From: "Stephen Major"
To: "'Alexander Leidinger'"
Cc: freebsd-security@freebsd.org, remko@freebsd.org, 'Pat Maddox', 'FreeBSD Questions'
Date: Tue, 23 Aug 2005 05:14:55 -0700
Subject: RE: Security warning with sshd
List: freebsd-questions@freebsd.org (User questions)
In-Reply-To: <20050823120630.q2tfbx2kg44w8o4s@netchild.homeip.net>
Message-ID: <430b138a.7c0e796e.1155.547a@mx.gmail.com>

The issue he is having: I had the exact same problems, and as soon as I changed my config to the one below, poof, no more problems. You can set your firewall however you want. I was just saying what gets rid of the problem he is having with ssh. So instead of ripping apart what I have said, why do you not provide a better solution to the original question asked?

-----Original Message-----
From: Alexander Leidinger [mailto:Alexander@Leidinger.net]
Sent: Tuesday, August 23, 2005 3:07 AM
To: Stephen Major
Cc: remko@freebsd.org; 'Pat Maddox'; freebsd-security@freebsd.org; 'FreeBSD Questions'
Subject: RE: Security warning with sshd

Stephen Major wrote:

> This is due to a misconfigured firewall. If you are using IPFW there are
> many tutorials out there that tell you to do the wrong thing. And almost all
> of them contradict each other. Below is a basic script that only allows in
> and out SSH sessions and blocks all the garbage. Of course you must add any
> other services you need. The key here is that you allow connections from any
> to any established. Then on all outgoing tcp connections be sure to use the
> setup keep-state flags. The keep-state flag puts the rule into the dynamic
> rules table. Then the allow connections from any to any established allows
> already established connections to flow without going through the ruleset
> again. When I did this the error messages you are now experiencing went
> away.

I'm *dis*allowing established connections in my firewall, and everything works as expected. You just need to expect the right thing. :-)

"established" is a non-stateful filter rule, so it matches on the presence/absence of some TCP flags. I can't get to the ipfw statistics yet, but there are a lot of established packets which are rejected. Needless to say that there's normal traffic (ssh, https, smtp, imaps, ...) which goes through the firewall just fine.

> ### check the traffic's state
> $ipfwcmd $flags add 00500 check-state

Here you have the stateful equivalent of the "established" rule, so every successfully set up connection ("keep-state") already passes because of this rule.

> $ipfwcmd $flags add 00501 allow tcp from any to any established

Here you can switch to "reject" or "deny" instead of allowing it. Everything should just continue to work (if it doesn't, most likely you forgot a "keep-state" somewhere). With this a reconfiguration of the firewall results in dropping established connections.

> ###### outbound section ######
>
> ### Allow out ssh
> $ipfwcmd $flags add 02150 allow tcp from me 22 to any out via $oif
> setup keep-state

What are you trying to do here? Outgoing connections from ssh clients have a src port above 1024.

Bye,
Alexander.

--
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org      netchild @ FreeBSD.org   : PGP ID = 72077137

Avoid strange women and temporary variables.
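The two points Alexander makes (that "established" is a stateless flag test which check-state/keep-state already covers, and that "from me 22 to any" can never match an outgoing ssh client) are easier to see with a small model than in prose. The following Python is an added example, not code from either mail or from FreeBSD: it implements only the four ipfw keywords the thread argues about (check-state, keep-state, established, setup) with the semantics from ipfw(8), on constructed addresses and hand-built TCP packets. It deliberately leaves out dynamic-rule timeouts and the implicit check-state that real keep-state rules perform.

```python
"""Toy model of ipfw check-state / keep-state / established / setup.
Added example for the thread above, not code from either mail.
Addresses and packets are constructed; semantics are reduced to TCP only."""
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"        # constructed: the firewall host, ipfw's "me"
SERVER = "198.51.100.5"  # constructed: a remote ssh server we connect to
SCANNER = "203.0.113.7"  # constructed: an unsolicited remote host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    out: bool = True      # direction as seen from the firewall host


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    src: str = "any"            # "any", "me" or a literal address
    sport: int = 0              # 0 = any port
    dst: str = "any"
    dport: int = 0
    out: Optional[bool] = None  # None = either direction
    setup: bool = False         # ipfw "setup": SYN set and ACK clear
    established: bool = False   # ipfw "established": RST or ACK set (stateless)
    keep_state: bool = False    # ipfw "keep-state": record the flow on match


def _addr(pattern: str, addr: str) -> bool:
    return pattern == "any" or (pattern == "me" and addr == ME) or pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match of one rule against one TCP packet."""
    if rule.out is not None and rule.out != pkt.out:
        return False
    if not (_addr(rule.src, pkt.src) and _addr(rule.dst, pkt.dst)):
        return False
    if rule.sport and rule.sport != pkt.sport:
        return False
    if rule.dport and rule.dport != pkt.dport:
        return False
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    if rule.established and not (pkt.ack or pkt.rst):
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()   # flows recorded by keep-state, matched both ways

    @staticmethod
    def _flow(pkt: Packet):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def filter(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.action == "check-state":
                if self._flow(pkt) in self.dynamic:
                    return "allow (dynamic)"
                continue
            if matches(rule, pkt):
                if rule.keep_state:
                    self.dynamic.add(self._flow(pkt))
                return rule.action
        return "deny"   # nothing matched: ipfw's default rule denies


def ruleset(established_action: str):
    """The thread's skeleton with the 'established' rule set to allow or deny."""
    return [
        Rule("check-state"),
        Rule(established_action, established=True),
        # outbound ssh client: ephemeral src port, dst port 22 (corrected rule)
        Rule("allow", src="me", dport=22, out=True, setup=True, keep_state=True),
        Rule("allow", dst="me", dport=22, out=False, setup=True, keep_state=True),
        Rule("deny"),
    ]


def run_scenario(established_action: str) -> dict:
    fw = Firewall(ruleset(established_action))
    results = {
        "client_syn": fw.filter(Packet(ME, 54321, SERVER, 22, syn=True, out=True)),
        "server_synack": fw.filter(Packet(SERVER, 22, ME, 54321, syn=True, ack=True, out=False)),
        # unsolicited ACK-only packet (e.g. an ACK scan): no dynamic entry exists for it
        "stray_ack": fw.filter(Packet(SCANNER, 4444, ME, 22, ack=True, out=False)),
    }
    fw.dynamic.clear()   # a firewall reload: the dynamic table is gone
    results["data_after_flush"] = fw.filter(Packet(SERVER, 22, ME, 54321, ack=True, out=False))
    return results


# The outbound rule from the quoted script, and what it should have been.
MISWRITTEN = Rule("allow", src="me", sport=22, out=True, setup=True, keep_state=True)  # "from me 22 to any"
CORRECTED = Rule("allow", src="me", dport=22, out=True, setup=True, keep_state=True)   # "from me to any 22"


def outbound_ssh_with_rule(rule: Rule) -> str:
    fw = Firewall([Rule("check-state"), rule, Rule("deny")])
    return fw.filter(Packet(ME, 54321, SERVER, 22, syn=True, out=True))


if __name__ == "__main__":
    for action in ("allow", "deny"):
        print(f"established -> {action}: {run_scenario(action)}")
    print("miswritten outbound rule:", outbound_ssh_with_rule(MISWRITTEN))
    print("corrected outbound rule: ", outbound_ssh_with_rule(CORRECTED))
```

Running it shows both sides of the argument: under "allow ... established" the stray ACK from the scanner reaches port 22 even though no connection was ever set up, because the rule only looks at flag bits; under "deny ... established" it is dropped while the real ssh session still passes via check-state. The "data_after_flush" entry is Alexander's caveat: once the dynamic table is lost on a reload, the deny variant kills in-flight connections that the allow variant would have let through. The miswritten rule never matches the client's SYN (source port 54321, not 22), so without a later catch-all it falls through to the default deny.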