From owner-freebsd-questions@FreeBSD.ORG Tue Aug 23 22:27:52 2005
Message-ID: <810a540e05082315273c897618@mail.gmail.com>
Date: Tue, 23 Aug 2005 16:27:49 -0600
From: Pat Maddox
To: Alexander Leidinger
Cc: Stephen Major, remko@freebsd.org, FreeBSD Questions
In-Reply-To: <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net>
References: <430b138a.7c0e796e.1155.547a@mx.gmail.com> <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net>
Subject: Re: Security warning with sshd
List-Id: User questions
Hey guys, thanks for the help so far. I'm going to post this to the freebsd-pf list to see if anyone has any ideas... but I'm using PF, and here's the config. Hopefully you can take a look and see what the problem may be. As I said earlier, I'm not positive why I'm getting those errors, but I believe it's because my SSH connection is getting cut off whenever I enable the firewall. I've also been looking for a way to not be cut off (since it's very annoying), and it seems like figuring out and correcting these errors will also fix the second problem.

# ------- pf.conf skeleton for server
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"

# --- allowed incoming services initiated by clients
TCP_IN = "{ 3000, ssh, ftp, smtp, domain, pop3, imap, http, https, 3690, 5001, 5002, 5003, 5004, 5005 }"
UDP_IN = "{ domain, 3690 }"

# --- allowed services initiated by server
TCP_OUT = "{ ssh, smtp, ftp, domain, http, https, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all

# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section
# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING =================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
# --- UDP
pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING =================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf

On 8/23/05, Alexander Leidinger wrote:
> Stephen Major wrote:
>
> > The issue he is having, I had the exact same problems; as soon as I changed
> > my config to the one below, poof, no more problems. You can set your firewall
> > however you want. I was just saying what gets rid of the problem he is
> > having with ssh.
>
> I wasn't commenting on the ssh issue, since it isn't clear why the problem
> exists. At least I haven't seen a problem analysis where the cause of this
> was shown. Maybe I missed it. So your posting may be the right solution or
> not. I don't know yet, and I don't care about this in this mail, since I
> wasn't talking about the ssh issue (see below).
>
> > So instead of ripping apart what I have said, why do you not provide a better
> > solution to the original question asked?
>
> I wasn't ripping apart what you said. I just wanted to be helpful and share a
> little bit of knowledge. You're mixing stateful with non-stateful rules and
> this may result in unwanted packets traveling through the firewall. I
> thought you (and maybe others) may be interested in this.
>
> BTW: in some environments this is a hole in the firewall and needs to be
> fixed, so one shouldn't use this part of your example. Since the security
> mailing list is in the CC, we can't let this problem go uncommented.
>
> Another helpful suggestion: Please don't quote everything and please write
> your comments below the parts where they belong. This is common behavior in
> the FreeBSD lists and doing the opposite will result in less (useful)
> responses from some members of the lists (because it makes the mail harder
> to read and people may decide to not spend the time to read the mail and
> point out problem solutions or small bugs in your offering of a solution).
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
> http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
> To add insult to injury.
> -- Phaedrus
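As an added illustration (not code from this thread, and not pf itself), here is a small Python model of how pf evaluates the ruleset posted above, assuming pf's documented semantics for quick rules, flags S/SA and keep state. It shows that an already established SSH session whose state entry has been flushed is dropped by these rules, and, for the stateful versus non-stateful point in Alexander's reply, that a hypothetical stateless pass rule would accept a bare ACK with no handshake at all. The client and server addresses are constructed.

```python
# Toy model of pf evaluating the ruleset posted above (added illustration, not
# code from this thread). Assumed pf semantics: "quick" rules, first match wins;
# "flags S/SA" matches only SYN-without-ACK; "keep state" records the flow so
# later packets pass by state lookup; whatever matches nothing hits "block all".
TCP_IN = {3000, 22, 21, 25, 53, 110, 143, 80, 443, 3690,
          5001, 5002, 5003, 5004, 5005}             # $TCP_IN from the post
POSTED_RULES = [("in", TCP_IN, True, True)]          # (dir, dst_ports, syn_only, keep_state)
STATELESS_RULES = [("in", {22}, False, False)]       # hypothetical: no flags, no keep state

class Pf:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()                       # (src, sport, dst, dport)

    def flush_states(self):
        """Model of `pfctl -F state` (or a reload that flushes everything)."""
        self.states.clear()

    def evaluate(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.states or rev in self.states:
            return "pass (state)"                 # known flow, no rule consulted
        for direction, ports, syn_only, keep in self.rules:
            if direction != pkt["dir"] or pkt["dport"] not in ports:
                continue
            if syn_only and pkt["flags"] != "S":  # S/SA: SYN set, ACK clear
                continue
            if keep:
                self.states.add(fwd)
            return "pass (rule)"
        return "block (default)"

def ssh_session_after_flush():
    """Constructed client opens SSH, then the state table is flushed."""
    fw = Pf(POSTED_RULES)
    syn = dict(dir="in", src="198.51.100.7", sport=40000,
               dst="203.0.113.10", dport=22, flags="S")
    ack = dict(syn, flags="A")                    # a later packet of that session
    out = [fw.evaluate(syn), fw.evaluate(ack)]    # SYN matches rule, ACK by state
    fw.flush_states()
    out.append(fw.evaluate(ack))                  # no state and no SYN: blocked
    return out

def stateless_rule_with_bare_ack():
    """The non-stateful variant: a bare ACK passes without any handshake."""
    fw = Pf(STATELESS_RULES)
    ack = dict(dir="in", src="198.51.100.7", sport=40000, dst="203.0.113.10", dport=22, flags="A")
    return fw.evaluate(ack)
```

No pf installation is needed; the two functions can be run directly or imported.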