Problems with ipfw and ssh

Giorgos Keramidas keramida at ceid.upatras.gr
Wed Oct 11 16:47:11 PDT 2006


On 2006-10-12 00:53, Spiros Papadopoulos <spap13 at googlemail.com> wrote:
> I started yesterday playing with it / testing it, but since I
> want to do most of the work remotely, I got stuck on this rule and
> feel like I should keep looking until I find the solution. I paste the
> whole script here just in case something else is wrong...  Here
> is my ipfw.rules file:
> 
> /** Sorry for the delay. In the meanwhile, just before I sent the
> mail something else happened. Taking into account what you told
> me about the "state" keyword, I added it to rule 300. Then
> I could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail was
> working as described previously... Now also when I run the
> script with the "allowall" option it gives me problems, when it
> was working before. I can ping the machine and get replies but
> I cannot ssh to it. It seems that I am doing something wrong
> but cannot identify where */
> 
> #!/bin/sh
> 
> # rules command prefix
> addcmd="/sbin/ipfw -q add"
> 
> # and the interface
> if="xl0"
> 
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
> 
> nic="sk0"
> ks="keep-state"
> 
> # Flush out the list
> /sbin/ipfw -q -f flush
> 
> if [ "$1" = "allowall" ]
> then
>        ${addcmd} 100 allow all from any to any via ${nic}
>        exit 0
> else
>        # Only in rare cases do you want to change these rules
>        ${addcmd} 50 allow all from any to any via lo0
>        ${addcmd} 100 deny all from any to 127.0.0.0/8
>        ${addcmd} 150 deny ip from 127.0.0.0/8 to any

These look ok.

>        # At the moment don't allow it
>        #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
>        #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

Not sure why these are needed (but they are commented out).

>        # Allow only specific stuff and maintain the firewall for as long
>        # as needed to become tough enough
> 
>        # check state and keep it
>        ${addcmd} 200 check-state
> 
>        ${addcmd} 210 allow tcp from me to any setup ${ks}
>        ${addcmd} 211 allow udp from me to any ${ks}
> 
>        ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
>        ${addcmd} 212 allow icmp from me to any
> 
>        # Allow Traffic to my ISP DNS server
>        ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
>        ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
> 
>        # Allow ssh from anywhere
>        #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
>        #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
>        ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
>        # Everything else is denied
>        ${addcmd} 65535 deny all from any to ${ip}
>        exit 0
> fi

You seem to be missing a 'setup' keyword in the ssh rule :-/

I just loaded your own ruleset (with ${ip} and ${nic} set to local
values) on a FreeBSD 7.0-CURRENT system here.  They work fine, as far as
I can tell:

,----------------------------------------------------------------
| giorgos at gothmog:/home/giorgos$ su -
| Password: ********
| root at gothmog:/root# ipfw -d show
| 00050 168  30828 allow ip from any to any via lo0
| 00100   0      0 deny ip from any to 127.0.0.0/8
| 00150   0      0 deny ip from 127.0.0.0/8 to any
| 00200   0      0 check-state
| 00210 881 129402 allow tcp from me to any setup keep-state
| 00211   8    965 allow udp from me to any keep-state
| 00212   0      0 allow icmp from any to me icmptypes 0,3,4,11
| 00212   0      0 allow icmp from me to any
| 00250   0      0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251   0      0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300 649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535 154  35966 deny ip from any to any
| ## Dynamic rules (12):
| root at gothmog:/root#
`----------------------------------------------------------------

The only changes I made are:

  * Use 'any' instead of xx.xxx.x.xx as the UDP address.

  * Change ${ip} to my own address

  * Change ${nic} to my own interface name

I can connect to other hosts and ssh back into my workstation
with this ruleset :-/

Sorry, but I'm not sure why in your case this fails to work.
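A small checker for the two slips visible in the quoted script (an unexpanded `{ks}` where `${ks}` was meant, and a tcp `keep-state` rule without `setup`), written as an added example that is not part of this thread. The sample lines and variable values are constructed from the quoted script, with the wrapped `setup` token left as the mail shows it so the checker has something to catch.

```python
"""Lint an ipfw rule script of the '${addcmd} N rule...' shape used above."""
import re

# Constructed excerpt of the quoted script (not the complete file).
SAMPLE = r'''
${addcmd} 200 check-state
${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 211 allow udp from me to any ${ks}
#${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks}
setup
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
${addcmd} 65535 deny all from any to ${ip}
'''

# Shell variables as the quoted script defines them (constructed values).
VARS = {"addcmd": "/sbin/ipfw -q add", "ks": "keep-state",
        "ip": "192.168.1.199", "nic": "sk0"}


def expand(line, env):
    """Expand ${name} the way sh would; unknown names are left untouched."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), line)


def lint(script, env=VARS):
    """Return (line_number, finding) pairs for each suspicious rule line."""
    findings = []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out rule
        # '{ks}' without a leading '$' is passed to ipfw literally by sh.
        if re.search(r"(?<!\$)\{\w+\}", line):
            findings.append((n, "unexpanded-brace"))
        # Analyse the rule as the author evidently intended it.
        exp = expand(re.sub(r"(?<!\$)\{(\w+)\}", r"${\1}", line), env)
        if not exp.startswith("/sbin/ipfw"):
            findings.append((n, "stray-token"))   # e.g. a wrapped 'setup'
            continue
        words = exp.split()
        # A tcp keep-state rule without 'setup' creates state on any packet,
        # not only on the connection's initial SYN.
        if ("allow" in words and "tcp" in words and "keep-state" in words
                and "setup" not in words):
            findings.append((n, "keep-state-without-setup"))
    return findings
```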
