From: "Andrew L. Gould" <algould@datawok.com>
To: "Daan Vreeken [PA4DAN]"
cc: FreeBSD-questions@FreeBSD.org
Date: Sun, 18 Jan 2004 18:59:36 -0600
Subject: Re: ipfw rules for letting ssh requests in
Message-Id: <200401181859.36074.algould@datawok.com>
References: <200401181747.04419.algould@datawok.com> <200401190053.38351.Danovitsch@Vitsch.net>
In-Reply-To: <200401190053.38351.Danovitsch@Vitsch.net>

On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:
> On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
> > I can't seem to get the ipfw rules right for letting ssh clients access an
> > ssh server. I can use ssh on the server to connect to the client; but if
> > I try to connect from the client to the server, the operation times out.
> >
> > I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all
> > of the rules as expected. It also shows packets having been allowed at
> > rule 300 after an attempt to connect has been made.
> >
> > I have copied the top portion of /etc/ipfw.rules:
> >
> > #!/bin/sh
> >
> > # Andrew L. Gould's firewall rules.
> >
> > fwcmd="/sbin/ipfw -q"
> > ${fwcmd} -f flush
> >
> >
> > # Basic rules that should not be changed
> > ${fwcmd} add 00100 pass all from any to any via lo0
> > ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
> >
> >
> > # Allow specified service requests in
> > # ssh
> > ${fwcmd} add 00300 allow tcp from any to me 22
> > ${fwcmd} add 00301 allow udp from any to me 22
> >
> > Does anyone have any idea why the operation is timing out or what I have
> > done wrong?
>
> You forgot the packets in the other direction... This should do the trick:
>
> ${fwcmd} add 00300 allow tcp from any to me 22
> ${fwcmd} add 00301 allow tcp from me 22 to any
>
> grtz,
> Daan

I have the firewall configured to let anything out. As noted above, I was
able to connect from the server to the client using ssh. Here's the
entirety of /etc/ipfw.rules:

#!/bin/sh

# Andrew L. Gould's firewall rules.

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush

${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any

# Allow specified service requests in
# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22
# irc
${fwcmd} add 00302 allow tcp from any to me 194
${fwcmd} add 00303 allow udp from any to me 194
# auth (ident)
${fwcmd} add 00304 allow tcp from any to me 113
${fwcmd} add 00305 allow udp from any to me 113
# ircd
${fwcmd} add 00310 allow tcp from any to me 6667

# Allow TCP connections that were initiated locally
${fwcmd} add 00400 check-state
${fwcmd} add 00402 allow tcp from any to any out setup keep-state

# Allow DNS and DHCP activities
${fwcmd} add 00500 allow udp from any 53 to any in recv dc0
${fwcmd} add 00501 allow udp from any 67 to any 68 in recv dc0
${fwcmd} add 00502 allow udp from any to any out

# Allow ICMP activities
${fwcmd} add 00600 allow icmp from any to any icmptype 0
${fwcmd} add 00601 allow icmp from any to any icmptype 3
${fwcmd} add 00602 allow icmp from any to any icmptype 4
${fwcmd} add 00603 allow icmp from any to any icmptype 8
${fwcmd} add 00604 allow icmp from any to any icmptype 11 in

${fwcmd} add 00901 deny tcp from any to any in established
${fwcmd} add 65535 deny all from any to any

#############################################

Thanks,

Andrew Gould
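The question in this thread is why an inbound ssh connection times out even though rule 300 shows packets being allowed. The following is an added example, not part of the thread and not ipfw's own code: a small, constructed model of ipfw's first-match evaluation that understands only the keywords the posted rules use (`in`/`out`, `setup`, `established`, `keep-state`, `check-state`, `via`/`recv`, `icmptype`, `me`). It walks the client's SYN and the server's SYN-ACK through Andrew's ruleset, then through Daan's suggested rule 301, and through a third, stateful variant that is this example's own assumption (rule 300 rewritten with `in setup keep-state`). The addresses are constructed placeholders; the rule number returned is simply where this model reached its verdict, not a claim about what `ipfw show` would count against.

```python
"""Toy model of ipfw first-match evaluation for the ruleset posted in this thread.
Constructed simplification for illustration; it is not ipfw's real matching code."""
import ipaddress

ME = "192.0.2.10"        # constructed address standing in for ipfw's "me"
CLIENT = "198.51.100.7"  # constructed address of the remote ssh client

# Andrew's posted rules, minus the "${fwcmd} add" prefix and the flush.
ANDREW_RULES = """
00100 pass all from any to any via lo0
00110 deny all from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
00300 allow tcp from any to me 22
00301 allow udp from any to me 22
00302 allow tcp from any to me 194
00303 allow udp from any to me 194
00304 allow tcp from any to me 113
00305 allow udp from any to me 113
00310 allow tcp from any to me 6667
00400 check-state
00402 allow tcp from any to any out setup keep-state
00500 allow udp from any 53 to any in recv dc0
00501 allow udp from any 67 to any 68 in recv dc0
00502 allow udp from any to any out
00600 allow icmp from any to any icmptype 0
00601 allow icmp from any to any icmptype 3
00602 allow icmp from any to any icmptype 4
00603 allow icmp from any to any icmptype 8
00604 allow icmp from any to any icmptype 11 in
00901 deny tcp from any to any in established
65535 deny all from any to any
""".strip().splitlines()

def parse(line):
    """Parse one rule into a dict; unsupported keywords raise rather than being ignored."""
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1]}
    if r["action"] == "check-state":
        return r
    r["proto"] = tok[2]
    i = tok.index("from") + 1
    r["src"] = tok[i]; i += 1
    if tok[i].isdigit():                      # optional source port
        r["sport"] = int(tok[i]); i += 1
    i += 1                                    # skip "to"
    r["dst"] = tok[i]; i += 1
    if i < len(tok) and tok[i].isdigit():     # optional destination port
        r["dport"] = int(tok[i]); i += 1
    while i < len(tok):
        t = tok[i]; i += 1
        if t in ("in", "out"):
            r["dir"] = t
        elif t in ("setup", "established", "keep-state"):
            r[t] = True
        elif t in ("via", "recv", "icmptype"):
            r[t] = tok[i]; i += 1
        else:
            raise ValueError(f"unsupported keyword {t!r} in rule {r['num']}")
    return r

def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    """Static match of packet p against rule r; dynamic state is handled in evaluate()."""
    if r["proto"] not in ("all", "ip", p["proto"]):
        return False
    if not (addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])):
        return False
    if r.get("sport", p["sport"]) != p["sport"] or r.get("dport", p["dport"]) != p["dport"]:
        return False
    if r.get("dir", p["dir"]) != p["dir"]:
        return False
    for k in ("via", "recv"):                 # interface keywords used by the posted rules
        if r.get(k, p["iface"]) != p["iface"]:
            return False
    if r.get("setup") and not (p.get("syn") and not p.get("ack")):   # setup = SYN without ACK
        return False
    if r.get("established") and not p.get("ack"):
        return False
    if "icmptype" in r and int(r["icmptype"]) != p.get("icmptype"):
        return False
    return True

def flow_key(p):
    # Direction-independent 5-tuple so the reply packet finds the state its request created.
    return (p["proto"], frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def evaluate(rules, p, state):
    """First-match walk; the dynamic table is consulted once, at the first check-state or
    keep-state rule. Returns (verdict, rule number where this model decided)."""
    key, checked = flow_key(p), False
    for r in rules:
        if not checked and (r["action"] == "check-state" or r.get("keep-state")):
            checked = True
            if key in state:
                return "allow", r["num"]
        if r["action"] == "check-state" or not matches(r, p):
            continue
        if r.get("keep-state"):
            state.add(key)
        return ("allow" if r["action"] in ("allow", "pass") else "deny"), r["num"]
    return "deny", 65535                      # ipfw's built-in default rule

def tcp(src, sport, dst, dport, direction, syn=False, ack=False):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "iface": "dc0", "syn": syn, "ack": ack}

def trace_inbound_ssh(rule_lines):
    """Client SYN arriving, then the server's SYN-ACK leaving; returns both verdicts."""
    rules, state = [parse(l) for l in rule_lines], set()
    syn = tcp(CLIENT, 50123, ME, 22, "in", syn=True)
    synack = tcp(ME, 22, CLIENT, 50123, "out", syn=True, ack=True)
    return evaluate(rules, syn, state), evaluate(rules, synack, state)

def trace_outbound_ssh(rule_lines):
    """Server-initiated ssh (the case Andrew says works): SYN out, SYN-ACK back in."""
    rules, state = [parse(l) for l in rule_lines], set()
    syn = tcp(ME, 51000, CLIENT, 22, "out", syn=True)
    synack = tcp(CLIENT, 22, ME, 51000, "in", syn=True, ack=True)
    return evaluate(rules, syn, state), evaluate(rules, synack, state)

def with_rule(base, line):
    """Copy of base with `line` added, replacing any rule that carries the same number."""
    num = line.split()[0]
    return sorted([l for l in base if l.split()[0] != num] + [line], key=lambda l: int(l.split()[0]))

DAAN_RULES = with_rule(ANDREW_RULES, "00301 allow tcp from me 22 to any")       # Daan's reply
STATEFUL_RULES = with_rule(ANDREW_RULES, "00300 allow tcp from any to me 22 in setup keep-state")  # assumed variant

if __name__ == "__main__":
    for name, rules in (("andrew", ANDREW_RULES), ("daan", DAAN_RULES), ("stateful", STATEFUL_RULES)):
        print(name, "inbound ssh (SYN, SYN-ACK):", trace_inbound_ssh(rules))
    print("andrew outbound ssh (SYN, SYN-ACK):", trace_outbound_ssh(ANDREW_RULES))
```

In this model the inbound SYN is allowed at rule 300, which is exactly what `ipfw show` reported, but the server's SYN-ACK carries the ACK bit, so it is not a `setup` packet and rule 402 does not match it; no rule created state for the inbound flow, so `check-state` has nothing to find, and the reply falls through to 65535. Server-initiated connections succeed because 402 both matches their SYN and records state for the reply. Either Daan's explicit reverse rule or a `keep-state` on rule 300 lets the reply through; the stateful form has the advantage of only admitting replies to connections the firewall actually saw begin.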