From owner-freebsd-questions@FreeBSD.ORG Wed Aug 24 08:30:10 2005
From: Alexander Leidinger
To: Pat Maddox
Cc: Stephen Major, remko@freebsd.org, FreeBSD Questions
Subject: Re: Security warning with sshd
Date: Wed, 24 Aug 2005 10:29:09 +0200
Message-ID: <20050824102909.c370l4o9dcs8sog0@netchild.homeip.net>
In-Reply-To: <810a540e05082315273c897618@mail.gmail.com>
References: <430b138a.7c0e796e.1155.547a@mx.gmail.com> <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net> <810a540e05082315273c897618@mail.gmail.com>
User-Agent: Internet Messaging Program (IMP) H3 (4.0.3) / FreeBSD-4.11
List-Id: User questions

Pat Maddox wrote:

> Hey guys, thanks for the help so far. I'm going to post this to the
> freebsd-pf list to see if anyone has any ideas... but I'm using PF, and
> here's the config. Hopefully you can take a look and see what the
> problem may be. As I said earlier, I'm not positive why I'm getting
> those errors, but I believe it's because my SSH connection is getting
> cut off whenever I enable the firewall. I've also been looking for a
> way to not be cut off (since it's very annoying), and it seems like
> figuring out and correcting these errors will also fix the second
> problem.

You have to enable the firewall before you use ssh. A stateful firewall
can't know about connections which get set up before the firewall is
started. Since the firewall starts with a clean state, it has to assume
that no connection is valid and blocks all already-established traffic.
So the behavior you see is what you requested from the system by
starting the firewall after starting an ssh session.

There's no need to be scared; it's not a security flaw, but you have to
change your expectations.

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org         netchild @ FreeBSD.org  : PGP ID = 72077137
Don't you feel more like you do now than you did when you came in?
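The following is an added illustration of the point made in the reply above; it is not code from the original thread and not pf's implementation. It is a toy model of a stateful firewall's state table: a rule that only creates state on the connection-opening SYN (the default for a `keep state` rule) passes a full ssh handshake when the firewall is up from the start, but drops the mid-stream packets of a session that was established before the firewall started, because the freshly started firewall has no state entry for it. The model also has a `create_state_on_any` switch, an assumption standing in for what modern pf calls `flags any` (picking up connections mid-stream), to show why that changes the outcome. The addresses, ports and packet trace are constructed for the example.

```python
"""Toy model of a stateful firewall's state table (added example, not pf code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string, e.g. "S", "SA", "A", "PA"


@dataclass
class StatefulFirewall:
    allowed_ports: set                      # inbound TCP ports a "pass ... keep state" rule covers
    create_state_on_any: bool = False       # assumption: models "flags any" (state from mid-stream packets)
    states: set = field(default_factory=set)  # state table; empty when the firewall starts

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        # Packets that match an existing state pass in either direction.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass"
        # No state: consult the rule set. A default "keep state" rule only creates
        # state for a packet that opens a connection (SYN without ACK); any other
        # packet of an unknown session is blocked unless we accept any flags.
        if p.dport in self.allowed_ports:
            opening = "S" in p.flags and "A" not in p.flags
            if opening or self.create_state_on_any:
                self.states.add(self._key(p))
                return "pass"
        return "block"


def ssh_session(client="10.0.0.5", server="192.0.2.10"):
    """Constructed packet trace: three-way handshake, then data in each direction."""
    return [
        Packet(client, 51234, server, 22, "S"),
        Packet(server, 22, client, 51234, "SA"),
        Packet(client, 51234, server, 22, "A"),
        Packet(client, 51234, server, 22, "PA"),
        Packet(server, 22, client, 51234, "PA"),
    ]


def run(firewall_starts_at, create_state_on_any=False):
    """Verdict per packet. Packets before index `firewall_starts_at` flowed while
    the firewall was not yet running, so it never saw them and holds no state."""
    fw = StatefulFirewall(allowed_ports={22}, create_state_on_any=create_state_on_any)
    verdicts = []
    for i, pkt in enumerate(ssh_session()):
        if i < firewall_starts_at:
            verdicts.append("pass (firewall not running)")
        else:
            verdicts.append(fw.filter(pkt))
    return verdicts


if __name__ == "__main__":
    print("firewall up before ssh:   ", run(0))
    print("firewall started mid-ssh: ", run(3))
    print("mid-ssh, state from any:  ", run(3, create_state_on_any=True))
```

Running it shows the order dependence the reply describes: with the firewall up first every packet passes, with the firewall started after the handshake both data packets are blocked (the client's because it is not a SYN, the server's because there is neither a state nor an inbound rule for the client's ephemeral port), and only the mid-stream pickup mode rescues the session. Starting the firewall before opening the ssh session, as the reply recommends, is the plain fix.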