Date:      Thu, 12 Oct 2006 03:42:32 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Spiros Papadopoulos <spap13@googlemail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Problems with ipfw and ssh
Message-ID:  <20061012004232.GA86197@gothmog.pc>
In-Reply-To: <dab71e150610111731p520f5fa4yb00292c034d5ee67@mail.gmail.com>
References:  <dab71e150610111453m39c6bdb8ia846b3c4b39c4e08@mail.gmail.com> <20061011220815.GA83773@gothmog.pc> <dab71e150610111553r405ece01y607687b2d39e772c@mail.gmail.com> <20061011234720.GA84405@gothmog.pc> <dab71e150610111731p520f5fa4yb00292c034d5ee67@mail.gmail.com>

On 2006-10-12 01:31, Spiros Papadopoulos <spap13@googlemail.com> wrote:
>On 12/10/06, Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
>> ,----------------------------------------------------------------
>> | giorgos@gothmog:/home/giorgos$ su -
>> | Password: ********
>> | root@gothmog:/root# ipfw -d show
>> | 00050 168  30828 allow ip from any to any via lo0
>> | 00100   0      0 deny ip from any to 127.0.0.0/8
>> | 00150   0      0 deny ip from 127.0.0.0/8 to any
>> | 00200   0      0 check-state
>> | 00210 881 129402 allow tcp from me to any setup keep-state
>> | 00211   8    965 allow udp from me to any keep-state
>> | 00212   0      0 allow icmp from any to me icmptypes 0,3,4,11
>> | 00212   0      0 allow icmp from me to any
>> | 00250   0      0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
>> | 00251   0      0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
>> | 00300 649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
>> | 65535 154  35966 deny ip from any to any
>> | ## Dynamic rules (12):
>> | root@gothmog:/root#
>> `----------------------------------------------------------------
>> 
>> The only changes I made are:
>> 
>>   * Use 'any' instead of xx.xxx.x.xx as the UDP address.
>> 
>>   * Change ${ip} to my own address
>> 
>>   * Change ${nic} to my own interface name
>> 
>> I can connect to other hosts and ssh back into my workstation
>> with this ruleset :-/
>> 
>> Sorry, but I'm not sure why in your case this fails to work.
>
> Now this is strange. I will try again tomorrow evening more
> carefully and I will post any results.
>
> Initially I sent the mail because of the failure to su as root
> (as described also in that post I referenced) after I was
> logging in as normal user canonically. So it was working as you
> said.  But can you su to root after connecting?

Yes.  See above.  The `ipfw -d show' command shown there was
after I looped using SSH from my workstation to another system
and back again.

> Sorry, I will not be able to reply again tonight.

No problem.  Take your time.  There is definitely a logical
explanation why this is happening, even if that explanation is
`there is a bug in ipfw and 5.4' :)




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061012004232.GA86197>