From: "Peter" <fbsdq@peterk.org>
To: "Tongai. T Zimbiti"
Cc: freebsd-questions@freebsd.org
Date: Fri, 26 Mar 2010 02:02:21 -0600
Subject: Re: ipfw and ssh problem
Message-ID: <234590d29118c497875b08b14aea2560.squirrel@pop.pknet.net>
In-Reply-To: <4BAC59D4.8050605@yoafrica.com>
References: <4BAC59D4.8050605@yoafrica.com>

> Hi guys,
>
> I have searched everywhere and failed to find a solution, hence I write you.
> I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08
> UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
> together with ipfw.
> The problem I have is this: if I am on the box I can restart my firewall
> with no problem, but when I log in remotely and restart the firewall, for
> some reason I am locked out and can not ssh into it.
>
> Below is the messages log:
> Mar 25 14:51:04 panadine kernel: Trying to mount root from ufs:/dev/ad4s1a
> Mar 25 14:51:04 panadine kernel: ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled
> Mar 25 14:51:06 panadine kernel: ae0: link state changed to UP
> Mar 25 14:51:16 panadine ntpd[645]: ntpd 4.2.4p5-a (1)
> Mar 25 14:51:17 panadine nrpe[698]: Starting up daemon
> Mar 25 14:51:25 panadine ntpd[646]: kernel time sync status change 2001
> Mar 25 14:51:32 panadine su: systz to root on /dev/pts/0
> Mar 25 15:01:46 panadine kernel: ifa_del_loopback_route: deletion failed
> Mar 25 15:01:46 panadine kernel: ae0: link state changed to DOWN
> Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
> Mar 25 15:01:48 panadine kernel: ae0: link state changed to UP
>
> Here are a few lines from my /etc/firewall_rules
>
> # vim: set syntax=pf :
>
> -f flush
>
> # Let me talk out
> add 100 allow all from me to any out keep-state
> add 101 allow icmp from any to any via any
> add 102 allow udp from any to any 33434-33523
>
> # Deal with loopback
> #add 1000 allow all from any to any via lo0
> add 1001 deny ip from any to 127.0.0.0/8
> add 1002 deny ip from 127.0.0.0/8 to any
>
> # Allow established and fragmented sessions
> add 2000 allow tcp from any to any established
> add 2001 allow ip from any to any frag
> add 2002 check-state
> add 2003 allow icmp from any to any
>
>
> I have enabled net.inet.ip.fw.verbose=1 in /etc/sysctl.conf
>
> please help
>
>
> regards
>
>
> Tongai

ipfw -f flush - deletes all rules except the default, which is usually
'deny from any to any'.

As soon as that gets processed, your sshd connection is killed, as seen in
the message up there:

  sshd[829]: fatal: Write failed: Permission denied

With ssh dead, your shell is terminated and the rest of the script is never
run, so you are stuck with a firewall that did not get any rules added to
it.

Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
is what I've usually done.

Or my favorite is to do the firewall from the 'local console' using
'watch -W v4', so even if ssh is killed, the console is up to finish the
script.
[ this works great for 'buildworld' too, where I want to start it, pack my
laptop and leave, reconnecting later ]

With quiet mode, ssh is not sending anything back, so the connection is not
terminated.

]Peter[
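The reload pattern Peter describes (quiet mode so nothing is written to the ssh socket while the ruleset is empty, and running the load detached from the session that may die) as an added example script; this is not code from either poster or from FreeBSD's rc.firewall. It assumes the rules file uses the one-command-per-line format shown in the quoted /etc/firewall_rules, that ssh listens on port 22, and that IPFW, SNAPSHOT and ROLLBACK_SECS are this example's own knobs (overridable so the script can be exercised against a stub). It goes a step beyond the thread: it refuses a rules file that contains no rule able to keep an ssh session alive, and it rolls back to the previous ruleset if the change is not confirmed from a fresh login within a timeout.

```shell
#!/bin/sh
# safe_fw_reload.sh - lockout-resistant ipfw reload (added example, not
# code from the thread).
#
# Failure it guards against: '-f flush' leaves only the default deny
# rule; sshd's next write gets EPERM ("Write failed: Permission denied"),
# the session is torn down, the shell running the script dies with it,
# and the rest of the rules file is never loaded.
#
# Assumptions (none of these are on the page): the rules file uses the
# 'ipfw <pathname>' format the poster already uses (one command per
# line, no leading 'ipfw'); ssh listens on port 22; IPFW, SNAPSHOT and
# ROLLBACK_SECS are this example's own knobs so a stub can stand in.
IPFW="${IPFW:-/sbin/ipfw}"
SNAPSHOT="${SNAPSHOT:-/var/run/ipfw.rollback}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# has_ssh_allow FILE: succeed if FILE holds an 'add ... allow tcp|ip ...'
# rule that lets an existing ssh session continue once the new set is in
# place: an 'established' match or a port 22 match. Without one, quiet
# mode only postpones the lockout until the next packet.
has_ssh_allow() {
    awk '
        /^[[:space:]]*add[[:space:]]/ && / allow (tcp|ip) / {
            if ($0 ~ /established/ || $0 ~ /(^|[ ,])22([ ,]|$)/) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# list_to_rules: turn 'ipfw list' output (stdin) into lines that
# 'ipfw -q <file>' can load again. Rule 65535 is the default rule and
# cannot be re-added, so it is skipped; dynamic keep-state entries are
# not listed and are lost on rollback.
list_to_rules() {
    awk '$1 ~ /^[0-9]+$/ && $1 != "65535" { print "add " $0 }'
}

# reload FILE: snapshot the live set, then in a background child that
# ignores HUP (so losing the ssh session does not abort it) load FILE
# with -q and all output discarded, so nothing is written to a socket the
# new set may have just cut off. After ROLLBACK_SECS the child restores
# the snapshot unless 'confirm' has removed it in the meantime.
reload() {
    file="$1"
    if ! has_ssh_allow "$file"; then
        echo "refusing: no rule in $file would keep an ssh session alive" >&2
        return 2
    fi
    "$IPFW" list | list_to_rules > "$SNAPSHOT" || return 1
    sh -c "
        trap '' HUP
        '$IPFW' -q '$file'
        sleep '$ROLLBACK_SECS'
        if [ -f '$SNAPSHOT' ]; then
            '$IPFW' -q -f flush
            '$IPFW' -q '$SNAPSHOT'
            mv '$SNAPSHOT' '$SNAPSHOT.rolledback'
        fi" > /dev/null 2>&1 &
}

# confirm: keep the new rules by cancelling the pending rollback.
confirm() {
    rm -f "$SNAPSHOT"
}

# Usage: sh safe_fw_reload.sh reload /etc/firewall_rules
#        then, from a fresh ssh login: sh safe_fw_reload.sh confirm
case "${1:-}" in
    reload)  reload "$2" ;;
    confirm) confirm ;;
esac
```

The snapshot-and-rollback step is what turns a mistake in the new rules file from a trip to the console into a one-minute outage. The rest is the same idea as Peter's 'ipfw -q' and 'sh /etc/rc.firewall > /dev/null' suggestions: the ruleset is deny-all between the flush and the first 'add', so the only safe thing to do in that window is to produce no output at all.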