From: "Anthony M. Agelastos" <iqgrande@gmail.com>
Date: Wed, 5 Apr 2006 22:47:06 -0400
To: Ean Kingston
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw and ssh

Not just that, but it doesn't appear to be logging the events, even after I added

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

to /etc/sysctl.conf and firewall_logging="YES" to /etc/rc.conf. I see no updates to /var/log/security after the ssh attempt failed. What am I doing wrong here?

Thanks again everyone for all of your help.

On Apr 5, 2006, at 10:08 PM, Ean Kingston wrote:

> You neglected to include the 'add' in your first fwcmd.
>
> You may want to try something simple to start with. I haven't used ipfw in a while so hopefully my syntax is still good. Here is a simple starting point:
>
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx" # IP Address of person
> ${fwcmd} add allow tcp from ${mip} to me 22 in # allow connection to ssh
> ${fwcmd} add allow tcp from me 22 to ${mip} out # allow me to respond
>
> I think all you really need is this:
>
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup
>
> Since the rest of it should be taken care of by the rest of the 'client' ipfw setup.
>
> On Wednesday 05 April 2006 21:50, Anthony M. Agelastos wrote:
>> Hello everyone,
>>
>> Allow me to preface my problem by saying that I am very ignorant when it comes to networking. I do apologize if this is trivial. In any event, I enabled the "client" ipfw firewall located in /etc/rc.firewall. This appears to work well for my needs... except for one additional item. I need someone outside of my network to have SSH access to my machine. I know his/her IP address. So, I have added some additional items to rc.firewall for this. Here is what I added.
>>
>> # Allow person SSH access
>> mip="xxx.xxx.xxx.xxx"
>> ${fwcmd} allow tcp from any to any 22 out setup keep-state
>> ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
>>
>> I have tried many, many differing variations of this from items I have found online. I cannot get any of them to work. My network setup is as follows
>>
>> internet -> cable modem -> netgear router -> freebsd 6.1-prerelease
>>
>> This user can SSH into my machine when I set the firewall to "open". Any ideas?
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> --
> Ean Kingston, BSc, CISSP, ARO
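The rules this thread converges on, written out as an added example (not code from the thread and not FreeBSD's own rc.firewall), together with the logging detail the last message is missing: ipfw writes a log line only for a rule that carries the `log` keyword, and only while net.inet.ip.fw.verbose=1 (which firewall_logging="YES" sets at boot). A plain `deny` never logs, whatever the sysctls say, so a blocked SSH attempt can leave /var/log/security untouched. The block assumes the surrounding client ruleset defines ${fwcmd} and ${ip}, uses the documentation address 203.0.113.7 in place of xxx.xxx.xxx.xxx, and must sit before the rule that denies the remaining incoming TCP setup packets, since ipfw stops at the first match. The dry-run wrapper around `fwcmd` is there so the emitted rules can be inspected on any machine; only the two `add` lines belong in rc.firewall.

```shell
#!/bin/sh
# Added example: a replacement for the "Allow person SSH access" block of
# the ipfw client ruleset, plus a check that every rule you expect to see
# in /var/log/security actually carries "log".
#
# Assumptions (not stated in the thread): ${fwcmd} and ${ip} come from the
# surrounding rc.firewall; 203.0.113.7 stands in for the remote person's
# address; FWCMD=/sbin/ipfw selects a live install instead of the dry run.

# Dry run by default: print the ipfw commands instead of executing them.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

# ssh_rules MIP HOST
# Every command starts with "add": a line that omits it, like the first
# line of the original post, is not a rule and ipfw rejects it.
ssh_rules() {
    mip="$1"
    host="$2"
    # SYN from the permitted address: log it, allow it, and cap the number
    # of simultaneous connections from that one address at two.
    ${fwcmd} add allow log tcp from "${mip}" to "${host}" 22 setup limit src-addr 2
    # Any other SYN to port 22: deny it and log it so the attempt shows up.
    ${fwcmd} add deny log tcp from any to "${host}" 22 setup
}

# count_unlogged OUTPUT
# Number of emitted "add" rules that lack the "log" keyword; anything
# counted here will never produce a line in /var/log/security.
count_unlogged() {
    printf '%s\n' "$1" | grep ' add ' | grep -vc ' log '
}

# Related settings, for reference (rc.conf / sysctl.conf, not shell):
#   firewall_logging="YES"          # sets net.inet.ip.fw.verbose=1 at boot
#   net.inet.ip.fw.verbose_limit=5  # per-rule cap on logged packets; 0 = no cap

ssh_rules 203.0.113.7 192.0.2.1
```

On the FreeBSD host, `ipfw -a list` prints each rule with its packet and byte counters, so after one failed connection you can see which rule the SYN hit and whether that rule has `log` in it; logged packets go through syslog's security facility, which the stock /etc/syslog.conf sends to /var/log/security. Note that verbose_limit=5 stops logging for a rule after five packets until the counters are reset with `ipfw resetlog`.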