Problems with ipfw and ssh

Spiros Papadopoulos spap13 at googlemail.com
Wed Oct 11 15:53:05 PDT 2006


Giorgo, thanks for the immediate reply,

I started playing with it / testing it yesterday, but since I want to
do most of the work remotely, I got stuck on this rule and feel like I
should keep looking until I find the solution. I am pasting the whole
script here just in case something else is wrong...
Here is my ipfw.rules file:

/** Sorry for the delay. In the meantime, just before I sent the mail
something else happened. Taking into account what you told me about the
"state" keyword, I added it to rule 300. Then I could not connect
at all. I tried to take it off again, but surprisingly it still
doesn't allow any connections at all (not even the user this time),
hmmm... I am sending it as it was initially, which from yesterday
until my first e-mail was working as described previously... Now,
when I run the script with the "allowall" option, it also gives me
problems, when it was working before. I can ping the machine and get
replies but I cannot ssh to it. It seems that I am doing something
wrong but cannot identify where. */

#!/bin/sh

# rules command prefix
addcmd="/sbin/ipfw -q add"

# and the interface
if="xl0"

# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"

nic="sk0"
ks="keep-state"

# Flush out the list
/sbin/ipfw -q -f flush

if [ "$1" = "allowall" ]
then
        ${addcmd} 100 allow all from any to any via ${nic}
        exit 0
else
        # Only in rare cases do you want to change these rules
        ${addcmd} 50 allow all from any to any via lo0
        ${addcmd} 100 deny all from any to 127.0.0.0/8
        ${addcmd} 150 deny ip from 127.0.0.0/8 to any

        # At the moment don't allow it
        #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
        #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

        # Allow only specific stuff and maintain the firewall for as long
        # as needed to become tough enough

        # check state and keep it
        ${addcmd} 200 check-state

        ${addcmd} 210 allow tcp from me to any setup ${ks}
        ${addcmd} 211 allow udp from me to any ${ks}

        ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
        ${addcmd} 212 allow icmp from me to any

        # Allow Traffic to my ISP DNS server
        ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
        ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}

        # Allow ssh from anywhere
        #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
        #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
        ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
        # Everything else is denied
        ${addcmd} 65535 deny all from any to ${ip}
        exit 0
fi

Thanks
Spiros

On 12/10/06, Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:
> I removed freebsd-ipfw from the recipient list.  Please keep `general'
> questions in freebsd-questions.  The freebsd-ipfw list is, as far as I
> know, used for *development* of IPFW; not questions.
>
> On 2006-10-11 22:53, Spiros Papadopoulos <spap13 at googlemail.com> wrote:
> > Hi,
> >
> > I am trying to configure a firewall using ipfw for a machine running
> > FreeBSD 5.4.  Without NAT.
> >
> > I am nearly a newbie on this (since I never had time until now..) but
> > still I believe I understand exactly the concepts and what needs to be
> > done.  Apart from the manual page and chapter 26.1 in the handbook, I am
> > using good references such as:
> >
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> >
> > I need to connect remotely to the machine using ssh and this is where
> > I get the problem:
> >
> > Initially I can connect properly using a normal user account.  When
> > later I am trying to su to root it does nothing and the connection
> > closes.
>
> Can you show us the full IPFW ruleset you are using?
>
> > I have ipfw enabled in the kernel to deny everything by default.  I
> > have used both (one at a time) the following rules concerning ssh, in
> > /etc/ipfw.rules and also other combinations, such as taking off setup
> > and keep-state etc etc which would then make my firewall stateless as
> > far as I understood, which is something I don't want anyway.
> >
> > ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> > -
> > ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
>
> The second seems wrong, unless you also have 'setup' rules elsewhere.
>
> > In a first investigation (not thorough) I found this post:
> > http://www.freebsdforums.org/forums/showthread.php?t=21876
> > from which I cannot figure out what is wrong or how to fix this.
>
> The initial ruleset of this forum thread has a few bugs, which I'm not
> interested in pointing out one by one right now.  Just ignore most of it.
>
> > I run the sshd in debug mode and below is the portion for when I am trying
> > to su to root
> >
> > /* sshd -d */
> > Write failed: Permission denied
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: session_pty_cleanup: session 0 release /dev/ttyp7
>
> Now we're getting somewhere.  Please post your *FULL* ipfw ruleset so we
> can try to find out why/when/where packets can be blocked.
>
>


-- 
Spiros Papadopoulos
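
An added example, not part of either poster's message: a static check that can be run over a rules script in the `${addcmd}` style before it is loaded on a remote machine. It reports a `{name}` token written without the `$` (the shell passes it to ipfw as literal text) and a tcp allow rule that uses keep-state without `setup`, the point raised in the quoted reply. The function name `lint_ipfw_rules` and the sample input are constructed for this example; the check never calls ipfw.

```sh
#!/bin/sh
# Added example: lint an ipfw rules script read from stdin.
# Output is one "line-number: finding" per problem; no output means clean.

lint_ipfw_rules() {
    awk '
    # Remember shell assignments such as ks="keep-state".
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ {
        line = $0
        sub(/^[ \t]*/, "", line)
        name = line; sub(/=.*/, "", name)
        val = line;  sub(/^[^=]*=/, "", val); gsub(/"/, "", val)
        vars[name] = val
        next
    }
    # Skip comments and every line that is not an add command.
    /^[ \t]*#/ { next }
    index($0, "${addcmd}") == 0 { next }
    {
        # Check 1: a brace token left over once ${name} forms are removed.
        tmp = $0
        gsub(/[$][{][A-Za-z_][A-Za-z0-9_]*[}]/, "", tmp)
        if (match(tmp, /[{][A-Za-z_][A-Za-z0-9_]*[}]/))
            printf "%d: unexpanded %s\n", NR, substr(tmp, RSTART, RLENGTH)
        # Check 2: expand known variables, then inspect the rule text.
        rule = $0
        for (n in vars) gsub("[$][{]" n "[}]", vars[n], rule)
        if (rule ~ / allow / && rule ~ / tcp / &&
            rule ~ /keep-state/ && rule !~ / setup/)
            printf "%d: tcp keep-state rule without setup\n", NR
    }'
}

# Constructed sample input modelled on the rule styles in the thread.
sample_rules() {
    cat <<'EOF'
addcmd="/sbin/ipfw -q add"
ks="keep-state"
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
${addcmd} 301 allow tcp from any to me 22 setup ${ks}
EOF
}

sample_rules | lint_ipfw_rules
```
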


More information about the freebsd-questions mailing list