From owner-freebsd-questions@FreeBSD.ORG Fri Mar 26 10:02:35 2010
From: krad
To: Peter
Cc: "Tongai. T Zimbiti", freebsd-questions@freebsd.org
Date: Fri, 26 Mar 2010 10:02:33 +0000
Subject: Re: ipfw and ssh problem
In-Reply-To: <234590d29118c497875b08b14aea2560.squirrel@pop.pknet.net>
References: <4BAC59D4.8050605@yoafrica.com> <234590d29118c497875b08b14aea2560.squirrel@pop.pknet.net>

On 26 March 2010 08:02, Peter wrote:

> > Hi guys,
> >
> > I have searched everywhere and failed to find a solution, hence I write
> > you.
> > I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08
> > UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
> > together with ipfw. The problem I have is this: if I am on the box I can
> > restart my firewall with no problem, but when I log in remotely and
> > restart the firewall, for some reason I am locked out and cannot ssh into it.
> >
> > Below is the messages log:
> > Mar 25 14:51:04 panadine kernel: Trying to mount root from ufs:/dev/ad4s1a
> > Mar 25 14:51:04 panadine kernel: ipfw2 (+ipv6) initialized, divert
> > loadable, nat loadable, rule-based forwarding disabled, default to deny,
> > logging disabled
> > Mar 25 14:51:06 panadine kernel: ae0: link state changed to UP
> > Mar 25 14:51:16 panadine ntpd[645]: ntpd 4.2.4p5-a (1)
> > Mar 25 14:51:17 panadine nrpe[698]: Starting up daemon
> > Mar 25 14:51:25 panadine ntpd[646]: kernel time sync status change 2001
> > Mar 25 14:51:32 panadine su: systz to root on /dev/pts/0
> > Mar 25 15:01:46 panadine kernel: ifa_del_loopback_route: deletion failed
> > Mar 25 15:01:46 panadine kernel: ae0: link state changed to DOWN
> > Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
> > Mar 25 15:01:48 panadine kernel: ae0: link state changed to UP
> >
> > Here are a few lines from my /etc/firewall_rules
> >
> > # vim: set syntax=pf :
> >
> > -f flush
> >
> > # Let me talk out
> > add 100 allow all from me to any out keep-state
> > add 101 allow icmp from any to any via any
> > add 102 allow udp from any to any 33434-33523
> >
> > # Deal with loopback
> > #add 1000 allow all from any to any via lo0
> > add 1001 deny ip from any to 127.0.0.0/8
> > add 1002 deny ip from 127.0.0.0/8 to any
> >
> > # Allow established and fragmented sessions
> > add 2000 allow tcp from any to any established
> > add 2001 allow ip from any to any frag
> > add 2002 check-state
> > add 2003 allow icmp from any to any
> >
> >
> > I have enabled net.inet.ip.fw.verbose=1 in /etc/sysctl.conf
> >
> > Please help.
> >
> >
> > Regards
> >
> >
> > Tongai
>
> ipfw -f flush - deletes all rules except the default, which is usually
> 'deny from any to any'.
>
> As soon as that gets processed, your sshd connection is killed, as seen in
> the message up there:
> sshd[829]: fatal: Write failed: Permission denied
> With ssh dead, your shell is terminated and the rest of the script is
> never run, so you are stuck with a firewall that did not get any rules
> added to it.
>
> Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
> is what I've usually done.
>
> Or my favorite is to do the firewall from 'local console' using 'watch -W
> v4' so even if ssh is killed, the console is up to finish up the script.
> [ this works great for 'buildworld' too where I want to start it, pack my
> laptop and leave, reconnecting later ]
>
> With quiet mode, ssh is not sending anything back, so the connection is
> not terminated.
>
> ]Peter[

The default deny can be a pain; there are two ways around it I have used in
the past.

1. Compile the kernel module with the following option:
   options IPFIREWALL_DEFAULT_TO_ACCEPT

2. Install screen, open a screen session and run
   "ipfw -f flush; ipfw add 1 allow all from any to any". The screen session
   is important as it will guarantee the completion of the command.

It's also worth looking at pf, as its configuration is a lot easier than
ipfw, especially NATing. The macros and table functions are also a very good
way to write small compact rule sets.
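As an added example that is not part of this thread and not FreeBSD's own rc.firewall: a POSIX sh reload script that keeps Peter's `-q` idea but adds a preflight check that the ruleset actually re-admits ssh, plus a rollback to the previous rules if the load fails part-way, so the default-deny policy is kept instead of switching to a default-to-accept kernel or a temporary allow-all rule. The variables `IPFW`, `RULES`, `SSH_PORT` and the function names are assumptions; the rules file is assumed to be in the form Tongai shows (one ipfw command per line, starting with `-f flush`).

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): reload an ipfw ruleset
# from an ssh session while keeping default-deny. Assumes $RULES is a file in
# the form shown in the thread (one ipfw command per line, first line
# "-f flush"). IPFW may point at a stand-in for testing.
IPFW=${IPFW:-/sbin/ipfw}
RULES=${RULES:-/etc/firewall_rules}
SSH_PORT=${SSH_PORT:-22}

# Preflight: refuse a ruleset that flushes but never lets ssh back in.
# Return codes: 0 ok, 2 unreadable, 3 no flush, 4 nothing re-admits ssh.
preflight_rules() {
    f=$1
    [ -r "$f" ] || { echo "preflight: cannot read $f" >&2; return 2; }
    grep -Eq '^[[:space:]]*-f[[:space:]]+flush' "$f" \
        || { echo "preflight: $f does not flush; reload would duplicate rules" >&2; return 3; }
    # Either an explicit allow for the sshd port, or an 'established' rule
    # that keeps the session already in progress (rule 2000 in the thread).
    grep -Eq "^[[:space:]]*add .*allow tcp from .* to .*[[:space:]]$SSH_PORT([^0-9]|\$)" "$f" \
        || grep -Eq '^[[:space:]]*add .*allow tcp from any to any established' "$f" \
        || { echo "preflight: nothing re-admits ssh on port $SSH_PORT; refusing" >&2; return 4; }
}

# Reload: snapshot the live rules, load the new file with -q so ipfw prints
# nothing while the table is empty (no write for sshd to fail on), and put
# the snapshot back if the load fails part-way. Dynamic (keep-state) entries
# are lost either way, as with any flush.
reload_rules() {
    preflight_rules "$RULES" || return $?
    snap=$(mktemp "${TMPDIR:-/tmp}/ipfw-snap.XXXXXX") || return 1
    # 'ipfw list' prints "NNNNN rule"; prefix each with "add" and drop the
    # fixed default rule 65535, which cannot be re-added.
    "$IPFW" list | grep -v '^65535 ' | sed 's/^/add /' > "$snap"
    if "$IPFW" -q "$RULES" > /dev/null 2>&1; then
        rm -f "$snap"; return 0
    fi
    echo "reload failed; restoring previous ruleset" >&2
    "$IPFW" -q -f flush > /dev/null 2>&1
    "$IPFW" -q "$snap" > /dev/null 2>&1
    rm -f "$snap"; return 1
}
```

Run it under screen or nohup, as the thread suggests, so a dropped session cannot interrupt the rollback half-way.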