From owner-freebsd-questions@FreeBSD.ORG Fri Mar 26 10:11:27 2010
Message-ID: <4BAC8786.6020004@yoafrica.com>
Date: Fri, 26 Mar 2010 12:08:06 +0200
From: "Tongai. T Zimbiti"
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
To: Peter
Cc: freebsd-questions@freebsd.org
References: <4BAC59D4.8050605@yoafrica.com> <234590d29118c497875b08b14aea2560.squirrel@pop.pknet.net>
In-Reply-To: <234590d29118c497875b08b14aea2560.squirrel@pop.pknet.net>
Subject: Re: ipfw and ssh problem

Thanks Peter, will give that a try.

regards
Tongai

Peter wrote:
>> Hi guys,
>>
>> I have searched everywhere and failed to find a solution, hence I write
>> you.
>> I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08
>> UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>> together with ipfw. The problem I have is this: if I am on the box I can
>> restart my firewall with no problem, but when I log in remotely and
>> restart the firewall, for reason I am locked out and cannot ssh into it.
>>
>> Below is the messages log:
>> Mar 25 14:51:04 panadine kernel: Trying to mount root from ufs:/dev/ad4s1a
>> Mar 25 14:51:04 panadine kernel: ipfw2 (+ipv6) initialized, divert
>> loadable, nat loadable, rule-based forwarding disabled, default to deny,
>> logging disabled
>> Mar 25 14:51:06 panadine kernel: ae0: link state changed to UP
>> Mar 25 14:51:16 panadine ntpd[645]: ntpd 4.2.4p5-a (1)
>> Mar 25 14:51:17 panadine nrpe[698]: Starting up daemon
>> Mar 25 14:51:25 panadine ntpd[646]: kernel time sync status change 2001
>> Mar 25 14:51:32 panadine su: systz to root on /dev/pts/0
>> Mar 25 15:01:46 panadine kernel: ifa_del_loopback_route: deletion failed
>> Mar 25 15:01:46 panadine kernel: ae0: link state changed to DOWN
>> Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
>> Mar 25 15:01:48 panadine kernel: ae0: link state changed to UP
>>
>> Here are a few lines from my /etc/firewall_rules
>>
>> # vim: set syntax=pf :
>>
>> -f flush
>>
>> # Let me talk out
>> add 100 allow all from me to any out keep-state
>> add 101 allow icmp from any to any via any
>> add 102 allow udp from any to any 33434-33523
>>
>> # Deal with loopback
>> #add 1000 allow all from any to any via lo0
>> add 1001 deny ip from any to 127.0.0.0/8
>> add 1002 deny ip from 127.0.0.0/8 to any
>>
>> # Allow established and fragmented sessions
>> add 2000 allow tcp from any to any established
>> add 2001 allow ip from any to any frag
>> add 2002 check-state
>> add 2003 allow icmp from any to any
>>
>>
>> I have enabled net.inet.ip.fw.verbose=1 in /etc/sysctl.conf
>>
>> please help
>>
>>
>> regards
>>
>> Tongai
>>
>
> ipfw -f flush - deletes all rules except the default which is usually
> 'deny from any to any'
>
> As soon as that gets processed, your sshd connection is killed as seen in
> the message up there:
> sshd[829]: fatal: Write failed: Permission denied
> With ssh dead, your shell is terminated and the rest of the script is
> never run, so you are stuck with a firewall that did not get any rules
> added to it.
>
> Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
> is what I've usually done.
>
> or my favorite is to do the firewall from 'local console' using 'watch -W
> v4' so even if ssh is killed, the console is up to finish up the script.
> [ this works great for 'buildworld' too where I want to start it, pack my
> laptop and leave, reconnecting later ]
>
> With quiet mode, ssh is not sending anything back, so the connection is
> not terminated.
>
> ]Peter[
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
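The failure mode Peter describes (flush hits the default deny rule, sshd's next write fails, the shell dies, the remaining "add" lines never run) can be avoided by doing the reload in a way that writes nothing back over the session and survives its loss. The script below is an added example, not code from the thread or from the FreeBSD rc scripts. It assumes FreeBSD ipfw(8) at /sbin/ipfw, a rules file in the same "-f flush" / "add ..." style as the /etc/firewall_rules excerpt above, and that the file is loaded with a single "ipfw -q <file>" invocation (ipfw's -q is quiet and implies -f, so the flush neither prompts nor prints). The helper names and the RULES_FILE/IPFW variables are the example's own. It also includes a pre-flight check that flags a rules file that flushes, which is the exact moment an ssh session can drop:

```shell
#!/bin/sh
# Added example (not from the thread). Reload an ipfw ruleset from a remote
# session without the reload dying together with the session.
#
# Assumptions (not stated on the list): ipfw(8) lives at /sbin/ipfw and the
# rules file uses the "-f flush" / "add N ..." preprocessor style that
# "ipfw <file>" reads line by line, as in the /etc/firewall_rules excerpt.

RULES_FILE=${RULES_FILE:-/etc/firewall_rules}   # hypothetical default path
IPFW=${IPFW:-/sbin/ipfw}                         # overridable for dry runs

# Does this rules file flush the kernel ruleset? If so, between the flush and
# the first "allow" the box sits at the default deny rule and any output
# written over ssh fails with "Write failed: Permission denied".
rules_flush() {
    grep -Eq '^[[:space:]]*-f[[:space:]]+flush[[:space:]]*$' "$1"
}

# One ipfw process loads the whole file. "-q" suppresses all output (and
# implies -f), so nothing is sent over the ssh connection while the rules
# are being replaced. Returns the command line as a string.
reload_cmd() {
    printf '%s -q %s' "$IPFW" "$1"
}

# Run the reload detached: nohup ignores the SIGHUP a dying login shell
# sends, stdout/stderr go to /dev/null instead of the session, and the
# "sleep 3" mirrors Peter's advice of letting the rules settle before
# returning. Exit status is ipfw's.
reload_detached() {
    nohup sh -c "$(reload_cmd "$1"); sleep 3" >/dev/null 2>&1 &
    wait $!
}

# Only act when explicitly asked, so the script is safe to source or lint.
if [ "${1:-}" = "reload" ]; then
    if rules_flush "$RULES_FILE"; then
        echo "note: $RULES_FILE flushes the ruleset; reloading detached" >&2
    fi
    reload_detached "$RULES_FILE"
fi
```

Invoke as "sh reload_ipfw.sh reload" (the file name is the example's own). With the default path the script is equivalent to Peter's "ipfw -q" suggestion, with the additional property that the load completes even if the session is torn down; a console session with watch(8), as Peter prefers, remains the safest option because it does not depend on the network at all.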