From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Spiros Papadopoulos
Cc: freebsd-questions@freebsd.org
Date: Thu, 12 Oct 2006 01:08:15 +0300
Subject: Re: Problems with ipfw and ssh
Message-ID: <20061011220815.GA83773@gothmog.pc>

I removed freebsd-ipfw from the recipient list. Please keep `general' questions in freebsd-questions. The freebsd-ipfw list is, as far as I know, used for *development* of IPFW; not questions.

On 2006-10-11 22:53, Spiros Papadopoulos wrote:
> Hi,
>
> I am trying to configure a firewall using ipfw for a machine running
> FreeBSD 5.4. Without NAT.
>
> I am nearly a newbie on this (since I never had time until now..) but
> still I believe I understand exactly the concepts and what needs to be
> done. Except the manual page and chapter 26.1 in the handbook I am
> using good references such as:
>
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
>
> I need to connect remotely to the machine using ssh and this is where
> I get the problem:
>
> Initially I can connect properly using a normal user account. When
> later I am trying to su to root it does nothing and the connection
> closes.

Can you show us the full IPFW ruleset you are using?

> I have ipfw enabled in the kernel to deny everything by default. I
> have used both (one at a time) the following rules concerning ssh, in
> /etc/ipfw.rules and also other combinations, such as taking off setup
> and keep-state etc etc which would then make my firewall stateless as
> far as I understood, which is something I don't want anyway.
>
> ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> -
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state

The second seems wrong, unless you also have 'setup' rules elsewhere.

> In a first investigation (not thorough) I found this post:
> http://www.freebsdforums.org/forums/showthread.php?t=21876
> where from, I cannot realize what is wrong or how to fix this.

The initial ruleset of this forum thread has a few bugs, which I'm not interested in pointing out one by one right now. Just ignore most of it.

> I run the sshd in debug mode and below is the portion, for when I am trying
> to su to root
>
> /* sshd -d */
> Write failed: Permission denied
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug1: session_pty_cleanup: session 0 release /dev/ttyp7

Now we're getting somewhere. Please post your *FULL* ipfw ruleset so we can try to find out why/when/where packets can be blocked.
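For reference, a minimal default-deny ruleset that admits ssh statefully, the way the `setup keep-state` rule above is meant to be used. This is an added example, not the poster's /etc/ipfw.rules or anything from the thread; it assumes the rc.firewall-style convention of an `${addcmd}` prefix and puts a `check-state` rule ahead of every `keep-state` rule, which is what lets the non-SYN packets of an established ssh session keep matching after the first one.

```shell
#!/bin/sh
# Added example: minimal stateful IPFW ruleset for remote ssh on a
# default-deny host (FreeBSD 5.x/6.x syntax). Pass "echo" as the first
# argument to preview the rules without touching the kernel.
build_ruleset() {
    add="${1:-/sbin/ipfw -q add}"      # e.g. ${addcmd} in rc.firewall

    # 1. Loopback is trusted; 127/8 on any other interface is spoofed.
    $add 100 allow ip from any to any via lo0
    $add 200 deny ip from any to 127.0.0.0/8
    $add 210 deny ip from 127.0.0.0/8 to any

    # 2. check-state must precede the keep-state rules: packets of an
    #    already-open session are matched here by their dynamic rule.
    $add 300 check-state

    # 3. Inbound ssh: only the SYN (setup) creates the dynamic rule;
    #    every later packet of that session is accepted by rule 300.
    $add 310 allow log logamount 5 tcp from any to me 22 setup keep-state

    # 4. Connections originated by this host (DNS, updates, outbound ssh).
    $add 400 allow tcp from me to any setup keep-state
    $add 410 allow udp from me to any keep-state
    $add 420 allow icmp from any to any

    # 5. Stray non-SYN TCP gets its own log line, then the default deny.
    $add 500 deny log tcp from any to any established
    $add 65000 deny log ip from any to any
}

# Helper for sanity-checking a preview: rule number of the check-state
# rule and of the first keep-state rule (check-state must come first).
first_rule_matching() {
    build_ruleset echo | awk -v pat="$1" '$0 ~ pat { print $1; exit }'
}

# To apply on the real box:
#   /sbin/ipfw -q -f flush && build_ruleset
```

Preview with `build_ruleset echo` before loading; if the debug-mode disconnect persists with this ruleset in place, `ipfw -d list` and `ipfw show` on the logging rules show which rule dropped the packet.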