Date: Wed, 14 Nov 2012 05:22:43 +0100
From: Polytropon <freebsd@edvax.de>
To: Gary Kline <kline@thought.org>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: well, try here first...
Message-ID: <20121114052243.ae6a24c4.freebsd@edvax.de>
In-Reply-To: <20121114040908.GD16091@ethic.thought.org>
References: <20121113052159.GA31404@ethic.thought.org> <20121113063952.5c9bfaa2.freebsd@edvax.de> <20121113075721.GB3359@ethic.thought.org> <20121113090812.97e1c6a1.freebsd@edvax.de> <20121113185040.GA2570@ethic.thought.org> <20121114023543.0a1737eb.freebsd@edvax.de> <20121114040908.GD16091@ethic.thought.org>
On Tue, 13 Nov 2012 20:09:08 -0800, Gary Kline wrote:
> On Wed, Nov 14, 2012 at 02:35:43AM +0100, Polytropon wrote:
> > > box. it's got a web interface and runs some flavor of firewall that
> > > I never studied. yuk.
> >
> > I assume your "HW firewall" protects you to the outside. Of
> > course it should allow SSH connections from the outside to
> > the "tao" box _if_ you want it that way.
>
> my netgear and pfSense setup surprised me this afternoon. the
> initial setup listed my internal IP as
>
> 10.47.0.114,
>
> but something I did changed the DHCP leases section to
>
> 10.47.0.113 .
>
> after that, I could ssh out and then ssh back to tao.

If you have the option of configuring the DHCP subsystem to
hand out IPs according to MAC addresses, that should make you
safe from reboots and _possible_ new IPs. (At least that's how
I've configured my home system so every device will get the
same IP, no matter how or when it requests one from the DHCP
server. It also includes certain port redirections so an SSH
request from an external source will _always_ be directed to
the _correct_ machine on the LAN.)

> > But I was thinking about the firewall run by the Fedora OS
> > that might block SSH connections to "tao", no matter from
> > where they come, just as if you would have set up FreeBSD's
> > ipfw with the default to deny connections: without explicitly
> > enabling SSH connections the server cannot be reached, no
> > matter if it's running.
>
> I haven't used ipfw for many years. the most recent firewall I
> ran was on FBSD 5.X and was {i think} "pfw". I got quite good
> at it. I should learn more about plain "pf" and pfSense.
> do you know if pf/pfsense defaults to DENY incoming connections?
> that would explain a Lot!

That depends on the pre-configuration of the firewall on the
Linux side.

From reading the article I've mentioned, I got the impression
that the firewall would deny SSH connections per default, and
that _you_ would have to enable it if you wanted to use that
service. That is comparable to OpenBSD's "service disabled by
default" policy. I'm still not sure if this idea will get much
love or understanding in Linux land where a "do everything out
of the box" experience seems to be very important among some
distributions. :-)

On FreeBSD, ipfw can DEFAULT_TO_DENY or DEFAULT_TO_ACCEPT, and
you usually have to specify your rules according to the chosen
paradigm. Of course, there are rules to achieve the same effect,
even if in the opposite paradigm.

> > > > > > The way _how_ to enable it depends on the distribution you're
> > > > > > using and is very different among the Linusi.
> > > > >
> > > > > rt., and this is fedora, my least fav distro. But I've always had
> > > > > trouble with ssh, even with FBSD.
> > > >
> > > > There is a nice summary on how to get the OpenSSH server
> > > > set up on Fedora:
> > > >
> > > > http://www.techotopia.com/index.php/Configuring_Fedora_Linux_Remote_Access_using_SSH
> > > >
> > > > Basically, it's about installing and enabling it. The article
> > > > also discusses how to enable and configure the firewall properly.
> > >
> > > thank you. I'll ck it out. also google other stuff if I have to.
> >
> > Check if the Techotopia article matches your version of Fedora.
> > It shows how to install and enable the SSH server and also
> > mentions the "built-in" firewall that has to be configured
> > to allow connections to that server.
>
> the URL you had was fedora-13; what I installed was fedora-17.
> and just recently--maybe when I rebooted--i saw fedora-19[?]
> not sure... .

Then there's the possibility that things have changed. Even
though there should not be a massive or paradigm-wide shift in
things, you never know when using automated updating on Linux.

Still the instructions should be usable at least to identify
the steps involved and the tools to be used.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
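The point Polytropon makes about ipfw's two paradigms, as an added example that is not code from this thread or from FreeBSD's own rc.firewall: the same policy ("only SSH may come in from outside") written once under DEFAULT_TO_DENY, where the implicit last rule drops everything and SSH must be opened explicitly, and once under DEFAULT_TO_ACCEPT, where the implicit last rule allows everything and an explicit catch-all deny is needed instead. The external interface name em0, the IPFW/EXT_IF environment variables and the dry-run mode are assumptions of this example; the rule syntax is ordinary ipfw(8).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: an ipfw rule set for a
# box like "tao", written for both paradigms Polytropon mentions.
# Assumptions: external interface em0 (override with EXT_IF), sshd on port
# 22. Set IPFW=echo to print the rules instead of loading them (dry run).

ssh_port=22

# Wrapper so the rule functions can be dry-run on a host without ipfw.
fw() {
    "${IPFW:-/sbin/ipfw}" "$@"
}

# DEFAULT_TO_DENY paradigm: implicit rule 65535 is "deny ip from any to any",
# so the SSH server is unreachable unless rule 400 opens it explicitly.
# This is the situation described for the Fedora firewall in the thread.
default_to_deny_rules() {
    ext_if="${EXT_IF:-em0}"
    fw -f flush
    fw add 100 allow ip from any to any via lo0
    fw add 200 check-state
    # Connections this box opens itself are allowed and their replies tracked.
    fw add 300 allow ip from me to any out via "$ext_if" keep-state
    # The single inbound service opened: SSH (TCP SYN, then stateful).
    fw add 400 allow tcp from any to me $ssh_port in via "$ext_if" setup keep-state
    # Nothing more: every other inbound packet falls through to the implicit deny.
}

# DEFAULT_TO_ACCEPT paradigm: implicit rule 65535 is "allow ip from any to
# any", so the same effect needs an explicit deny after the allow rules.
default_to_accept_rules() {
    ext_if="${EXT_IF:-em0}"
    fw -f flush
    fw add 100 allow ip from any to any via lo0
    fw add 200 check-state
    fw add 300 allow ip from me to any out via "$ext_if" keep-state
    fw add 400 allow tcp from any to me $ssh_port in via "$ext_if" setup keep-state
    # Catch-all deny for inbound traffic on the external interface. Leaving
    # this line out is the classic mistake in the accept paradigm: the box
    # then accepts every inbound connection, not just SSH.
    fw add 65000 deny ip from any to any in via "$ext_if"
}

# Usage: sh ipfw-ssh.sh deny | accept   (prefix with IPFW=echo to dry-run)
case "${1:-}" in
    deny)   default_to_deny_rules ;;
    accept) default_to_accept_rules ;;
esac
```

Run with `IPFW=echo sh ipfw-ssh.sh deny` first and compare the two listings: the only difference is rule 65000, which is exactly the rule the default-deny kernel supplies for free. Whichever paradigm is chosen, `ipfw list` after loading should show rule 400 present, because without it sshd can be running and still unreachable, which is the symptom discussed above.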