Problems with ipfw and ssh
Spiros Papadopoulos
spap13 at googlemail.com
Wed Oct 11 15:53:05 PDT 2006
Giorgo thanks for the immediate reply,
I started yesterday playing with it / testing it, but since i want to
do most of the work remotely, i stuck on this rule and feel like keep
looking until i find the solution. I paste the whole script here just
in case something else is wrong...
Here is my ipfw.rules file:
/** Sorry for the delay. In the meanwhile, just before sent the mail
something else happened. Taking in account what you told me about the
"state" keyword, i added it to the rule 300. Then i could not connect
at all. I tried to take it off again, but surprisingly it still
doesn't allow any connections at all (not even the user this time),
hmmm... I am sending it as it was initially, which from yesterday
until my first e-mail it was working as described previously...Now
also when i run the script with the "allowall" option gives me
problems, when it was working before. I can ping the machine and get
replies but i cannot ssh to it. It seems that i am doing something
wrong but cannot identify where */
#!/bin/sh
# rules commmand prefix
addcmd="/sbin/ipfw -q add"
# and the interface
if="xl0"
# details of this computer
ip="192.168.1.199"
net="192.168.1.0"
mask="255.255.255.0"
bcast="192.168.1.255"
nic="sk0"
ks="keep-state"
# Flush out the list
/sbin/ipfw -q -f flush
if [ "$1" = "allowall" ]
then
${addcmd} 100 allow all from any to any via ${nic}
exit 0
else
# Only in rare cases do you want to change these rules
${addcmd} 50 allow all from any to any via lo0
${addcmd} 100 deny all from any to 127.0.0.0/8
${addcmd} 150 deny ip from 127.0.0.0/8 to any
# At the moment don't allow it
#${addcmd} 400 allow all from ${ip} to ${net}:${mask}
#${addcmd} 500 allow all from ${net}:${mask} to ${ip}
# Allow only specific stuff and maintain the firewall for as long
# as needed to become tough enough
# check state and keep it
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 211 allow udp from me to any ${ks}
${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
${addcmd} 212 allow icmp from me to any
# Allow Traffic to my ISP DNS server
${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
# Allow ssh from anywhere
#${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
#${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
# Everything else is denied
${addcmd} 65535 deny all from any to ${ip}
exit 0
fi
Thanks
Spiros
On 12/10/06, Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:
> I removed freebsd-ipfw from the recipient list. Please keep `general'
> questions in freebsd-questions. The freebsd-ipfw list is, as far as I
> know, used for *development* of IPFW; not questions.
>
> On 2006-10-11 22:53, Spiros Papadopoulos <spap13 at googlemail.com> wrote:
> > Hi,
> >
> > I am trying to configure a firewall using ipfw for a machine running
> > FreeBSD 5.4. Without NAT.
> >
> > I am nearly a newbie on this (since i never had time until now..) but
> > still i believe i understand exactly the concepts and what needs to be
> > done. Except the manual page and chapter 26.1 in the handbook I am
> > using good references such as:
> >
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> >
> > I need to connect remotely to the machine using ssh and this is where
> > i get the problem:
> >
> > Initially i can connect properly using a normal user account. When
> > later i am trying to su to root it does nothing and the connection
> > closes.
>
> Can you show us the full IPFW ruleset you are using?
>
> > I have ipfw enabled in the kernel to deny everything by default. I
> > have used both (one at a time) the following rules concerning ssh, in
> > /etc/ipfw.rules and also other combinations, such as taking off setup
> > and keep-state etc etc which would then make my firewall stateless as
> > far as i understood, which is something i don't want anyway.
> >
> > ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> > -
> > ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
>
> The second seems wrong, unless you also have 'setup' rules elsewhere.
>
> > In a first investigation (not thorough) i found this post:
> > http://www.freebsdforums.org/forums/showthread.php?t=21876
> > where from, i cannot realize what is wrong or how to fix this.
>
> The initial ruleset of this forum thread has a few bugs, which I'm not
> interested in pointing out one by one right now. Just ignore most of it.
>
> > I run the sshd in debug mode and below is the portion, for when i am trying
> > to su to root
> >
> > /* sshd -d */
> > Write failed: Permission denied
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: session_pty_cleanup: session 0 release /dev/ttyp7
>
> Now we're getting somewhere. Please post your *FULL* ipfw ruleset so we
> can try to find out why/when/where packets can be blocked.
>
>
--
Spiros Papadopoulos
More information about the freebsd-questions
mailing list