ipfwcmd $flags add 00500 check-state

Here you have the stateful equivalent of the "established" rule, so every
successfully setup connection ("keep-state") already passes because of this.

>        $ipfwcmd $flags add 00501 allow tcp from any to any established

Here you can switch to "reject" or "deny" instead of allowing it. Everything
should just continue to work (if it doesn't, most likely you forgot a
"keep-state" somewhere). With this a reconfiguration of the firewall results
in dropping established connections.

> ###### outbound section ######
> ### Allow out ssh
>        $ipfwcmd $flags add 02150 allow tcp from me 22 to any out via $oif setup keep-state

What are you trying to do here? Outgoing connections from ssh clients have a
src port above 1024.


-- Alexander @ PGP ID = B0063FE7     netchild @  : PGP ID = 72077137
Avoid strange women and temporary variables.



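The exchange above turns on two points: "established" is a flag check with no memory of which connections were actually set up, while check-state/keep-state only passes flows that an earlier "setup keep-state" rule admitted; and the posted outbound rule matches source port 22, which an ssh client never uses. The following is an added example, not code from either poster: a toy Python model of how ipfw walks a ruleset, with a dynamic table for keep-state and the "setup"/"established" flag tests. The addresses, ports and packets are constructed, and the model ignores protocol, timeouts and the other details of real ipfw dynamic rules.

```python
"""Toy model of ipfw rule evaluation: check-state/keep-state vs "established".
Constructed example; 192.0.2.10 stands in for the firewall host ("me")."""
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"          # constructed: the address ipfw's "me" resolves to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "RST"}
    direction: str          # "in" or "out"


@dataclass
class Rule:
    num: int
    action: str             # "allow", "deny" or "check-state"
    src: str = "any"        # "me" or "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False     # ipfw "setup": SYN set, ACK clear
    established: bool = False   # ipfw "established": ACK or RST set, no state involved
    keep_state: bool = False    # ipfw "keep-state": record the flow on match


def host_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or (pattern == "me" and addr == ME)


def matches(rule: Rule, pkt: Packet) -> bool:
    if not host_matches(rule.src, pkt.src) or not host_matches(rule.dst, pkt.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}   # flow key -> action of the rule that created the entry

    @staticmethod
    def flow_key(pkt: Packet) -> frozenset:
        # unordered pair of endpoints, so both directions hit the same entry
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.action == "check-state":
                action = self.dynamic.get(self.flow_key(pkt))
                if action:
                    return action
                continue
            if matches(rule, pkt):
                if rule.keep_state:
                    self.dynamic[self.flow_key(pkt)] = rule.action
                return rule.action
        return "deny"       # implicit default deny


def ruleset(established_action: str, ssh_out: Rule):
    """Skeleton of the thread's layout: check-state first, then the
    'established' rule with a chosen action, then the per-service rules."""
    return [
        Rule(500, "check-state"),
        Rule(501, established_action, established=True),
        ssh_out,
        Rule(2100, "allow", dst="me", dport=22, direction="in", setup=True, keep_state=True),
    ]


# Outbound ssh rule as posted: matches source port 22 on the client side.
POSTED_OUT = Rule(2150, "allow", src="me", sport=22, direction="out", setup=True, keep_state=True)
# Outbound ssh rule as Alexander's remark implies: client port is ephemeral, server port is 22.
FIXED_OUT = Rule(2150, "allow", src="me", dport=22, direction="out", setup=True, keep_state=True)


def ssh_client_session(fw: Firewall):
    """Verdicts for the client SYN and the server's SYN/ACK (constructed flow)."""
    syn = Packet(ME, 45123, "198.51.100.7", 22, frozenset({"SYN"}), "out")
    synack = Packet("198.51.100.7", 22, ME, 45123, frozenset({"SYN", "ACK"}), "in")
    return fw.evaluate(syn), fw.evaluate(synack)


def stray_ack(fw: Firewall) -> str:
    """Verdict for an ACK-flagged packet that belongs to no tracked connection."""
    return fw.evaluate(Packet("203.0.113.99", 40000, ME, 8080, frozenset({"ACK"}), "in"))
```

With `ruleset("deny", FIXED_OUT)` the ssh session is admitted entirely by rule 2150 and the check-state entry it creates, while the stray ACK is dropped by rule 501; switching rule 501 back to "allow" changes nothing for the session but lets the stray ACK through, which is the difference Alexander is pointing at. With `POSTED_OUT`, the client's SYN matches nothing and only the non-stateful "established" rule passes the reply.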