From owner-freebsd-questions@FreeBSD.ORG Wed Oct 11 23:47:11 2006
Date: Thu, 12 Oct 2006 02:47:20 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Spiros Papadopoulos
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with ipfw and ssh
Message-ID: <20061011234720.GA84405@gothmog.pc>
References: <20061011220815.GA83773@gothmog.pc>
On 2006-10-12 00:53, Spiros Papadopoulos wrote:
> I started yesterday playing with it / testing it, but since I
> want to do most of the work remotely, I got stuck on this rule and
> feel like I will keep looking until I find the solution. I paste the
> whole script here just in case something else is wrong... Here
> is my ipfw.rules file:
>
> /** Sorry for the delay. In the meanwhile, just before I sent the
> mail something else happened. Taking into account what you told
> me about the "state" keyword, I added it to rule 300. Then
> I could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail was
> working as described previously... Now also when I run the
> script with the "allowall" option it gives me problems, when it
> was working before. I can ping the machine and get replies but
> I cannot ssh to it. It seems that I am doing something wrong
> but cannot identify where */
>
> #!/bin/sh
>
> # rules command prefix
> addcmd="/sbin/ipfw -q add"
>
> # and the interface
> if="xl0"
>
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
>
> nic="sk0"
> ks="keep-state"
>
> # Flush out the list
> /sbin/ipfw -q -f flush
>
> if [ "$1" = "allowall" ]
> then
> ${addcmd} 100 allow all from any to any via ${nic}
> exit 0
> else
> # Only in rare cases do you want to change these rules
> ${addcmd} 50 allow all from any to any via lo0
> ${addcmd} 100 deny all from any to 127.0.0.0/8
> ${addcmd} 150 deny ip from 127.0.0.0/8 to any

These look ok.

> # At the moment don't allow it
> #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
> #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

Not sure why these are needed (but they are commented out).

> # Allow only specific stuff and maintain the firewall for as long
> # as needed to become tough enough
>
> # check state and keep it
> ${addcmd} 200 check-state
>
> ${addcmd} 210 allow tcp from me to any setup ${ks}
> ${addcmd} 211 allow udp from me to any ${ks}
>
> ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
> ${addcmd} 212 allow icmp from me to any
>
> # Allow Traffic to my ISP DNS server
> ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
> ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
>
> # Allow ssh from anywhere
> #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
> #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
> # Everything else is denied
> ${addcmd} 65535 deny all from any to ${ip}
> exit 0
> fi

You seem to be missing a 'setup' keyword in the ssh rule :-/

I just loaded your own ruleset (with ${ip} and ${nic} set to local
values) on a FreeBSD 7.0-CURRENT system here. They work fine, as far
as I can tell:

,----------------------------------------------------------------
| giorgos@gothmog:/home/giorgos$ su -
| Password: ********
| root@gothmog:/root# ipfw -d show
| 00050   168   30828 allow ip from any to any via lo0
| 00100     0       0 deny ip from any to 127.0.0.0/8
| 00150     0       0 deny ip from 127.0.0.0/8 to any
| 00200     0       0 check-state
| 00210   881  129402 allow tcp from me to any setup keep-state
| 00211     8     965 allow udp from me to any keep-state
| 00212     0       0 allow icmp from any to me icmptypes 0,3,4,11
| 00212     0       0 allow icmp from me to any
| 00250     0       0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251     0       0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300   649   92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535   154   35966 deny ip from any to any
| ## Dynamic rules (12):
| root@gothmog:/root#
`----------------------------------------------------------------

The only changes I made are:

* Use 'any' instead of xx.xxx.x.xx as the UDP address.
* Change ${ip} to my own address
* Change ${nic} to my own interface name

I can connect to other hosts and ssh back into my workstation with
this ruleset :-/

Sorry, but I'm not sure why in your case this fails to work.
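An added example, not part of this thread and not a FreeBSD or ipfw tool: a small Python lint that reads ipfw rules, either in the `ipfw show` format printed in the reply above or as `ipfw add ...` lines after shell expansion, and flags the two things the thread turns on. It reports a TCP `allow` rule that uses `keep-state` without `setup` (the point Giorgos raises about rule 300), and a literal `{` left in a rule body, which is what the quoted script's `{ks}` (written without `$`) becomes after the shell expands it and which ipfw will not accept. The sample inputs, the rule-number and finding names, and the function names are all my own constructions, modelled on the ruleset quoted above.

```python
import re

# Constructed sample in the `ipfw show` format (rule number, packet and byte
# counters, rule body), modelled on the ruleset shown in the reply above.
SAMPLE_SHOW = """\
00200 0 0 check-state
00210 881 129402 allow tcp from me to any setup keep-state
00211 8 965 allow udp from me to any keep-state
00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
65535 154 35966 deny ip from any to any
## Dynamic rules (12):
"""

# Constructed sample in the script format, after the shell has expanded ${addcmd}
# but with the ${ks} variable mistyped as {ks}, as in the quoted ipfw.rules file.
SAMPLE_SCRIPT_LINE = (
    "/sbin/ipfw -q add 300 allow log logamount 5 tcp from any to any ssh {ks}"
)

# Optional "... add " prefix, rule number, optional packet/byte counters, action, body.
RULE_RE = re.compile(
    r"^(?:.*?\badd\s+)?(\d+)\s+(?:\d+\s+\d+\s+)?"
    r"(allow|accept|pass|deny|drop|check-state|count)\b\s*(.*)$"
)

TCP_KEEP_STATE_NO_SETUP = "tcp-keep-state-without-setup"
UNEXPANDED_VARIABLE = "unexpanded-shell-variable"


def parse_rule(line):
    """Return (number, action, body tokens) for one rule line, or None otherwise."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    number, action, tokens = int(m.group(1)), m.group(2), m.group(3).split()
    # Skip the logging options so that the protocol is the first body token.
    if tokens and tokens[0] == "log":
        tokens = tokens[1:]
        if len(tokens) >= 2 and tokens[0] == "logamount":
            tokens = tokens[2:]
    return number, action, tokens


def lint_rules(text):
    """Return [(rule number, finding code)] for each problem found in the text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        number, action, tokens = parsed
        # A '{' survives shell expansion only when a variable was written without
        # '$'; ipfw rejects such a rule, and a script that does not stop on errors
        # simply continues without it.
        if any("{" in tok for tok in tokens):
            findings.append((number, UNEXPANDED_VARIABLE))
        proto = tokens[0] if tokens else ""
        if (action in ("allow", "accept", "pass") and proto == "tcp"
                and "keep-state" in tokens and "setup" not in tokens):
            # Without 'setup', any matching TCP segment (not only the initial SYN)
            # is accepted and creates dynamic state, so mid-connection segments
            # from anywhere get through as well.
            findings.append((number, TCP_KEEP_STATE_NO_SETUP))
    return findings


if __name__ == "__main__":
    for number, code in lint_rules(SAMPLE_SHOW) + lint_rules(SAMPLE_SCRIPT_LINE):
        print(f"rule {number:05d}: {code}")
```

Run against the `ipfw show` sample it reports only rule 300, and run against the script line it reports the unexpanded `{ks}`; a rule written as `setup keep-state` passes clean. The check is intentionally narrow: it says nothing about whether a rule is reachable or shadowed by an earlier one, only whether each stateful TCP rule is spelled the way ipfw expects.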