From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 09:48:06 2005
Date: Fri, 29 Apr 2005 19:47:59 +1000 (EST)
From: Neo-Vortex
To: Siddhartha Jain
cc: freebsd-security@freebsd.org
Subject: Re: IPFW disconnections and resets
In-Reply-To: <4272011F.9040707@netmagicsolutions.com>
Message-ID: <20050429194242.I78552@Neo-Vortex.net>
References: <4272011F.9040707@netmagicsolutions.com>
List-Id: Security issues [members-only posting]

On Fri, 29 Apr 2005, Siddhartha Jain wrote:

> I am facing two problems:
> - SSH sessions timeout after a while

In PuTTY or whatever other SSH client you use, enable sending of keepalive
packets (for PuTTY: under connection settings). (Not sure if this is because
of ipfw or what, but the TCP session is timing out.)

> - When I run "/sbin/ipfw -q -f flush" in the rules script all connections
> get reset (and I am thrown out of the box).
Yep, standard functionality, easy fix though:

-- Start file /root/bin/fws --
#!/bin/sh
fw > /root/fws-out 2>&1 &
-- End File --

-- Start file /root/bin/fw --
#!/bin/sh
ipfw="ipfw"

# Flush old rules
$ipfw -f flush

# Temporary rules to stop connections being killed when reloading rules
$ipfw add 1 allow tcp from any to any established
$ipfw add 2 allow udp from any to any

# - your rules go here (don't use rule 1 or 2 though)

# Clean up temporary rules used to stop connections being killed
$ipfw delete 1
$ipfw delete 2
-- End File --

I use that all the time; maybe 1 out of 100 times it will kill an SSH session
(only one that has irssi open, because of the time updating it kills it; I have
it set to update every second though, so normally it'd be like 1 out of 500 or
so), and even if it does, it still finishes loading the ruleset anyway, so you
can just SSH straight back in.

If you haven't guessed, you run /root/bin/fws. You can change it to whatever
you want, of course. Also, the output is redirected to /root/fws-out; if you
don't redirect it, it'll kill your SSH session, although it won't stop it
loading the other rules.

~Neo-Vortex
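The same flush-then-bridge sequence as one reusable sh script, added here as an illustration rather than Neo-Vortex's own fw/fws scripts. It keeps the temporary rules numbered 1 and 2 and the detached, redirected run from the post, and additionally removes the temporary rules even when loading the real ruleset fails partway, so a broken rules file cannot leave rule 2 (which passes all UDP for the duration of the reload) sitting in the chain. The `load_rules` body, the rule numbers 100/200/300/65000, the `LOGFILE` path and the `IPFW` override are assumptions for illustration; pointing `IPFW` at a shell function that records its arguments lets the exact command sequence be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not the scripts from the post. Reload an ipfw ruleset while
# keeping established sessions alive. IPFW may be pointed at a stub command
# (for instance a shell function) for a dry run on a machine without ipfw.
IPFW="${IPFW:-/sbin/ipfw}"
LOGFILE="${LOGFILE:-/root/fws-out}"
TMP_TCP=1   # temporary rule numbers; keep them unused in the real ruleset
TMP_UDP=2

# Hypothetical site ruleset (constructed for the example); replace with your
# own rules, never using numbers 1 or 2.
load_rules() {
    $IPFW -q add 100 allow ip from any to any via lo0 || return 1
    $IPFW -q add 200 allow tcp from any to any established || return 1
    $IPFW -q add 300 allow tcp from any to me 22 setup || return 1
    $IPFW -q add 65000 deny ip from any to any || return 1
}

# Flush, bridge the traffic that is already flowing, load the real rules,
# then remove the bridge. Returns the status of load_rules so a caller can
# tell that the reload failed even though the temporary rules were cleaned up.
reload_ruleset() {
    $IPFW -q -f flush || return 1
    # Rule 1 lets packets of already-established TCP sessions (the admin's
    # SSH) through the otherwise empty chain; rule 2 passes all UDP, as in
    # the post, so it must stay short-lived: both are deleted below on
    # success and on failure alike.
    $IPFW -q add "$TMP_TCP" allow tcp from any to any established || return 1
    $IPFW -q add "$TMP_UDP" allow udp from any to any || return 1
    if load_rules; then rc=0; else rc=$?; fi
    $IPFW -q delete "$TMP_TCP"
    $IPFW -q delete "$TMP_UDP"
    return $rc
}

# Detached run with output redirected, as the post's fws wrapper does: writing
# to the SSH terminal while the chain is empty is what kills the session.
if [ "${1:-}" = "reload" ]; then
    reload_ruleset > "$LOGFILE" 2>&1 &
fi
```

Run it as `sh fw-reload.sh reload` on the firewall, then read `$LOGFILE` for errors; the exit status of `reload_ruleset` is the first thing to check when a rule in `load_rules` has a typo, because the bridge rules are gone either way and only the log shows which line failed.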