From owner-freebsd-questions Wed Apr 18 9:34:53 2001
Date: Wed, 18 Apr 2001 17:34:48 +0100
From: Mark Drayton
To: freebsd-questions@freebsd.org
Subject: ssh and firewall problem
Message-ID: <20010418173448.A8646@tethys.valhalla.net>

Hi

I'm just setting up a FreeBSD machine as a cable modem router and firewall for a friend. The firewall should be closed apart from ssh access. I've got the following rules (I took out the RFC 1918 rules when testing):

    dc0: outside - 213.105.xx.xx
    fxp0: inside - 192.168.0.254

The modem is accessible through 192.168.100.1, hence the allow rules.

    00100 divert 8668 ip from any to any via dc0
    00150 allow icmp from any to any
    00200 allow ip from any to any out xmit dc0
    00300 allow tcp from 192.168.100.1 to any in recv dc0
    00300 allow tcp from any to 192.168.100.1 out xmit dc0
    00400 allow ip from any to any via lo0
    00400 deny ip from any to 127.0.0.0/8
    00400 deny ip from 127.0.0.0/8 to any
    00600 allow tcp from any to any established
    00700 allow ip from any to any frag
    00900 allow tcp from any to 213.105.xx.xx 22 setup
    00900 allow tcp from any to 213.105.xx.xx 79 setup
    01000 deny log logamount 100 tcp from any to any in recv dc0 setup
    01100 allow tcp from any to any setup
    01200 allow udp from 213.105.xx.xx to any 53 keep-state
    65535 deny ip from any to any

I can't ssh into the machine at all when the firewall is up.

I'm getting these messages in the logs:

    Apr 18 16:54:23 keema sshd[18529]: fatal: Write failed: Permission denied

and sometimes:

    Apr 18 16:54:23 keema natd[259]: failed to write packet back (Permission denied)

The top error happens regardless of the divert rule, and the bottom one only with the divert rule. I've tried running an sshd on a high port (22222) but I can't get a prompt there either. I'm getting no ipfw connection denied entries, just these permission denied messages.

I also enabled finger, which works fine. I'm assuming this is because an entire finger session is conducted with only one or two packets, whereas ssh has quite a complex setup which is somehow being broken by my firewall.

With the firewall off ('open' in rc.conf) I can ssh in fine so it's not a problem with the cable modem company blocking access.

Thanks,

-- 
Mark Drayton

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
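Added example, not part of the post: a small Python model of the ipfw ruleset quoted above that reports which rule is the first to match a given packet, the check a reader would do by hand when tracing why a session is allowed or denied. It assumes first-match semantics, treats divert as pass-through (natd re-injects the packet at the next rule), ignores keep-state (stateless, one packet at a time), and uses 192.0.2.10 as a constructed stand-in for the redacted outside address 213.105.xx.xx and 203.0.113.5 as a constructed remote ssh client.

```python
import ipaddress
# Added stateless trace of the ipfw ruleset quoted in the post: first match wins, divert is pass-through
# (natd re-injects at the next rule), keep-state is ignored. 192.0.2.10 stands in for 213.105.xx.xx.
OUTSIDE = "192.0.2.10"
RULES = f"""00100 divert 8668 ip from any to any via dc0
00150 allow icmp from any to any
00200 allow ip from any to any out xmit dc0
00300 allow tcp from 192.168.100.1 to any in recv dc0
00300 allow tcp from any to 192.168.100.1 out xmit dc0
00400 allow ip from any to any via lo0
00400 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00600 allow tcp from any to any established
00700 allow ip from any to any frag
00900 allow tcp from any to {OUTSIDE} 22 setup
00900 allow tcp from any to {OUTSIDE} 79 setup
01000 deny log logamount 100 tcp from any to any in recv dc0 setup
01100 allow tcp from any to any setup
01200 allow udp from {OUTSIDE} to any 53 keep-state
65535 deny ip from any to any"""

def parse_rule(line):  # "NNNNN action [log logamount N] proto from SRC [PORT] to DST [PORT] options..."
    t = line.split()
    f, to = t.index("from"), t.index("to")
    r = {"num": int(t[0]), "action": t[1], "proto": t[f - 1], "src": t[f + 1], "dst": t[to + 1],
         "sport": int(t[f + 2]) if t[f + 2].isdigit() else None, "opts": t[to + 2:]}
    r["dport"] = int(r["opts"].pop(0)) if r["opts"] and r["opts"][0].isdigit() else None
    return r
def addr_ok(spec, ip):  # "any", a host address, or a CIDR prefix such as 127.0.0.0/8
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def matches(r, p):  # packet p: proto, src, dst, sport, dport, dir, recv, xmit, flags, frag
    if r["proto"] not in ("ip", p["proto"]): return False
    if not (addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])): return False
    if r["sport"] not in (None, p.get("sport")) or r["dport"] not in (None, p.get("dport")): return False
    o, fl = r["opts"], p.get("flags", set())
    for i, w in enumerate(o):  # interface names are consumed as o[i + 1] by recv/xmit/via
        if w in ("in", "out") and p["dir"] != w: return False
        if w == "recv" and p.get("recv") != o[i + 1]: return False
        if w == "xmit" and p.get("xmit") != o[i + 1]: return False
        if w == "via" and o[i + 1] not in (p.get("recv"), p.get("xmit")): return False
        if w == "setup" and not ("syn" in fl and "ack" not in fl): return False
        if w == "established" and not (fl & {"ack", "rst"}): return False
        if w == "frag" and not p.get("frag"): return False
    return True
def first_match(p):  # (rule number, action) of the first allow/deny rule that matches packet p
    for r in map(parse_rule, RULES.splitlines()):
        if r["action"] != "divert" and matches(r, p): return r["num"], r["action"]
if __name__ == "__main__":  # inbound ssh SYN from the constructed client 203.0.113.5, then the host's reply
    print(first_match(dict(proto="tcp", src="203.0.113.5", dst=OUTSIDE, dport=22, dir="in", recv="dc0", flags={"syn"})))
    print(first_match(dict(proto="tcp", src=OUTSIDE, sport=22, dst="203.0.113.5", dir="out", xmit="dc0", flags={"syn", "ack"})))
```

Swap in other packets (the SYN to port 22222, a UDP probe) to see which numbered rule the listed set applies to each of them.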