From owner-freebsd-questions@FreeBSD.ORG Thu Oct 12 00:42:28 2006
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Spiros Papadopoulos
Cc: freebsd-questions@freebsd.org
Date: Thu, 12 Oct 2006 03:42:32 +0300
Subject: Re: Problems with ipfw and ssh
Message-ID: <20061012004232.GA86197@gothmog.pc>
References: <20061011220815.GA83773@gothmog.pc> <20061011234720.GA84405@gothmog.pc>

On 2006-10-12 01:31, Spiros Papadopoulos wrote:
> On 12/10/06, Giorgos Keramidas wrote:
>> ,----------------------------------------------------------------
>> | giorgos@gothmog:/home/giorgos$ su -
>> | Password: ********
>> | root@gothmog:/root# ipfw -d show
>> | 00050 168 30828 allow ip from any to any via lo0
>> | 00100 0 0 deny ip from any to 127.0.0.0/8
>> | 00150 0 0 deny ip from 127.0.0.0/8 to any
>> | 00200 0 0 check-state
>> | 00210 881 129402 allow tcp from me to any setup keep-state
>> | 00211 8 965 allow udp from me to any keep-state
>> | 00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
>> | 00212 0 0 allow icmp from me to any
>> | 00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
>> | 00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
>> | 00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
>> | 65535 154 35966 deny ip from any to any
>> | ## Dynamic rules (12):
>> | root@gothmog:/root#
>> `----------------------------------------------------------------
>>
>> The only changes I made are:
>>
>> * Use 'any' instead of xx.xxx.x.xx as the UDP address.
>>
>> * Change ${ip} to my own address
>>
>> * Change ${nic} to my own interface name
>>
>> I can connect to other hosts and ssh back into my workstation
>> with this ruleset :-/
>>
>> Sorry, but I'm not sure why in your case this fails to work.
>
> Now this is strange. I will try again tomorrow evening more
> carefully and I will post any results.
>
> Initially I sent the mail because of the failure to su as root
> (as described also in that post I referenced) after I was
> logging in as normal user canonically. So it was working as you
> said. But can you su to root after connecting?

Yes. See above. The `ipfw -d show' command shown there was after I
looped using SSH from my workstation to another system and back again.

> Sorry I will not be able to reply again tonight

No problem. Take your time. There is definitely a logical explanation
why this is happening, even if that explanation is `there is a bug in
ipfw and 5.4' :)
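The counters in an `ipfw -d show` listing are what tell you whether a rule such as the SSH one is actually being hit or whether traffic is falling through to the default deny. The helper below is an added example, not code from the thread; it parses that output format (the sample is copied from the listing quoted above, and the function names are my own) and pulls out the figures worth checking when debugging a ruleset like this.

```python
import re
from collections import Counter, namedtuple

# Sample input constructed from the `ipfw -d show` listing quoted in the thread.
SAMPLE = """\
00050 168 30828 allow ip from any to any via lo0
00100 0 0 deny ip from any to 127.0.0.0/8
00150 0 0 deny ip from 127.0.0.0/8 to any
00200 0 0 check-state
00210 881 129402 allow tcp from me to any setup keep-state
00211 8 965 allow udp from me to any keep-state
00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
00212 0 0 allow icmp from me to any
00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
65535 154 35966 deny ip from any to any
## Dynamic rules (12):
"""

Rule = namedtuple("Rule", "number pkts bytes action body")
# Columns with -d: rule number, packet count, byte count, action, rest of the rule.
LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

def parse_show(text):
    """Parse `ipfw -d show` output into Rule tuples; comment lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            num, pkts, nbytes, action, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(nbytes), action, body))
    return rules

def duplicate_numbers(rules):
    """Numbers used by more than one rule: `ipfw delete N` removes all of them."""
    counts = Counter(r.number for r in rules)
    return sorted(n for n, c in counts.items() if c > 1)

def packets_by_number(rules, number):
    """Packets counted by rule `number` (65535 is the implicit default deny)."""
    return sum(r.pkts for r in rules if r.number == number)

def hits_for(rules, needle):
    """Packets counted by rules whose body contains `needle`, e.g. 'dst-port 22'."""
    return sum(r.pkts for r in rules if needle in r.body)

def idle_rules(rules):
    """Numbers of rules that have matched nothing since the counters were reset."""
    return sorted({r.number for r in rules if r.pkts == 0})
```

On the sample, `hits_for(rules, "dst-port 22")` is 649 and the default deny has swallowed 154 packets, which is the kind of split to compare between a working and a failing host before suspecting ipfw itself.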