Date: Fri, 26 Mar 2010 12:08:06 +0200
From: "Tongai. T Zimbiti" <tongai@yoafrica.com>
To: Peter <fbsdq@peterk.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw and ssh problem
Message-ID: <4BAC8786.6020004@yoafrica.com>
In-Reply-To: <234590d29118c497875b08b14aea2560.squirrel@pop.pknet.net>
References: <4BAC59D4.8050605@yoafrica.com> <234590d29118c497875b08b14aea2560.squirrel@pop.pknet.net>
Thanks Peter, will give that a try.

regards
Tongai

Peter wrote:
>> Hi guys,
>>
>> I have searched everywhere and failed to find a solution, hence I write
>> you.
>> I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08
>> UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
>> amd64
>> together with ipfw. The problem I have is this: if I am on the box I can
>> restart my firewall with no problem, but when I log in remotely and
>> restart the firewall, for some reason I am locked out and can not ssh into it.
>>
>> Below is the messages log:
>> Mar 25 14:51:04 panadine kernel: Trying to mount root from ufs:/dev/ad4s1a
>> Mar 25 14:51:04 panadine kernel: ipfw2 (+ipv6) initialized, divert
>> loadable, nat loadable, rule-based forwarding disabled, default to deny,
>> logging disabled
>> Mar 25 14:51:06 panadine kernel: ae0: link state changed to UP
>> Mar 25 14:51:16 panadine ntpd[645]: ntpd 4.2.4p5-a (1)
>> Mar 25 14:51:17 panadine nrpe[698]: Starting up daemon
>> Mar 25 14:51:25 panadine ntpd[646]: kernel time sync status change 2001
>> Mar 25 14:51:32 panadine su: systz to root on /dev/pts/0
>> Mar 25 15:01:46 panadine kernel: ifa_del_loopback_route: deletion failed
>> Mar 25 15:01:46 panadine kernel: ae0: link state changed to DOWN
>> Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
>> Mar 25 15:01:48 panadine kernel: ae0: link state changed to UP
>>
>> Here are a few lines from my /etc/firewall_rules
>>
>> # vim: set syntax=pf :
>>
>> -f flush
>>
>> # Let me talk out
>> add 100 allow all from me to any out keep-state
>> add 101 allow icmp from any to any via any
>> add 102 allow udp from any to any 33434-33523
>>
>> # Deal with loopback
>> #add 1000 allow all from any to any via lo0
>> add 1001 deny ip from any to 127.0.0.0/8
>> add 1002 deny ip from 127.0.0.0/8 to any
>>
>> # Allow established and fragmented sessions
>> add 2000 allow tcp from any to any established
>> add 2001 allow ip from any to any frag
>> add 2002 check-state
>> add 2003 allow icmp from any to any
>>
>>
>> I have enabled net.inet.ip.fw.verbose=1 in /etc/sysctl.conf
>>
>> please help
>>
>>
>> regards
>>
>>
>> Tongai
>>
>
> ipfw -f flush - deletes all rules except the default, which is usually
> 'deny from any to any'
>
> As soon as that gets processed, your sshd connection is killed, as seen in
> the message up there:
> sshd[829]: fatal: Write failed: Permission denied
> With ssh dead, your shell is terminated and the rest of the script is
> never run, so you are stuck with a firewall that did not get any rules
> added to it.
>
> Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
> is what I've usually done.
>
> Or my favorite is to do the firewall from the 'local console' using 'watch -W
> v4', so even if ssh is killed, the console is up to finish the script.
> [ this works great for 'buildworld' too, where I want to start it, pack my
> laptop and leave, reconnecting later ]
>
> With quiet mode, ssh is not sending anything back, so the connection is
> not terminated.
>
> ]Peter[
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
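The failure Peter describes, as a worked example (added here; this is not code from the thread or from FreeBSD itself): the posted file starts with a verbose "-f flush", which prints "Flushed all rules." while the table is empty and default-deny, so sshd's write gets EACCES ("Permission denied") and the session dies before any "add" line is processed. The script below loads the whole ruleset in one quiet "ipfw -q FILE" run with output discarded, puts a stateless allow pair for the admin's ssh immediately after the flush, refuses to load a file that does not follow that shape, and arms a deadman switch that reopens ssh if the new rules cut you off anyway. The admin network 192.0.2.0/24, port 22, the path /etc/ipfw.rules and the 120-second timeout are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: reload an ipfw ruleset over ssh without
# locking yourself out. Values below are assumptions for illustration.
set -u

ADMIN_NET=192.0.2.0/24      # network you ssh in from (assumed)
SSH_PORT=22                 # sshd port (assumed)
RULES_FILE=/etc/ipfw.rules  # where the generated ruleset is written (assumed)
DEADMAN_SECS=120            # how long to wait for confirmation (assumed)

# Emit the complete ruleset as one file for a single "ipfw -q FILE" run.
# "-q flush" suppresses the "Flushed all rules." message, so nothing is
# written to the ssh session while the table is momentarily empty, and the
# stateless ssh pair is admitted before anything else is loaded.
generate_ruleset() {
    cat <<EOF
-q flush
add 10 allow tcp from ${ADMIN_NET} to me ${SSH_PORT}
add 11 allow tcp from me ${SSH_PORT} to ${ADMIN_NET}
add 100 allow all from me to any out keep-state
add 101 allow icmp from any to any
add 2000 check-state
add 65000 deny log ip from any to any
EOF
}

# Preflight check on a ruleset read from stdin: the first line must be a
# quiet flush, the next two must be the ssh allow pair, and no later line may
# flush again (that would empty the table a second time). Exit 0 if safe.
validate_ruleset() {
    awk -v net="$ADMIN_NET" -v port="$SSH_PORT" '
        NR == 1 { if ($0 != "-q flush") bad = 1; next }
        /flush/ { bad = 1 }
        NR == 2 { if (index($0, "allow tcp from " net " to me " port) == 0) bad = 1 }
        NR == 3 { if (index($0, "allow tcp from me " port " to " net) == 0) bad = 1 }
        END { exit (NR < 3 || bad) ? 1 : 0 }'
}

# Deadman switch: a detached shell that, after DEADMAN_SECS, inserts rules 1
# and 2 to reopen ssh from ADMIN_NET only. Kill it once the new ruleset is
# confirmed to work. Prints the PID to kill.
arm_deadman() {
    nohup sh -c "sleep ${DEADMAN_SECS}; \
        ipfw -q add 1 allow tcp from ${ADMIN_NET} to me ${SSH_PORT}; \
        ipfw -q add 2 allow tcp from me ${SSH_PORT} to ${ADMIN_NET}" \
        >/dev/null 2>&1 &
    echo $!
}

# Generate, validate, arm the deadman, then load in ONE quiet ipfw run with
# output discarded (no per-rule shell commands, nothing echoed to the tty).
reload_firewall() {
    generate_ruleset > "$RULES_FILE"
    validate_ruleset < "$RULES_FILE" || {
        echo "refusing to load $RULES_FILE: ssh rules not first after flush" >&2
        return 1
    }
    deadman_pid=$(arm_deadman)
    ipfw -q "$RULES_FILE" >/dev/null 2>&1
    printf 'New ruleset loaded. Press Enter within %ss to keep it: ' "$DEADMAN_SECS"
    if read -r _ans; then
        kill "$deadman_pid" 2>/dev/null
        echo "confirmed, deadman disarmed"
    fi
}

# Only touch the live firewall when explicitly asked (needs root on FreeBSD).
if [ "${IPFW_RELOAD_NOW:-0}" = 1 ]; then
    reload_firewall
fi
```

Run it as root with IPFW_RELOAD_NOW=1 to apply; without that variable it only defines the functions, so the generator and the preflight check can be exercised anywhere. Two design points: the flush also discards keep-state entries, so the admin session is protected by the stateless rules 10 and 11 rather than by dynamic state created before the reload; and the deadman reopens ssh only from ADMIN_NET, not from anywhere, so a forgotten timer does not leave the box wide open.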
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BAC8786.6020004>