ipfw and ssh problem

Peter fbsdq at peterk.org
Fri Mar 26 08:02:23 UTC 2010


> Hi guys,
>
> I have searched everywhere and failed to find a solution, hence I write
> you.
> I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08
> UTC 2009     root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
> amd64
> together with ipfw. The problem I have is this: if I am on the box I can
> restart my firewall with no problem, but when I log in remotely and
> restart the firewall, for some reason I am locked out and cannot ssh into it.
>
> Below is the messages log:
> Mar 25 14:51:04 panadine kernel: Trying to mount root from ufs:/dev/ad4s1a
> Mar 25 14:51:04 panadine kernel: ipfw2 (+ipv6) initialized, divert
> loadable, nat loadable, rule-based forwarding disabled, default to deny,
> logging disabled
> Mar 25 14:51:06 panadine kernel: ae0: link state changed to UP
> Mar 25 14:51:16 panadine ntpd[645]: ntpd 4.2.4p5-a (1)
> Mar 25 14:51:17 panadine nrpe[698]: Starting up daemon
> Mar 25 14:51:25 panadine ntpd[646]: kernel time sync status change 2001
> Mar 25 14:51:32 panadine su: systz to root on /dev/pts/0
> Mar 25 15:01:46 panadine kernel: ifa_del_loopback_route: deletion failed
> Mar 25 15:01:46 panadine kernel: ae0: link state changed to DOWN
> Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
> Mar 25 15:01:48 panadine kernel: ae0: link state changed to UP
>
> Here are a few lines from my /etc/firewall_rules
>
> # vim: set syntax=pf :
>
> -f flush
>
> # Let me talk out
> add 100 allow all from me to any out keep-state
> add 101 allow icmp from any to any via any
> add 102 allow udp from any to any 33434-33523
>
> # Deal with loopback
> #add 1000 allow all from any to any via lo0
> add 1001 deny ip from any to 127.0.0.0/8
> add 1002 deny ip from 127.0.0.0/8 to any
>
> # Allow established and fragmented sessions
> add 2000 allow tcp from any to any established
> add 2001 allow ip from any to any frag
> add 2002 check-state
> add 2003 allow icmp from any to any
>
>
> I have enabled net.inet.ip.fw.verbose=1 in /etc/sysctl.conf
>
> please help
>
>
> regards
>
>
> Tongai

'ipfw -f flush' deletes all rules except the default, which is usually
'deny from any to any'.

As soon as that gets processed, your sshd connection is killed, as seen in
the message up there:
sshd[829]: fatal: Write failed: Permission denied
With ssh dead, your shell is terminated and the rest of the script is
never run, so you are stuck with a firewall that did not get any rules
added to it.

Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
is what I've usually done.

Or my favorite is to do the firewall from the local console using 'watch -W
v4', so even if ssh is killed, the console is up to finish the script.
[ This works great for 'buildworld' too, where I want to start it, pack my
laptop and leave, reconnecting later. ]

With quiet mode, ssh is not sending anything back, so the connection is
not terminated.

]Peter[
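The reload script below is an added example written for this thread; it is not code from either poster. It applies the two points made above (run ipfw with -q, and never let sshd be the thing that has to write while the box is on the default-deny rule) and goes one step further than the thread: instead of flushing, it loads the new rules into a disabled ipfw rule set and swaps that set with set 0 in a single command, so there is no window at all with only the default rule in force. The rules file is assumed to contain "add NNN ..." lines like the /etc/firewall_rules quoted above; staging set 18 is an assumption (any unused set 1-30 works), and IPFW can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Lockout-free ipfw reload over ssh.  Added example for this thread, not code
# from the original post.  Assumptions: the rules file holds "add NNN ..."
# lines like the poster's /etc/firewall_rules, and the kernel's ipfw supports
# rule sets (set 18 as the staging set follows the ipfw(8) example; any
# unused set 1-30 would do).  IPFW can be pointed at a stub for a dry run.

IPFW=${IPFW:-/sbin/ipfw}
STAGE_SET=${STAGE_SET:-18}

# Every ipfw call goes through here: -q so ipfw prints nothing, and all output
# discarded anyway.  If sshd has to write to a connection the firewall is
# blocking, it dies with "Write failed: Permission denied", taking the login
# shell and this script with it.
fw() {
    "$IPFW" -q "$@" >/dev/null 2>&1
}

# Rewrite the rules file so every rule lands in the (disabled) staging set.
# Comments and blank lines are dropped.  "-f flush" is dropped too: flushing
# is what puts the box on the default-deny rule with nothing loaded, and the
# set swap below makes it unnecessary.  Anything that is not an "add" is
# refused rather than run unscoped.
stage_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -v s="$STAGE_SET" '
        ($1 == "-f" && $2 == "flush") || $1 == "flush" { next }
        $1 == "add" && $2 ~ /^[0-9]+$/ { $2 = $2 " set " s; print; next }
        $1 == "add"                    { $1 = "add set " s; print; next }
        { print "refusing non-add line: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }'
}

# Load the new rules into the disabled staging set, then swap it with set 0 in
# one ipfw call.  The old rules are live until the swap and the new ones after
# it; there is no moment with only the default rule in force.
reload() {
    rules=$1
    staged=$(stage_rules "$rules") || return 1
    [ -n "$staged" ] || { echo "no rules found in $rules" >&2; return 1; }

    fw set disable "$STAGE_SET" || return 1     # staged rules stay inert
    fw delete set "$STAGE_SET" || true          # leftovers from an aborted run

    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfw-reload.XXXXXX") || return 1
    printf '%s\n' "$staged" > "$tmp"
    if ! fw "$tmp"; then                        # file mode: one command per line
        rm -f "$tmp"
        fw delete set "$STAGE_SET" || true
        echo "ipfw rejected the staged rules; live rules left untouched" >&2
        return 1
    fi
    rm -f "$tmp"

    fw set swap 0 "$STAGE_SET" || return 1      # new rules go live here
    fw delete set "$STAGE_SET" || true          # old rules, now in the staging set
}

[ $# -eq 0 ] || reload "$1"
```

Run it as root with the rules file as the only argument. The default rule 65535 lives in set 31 and is never touched by the swap. One caveat: dynamic entries created by keep-state rules in the old set are torn down when that set is deleted, so a session that depends on them is cut; an ssh session admitted by a stateless rule such as the poster's "allow tcp from any to any established" is unaffected. And a rule set that is simply wrong can still lock you out, so the console-side approach above remains the safety net.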
