From owner-freebsd-bugs@FreeBSD.ORG Mon Jan 10 00:00:55 2005
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E16816A4CE for ; Mon, 10 Jan 2005 00:00:55 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F217543D2D for ; Mon, 10 Jan 2005 00:00:54 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j0A00sAD050317 for ; Mon, 10 Jan 2005 00:00:54 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j0A00srt050316; Mon, 10 Jan 2005 00:00:54 GMT (envelope-from gnats)
Date: Mon, 10 Jan 2005 00:00:54 GMT
Message-Id: <200501100000.j0A00srt050316@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Giorgos Keramidas
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Giorgos Keramidas
List-Id: Bug reports
X-List-Received-Date: Mon, 10 Jan 2005 00:00:55 -0000

The following reply was made to PR kern/75601; it has been noted by GNATS.

From: Giorgos Keramidas
To: Nick Hale
Cc: bug-followup@freebsd.org
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 01:58:10 +0200

Nick Hale wrote:
>Giorgos Keramidas wrote:
>>On 2004-12-29 07:00, Joe wrote:
>>> Ever since we upgraded our boxes from FreeBSD 5.2 to FreeBSD 5.3, we
>>> have trouble logging in to SSH. This only occurs when we have
>>> ipfilter on. We have port 22 opened for people to SSH to and from.
>>> If I type ipf -D and disable ipfilter, I can SSH into the box, yet as
>>> soon as it's active, I can't get in. It does not stop with SSH either,
>>> if I try to access a web page from the box, I cannot view it or it
>>> takes literally about an hour to load. Again, when I turn off
>>> ipfilter, the issue goes away, and when it is turned back on, the
>>> problem appears again.
>>
>> Can we see your ruleset?
>
> It isn't a ruleset issue at this time as the following lines are in
> the rules (at the top)
>
> pass in quick on em0 from to any
> pass out quick on em0 from any to
>
> The ip addresses in those first couple of rules are my particular IP
> address and it's still having issues.

Hmmm, if these are the rules you have, then I think you have the `in'
and `out' directions backwards. When you use a rule like:

    pass in quick on em0 from any to

The "in" direction is packets sent FROM someone else TO you, that enter
your network interface as "incoming" and are parsed by your network
stack as "input packets". The reverse applies to packets that YOU send
OUT-wards:

    pass out quick on em0 from to any

Make sure the rest of your rules are not reversed in a similar manner,
or (please) just post the output of `ipfstat -nio' as a followup to
this problem report (masking any IP addresses you don't want us to
see).

- Giorgos
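As an added example (not part of this PR thread or of ipfilter itself), the direction check Giorgos describes, written as a small Python lint over the subset of ipf rule syntax quoted above. The address 192.0.2.10 is a constructed documentation-range placeholder standing in for the reporter's masked IP.

```python
import re

# Subset of ipfilter rule syntax used in the rules quoted in the PR:
#   <pass|block> <in|out> [quick] on <ifname> from <addr> to <addr>
# Rules with extra keywords (proto, port, ...) are not matched and are skipped.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?:quick\s+)?"
    r"on\s+(?P<iface>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)$"
)

def parse_rules(conf):
    """Parse the supported subset of an ipf.conf into dicts; comments/blanks ignored."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if m:
            rules.append({**m.groupdict(), "text": line})
    return rules

def reversed_direction_rules(rules, local_addrs):
    """Flag rules whose direction contradicts the address roles.

    "in" packets are addressed TO this host, so an "in" rule with one of our
    addresses as *source* can only match spoofed traffic; "out" packets carry
    our address as *source*, so an "out" rule with it as *destination* never
    matches real traffic.  Such a rule never fires and a later rule (or the
    default policy) decides instead: the symptom in the PR.  Exact match only.
    """
    return [r for r in rules
            if (r["dir"] == "in" and r["src"] in local_addrs)
            or (r["dir"] == "out" and r["dst"] in local_addrs)]

# Constructed sample ruleset: the reversed pair as quoted, then the corrected pair.
# 192.0.2.10 is a documentation-range placeholder for the reporter's masked address.
SAMPLE_CONF = """\
pass in quick on em0 from 192.0.2.10 to any    # reversed
pass out quick on em0 from any to 192.0.2.10   # reversed
pass in quick on em0 from any to 192.0.2.10    # correct: peer -> us
pass out quick on em0 from 192.0.2.10 to any   # correct: us -> peer
"""

def check_sample():
    """Return the text of the reversed rules found in SAMPLE_CONF."""
    return [r["text"] for r in
            reversed_direction_rules(parse_rules(SAMPLE_CONF), {"192.0.2.10"})]

if __name__ == "__main__":
    for text in check_sample():
        print("reversed direction:", text)
```

Running it on a real ipf.conf with the host's own addresses as `local_addrs` surfaces only the two reversed rules; the corrected pair passes.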