Date:      Thu, 12 Oct 2006 21:22:55 +0100
From:      "Spiros Papadopoulos" <spap13@googlemail.com>
To:        vladone <vladone@spaingsm.com>
Cc:        ipfw@freebsd.org
Subject:   Re: Problems with ipfw and ssh
Message-ID:  <dab71e150610121322s7366a685veed68fac640dc4ce@mail.gmail.com>
In-Reply-To: <116110828.20061012220055@spaingsm.com>
References:  <dab71e150610111453m39c6bdb8ia846b3c4b39c4e08@mail.gmail.com> <116110828.20061012220055@spaingsm.com>

Thanks for your replies,

On 12/10/06, *Chris* <sales@webignite.net> wrote:
> If you have your kernel set to deny all by default, you can set a rule
> number 65534 to allow any to any
>
> as rule 65535 will deny any to any
>
> Then work your way back from there.

Could you please make the last part of your thought above clearer for me?

I have already done what you said and I can su normally.
So there is definitely something that must be allowed beforehand which I am
not aware of and which, from the messages and behaviour I get, I cannot
identify.

On 12/10/06, vladone <vladone@spaingsm.com> wrote:
>
> Hello Spiros,
>
> Thursday, October 12, 2006, 12:53:28 AM, you wrote:
>
> > Hi,
> >
> > I am trying to configure a firewall using ipfw for a machine running
> > FreeBSD 5.4. Without NAT.
> >
> > I am nearly a newbie on this (since I never had time until now..) but
> > still I believe I understand exactly the concepts and what needs to be
> > done. Except for the manual page and chapter 26.1 in the handbook, I am
> > using good references such as:
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
> >
> > I need to connect remotely to the machine using ssh and this is where I
> > get the problem:
> >
> > Initially I can connect properly using a normal user account.
> > When later I am trying to su to root it does nothing and the connection
> > closes.
> >
> > I have ipfw enabled in the kernel to deny everything by default.
> > I have used both (one at a time) the following rules concerning ssh, in
> > /etc/ipfw.rules, and also other combinations, such as taking off setup
> > and keep-state etc etc, which would then make my firewall stateless as
> > far as I understood, which is something I don't want anyway.
> >
> > ${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup keep-state
> > -
> > ${addcmd} 300 allow log logamount 5 tcp from any to any ssh keep-state
> >
> > In a first investigation (not thorough) I found this post:
> > http://www.freebsdforums.org/forums/showthread.php?t=21876
> > from which I cannot tell what is wrong or how to fix this.
> >
> > I ran sshd in debug mode and below is the portion for when I am trying
> > to su to root:
> >
> > /* sshd -d */
> > Write failed: Permission denied
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug1: session_pty_cleanup: session 0 release /dev/ttyp7
> >
> > And here are related logs:
> >
> > /* line from /var/log/messages */
> > Oct 11 20:25:54 username sshd[26251]: fatal: Write failed: Permission denied
> >
> > /* /var/log/auth.log */
> > Sep 26 11:17:34 username sshd[50073]: Connection from xxx.xxx.xxx.xxport 1545
> > Sep 26 11:17:46 username sshd[50073]: Accepted keyboard-interactive/pam for user from xxx.xxx.xxx.xx port 1545 ssh2
> > Sep 26 10:17:49 username su: user to root on /dev/ttyp4
> > Sep 26 11:17:51 username sshd[50068]: Read error from remote host xxx.xxx.xxx.xx: Connection reset by peer
> > Sep 26 13:29:40 username sshd[50076]: Read error from remote host xxx.xxx.xxx.xx: Operation timed out
> >
> > Is it trying to write to a socket? I cannot see what it is trying to do
> > and the permission is denied (of course maybe it is in front of me..but..)
> > Could anyone please advise?
> >
> > Thanks in advance
> > Spiros
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> Isn't very clear. You can connect, and then when you try to switch to root,
> your connection is lost?


Yes. It is not doing anything and gives me the message I mentioned earlier.

> Or after some inactivity?
> Try first to leave ipfw open, and test ssh to be sure that this one
> works right. Then use ipfw; I think that the right form for what you
> want is (according to the documentation):
> add 1000 check-state
> add 2000 allow tcp from any to any 22 in setup keep-state


I have used my laptop with the same fbsd version and sshd for months and I
am sure it works if ipfw is off.
Also it works when adding the rule mentioned above.

I have tried to capture the packets coming in and out with tcpdump just
before and after the permission denied message,
but I suppose I could not "see" any blocked ones.
Other small changes to the existing rules made things worse..not better.

I am still not sure what it's trying to do and is denied, and I have in mind
the reply I got yesterday that it worked as is on fbsd 7.0. I have a second
machine running the same fbsd 5.4 (but amd64) version which is next to test.
I was expecting this to be easier and solved by now...

> --
> Best regards,
> vladone                            mailto:vladone@spaingsm.com
>


Thanks
Spiros Papadopoulos
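As an added example (not code from the thread or from either poster): a small Python check that correlates each "su ... to root" line with an sshd connection-drop line that follows it within a short window, so the symptom described above (session lost right after su, with the drop logged by a different sshd pid) can be spotted across many sessions instead of by eye. The sample log lines, hostname, address, pids and the assumed year are constructed, not the poster's real data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the auth.log excerpt in the thread; the host,
# address, pids and timestamps are made up, not the poster's real data.
SAMPLE_AUTH_LOG = """\
Sep 26 11:17:34 fw sshd[50073]: Connection from 192.0.2.10 port 1545
Sep 26 11:17:46 fw sshd[50073]: Accepted keyboard-interactive/pam for user from 192.0.2.10 port 1545 ssh2
Sep 26 11:17:49 fw su: user to root on /dev/ttyp4
Sep 26 11:17:51 fw sshd[50068]: Read error from remote host 192.0.2.10: Connection reset by peer
Sep 26 12:05:02 fw su: user to root on /dev/ttyp5
Sep 26 13:29:40 fw sshd[50076]: Read error from remote host 192.0.2.10: Operation timed out
"""

LOG_YEAR = 2006  # syslog lines carry no year; assumed so timestamps can be compared
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
SU_RE = re.compile(r"^su: (\S+) to root on (\S+)$")
# The two symptoms quoted in the thread: peer reset (auth.log) and EACCES write (messages).
DROP_RE = re.compile(r"^sshd\[\d+\]: (?:fatal: )?(?:Read error from remote host \S+: "
                     r"Connection reset by peer|Write failed: Permission denied)$")


def parse_line(line):
    """Return (timestamp, message-after-hostname) or None for a non-syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def find_drops_after_su(log_text, window_seconds=30):
    """Pair each 'su ... to root' with the first sshd drop line within window_seconds.
    The drop comes from a different sshd pid than the session, so correlate by time."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hits = []
    for i, (su_ts, msg) in enumerate(events):
        su = SU_RE.match(msg)
        if not su:
            continue
        for ts, later in events[i + 1:]:
            if ts - su_ts > timedelta(seconds=window_seconds):
                break  # outside the window: this su did not drop the session
            if DROP_RE.match(later):
                hits.append({"user": su.group(1), "tty": su.group(2),
                             "gap_s": int((ts - su_ts).total_seconds()),
                             "detail": later})
                break
    return hits
```

Run `find_drops_after_su(SAMPLE_AUTH_LOG)` over a real auth.log (plus the `fatal: Write failed` lines from /var/log/messages) to list exactly which su events coincided with a dropped session.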
