On 12/10/06, Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:
> I started yesterday playing with it / testing it, but since I
> want to do most of the work remotely, I got stuck on this rule and
> feel like I'll keep looking until I find the solution. I paste the
> whole script here just in case something else is wrong... Here
> is my ipfw.rules file:
>
> /** Sorry for the delay. In the meanwhile, just before I sent the
> mail something else happened. Taking into account what you told
> me about the "state" keyword, I added it to rule 300. Then
> I could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail was
> working as described previously... Now also when I run the
> script with the "allowall" option it gives me problems, when it
> was working before. I can ping the machine and get replies but
> I cannot ssh to it. It seems that I am doing something wrong
> but cannot identify where */
>
> #!/bin/sh
>
> # rules command prefix
> addcmd="/sbin/ipfw -q add"
>
> # and the interface
> if="xl0"
>
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
>
> nic="sk0"
> ks="keep-state"
>
> # Flush out the list
> /sbin/ipfw -q -f flush
>
> if [ "$1" = "allowall" ]
> then
> ${addcmd} 100 allow all from any to any via ${nic}
> exit 0
> else
> # Only in rare cases do you want to change these rules
> ${addcmd} 50 allow all from any to any via lo0
> ${addcmd} 100 deny all from any to 127.0.0.0/8
> ${addcmd} 150 deny ip from 127.0.0.0/8 to any
These look ok.
> # At the moment don't allow it
> #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
> #${addcmd} 500 allow all from ${net}:${mask} to ${ip}
Not sure why these are needed (but they are commented out).
They are meant to allow all traffic from net 192.168.1.0 and were
commented out temporarily. I just sent the script as it was.
> # Allow only specific stuff and maintain the firewall for as long
> # as needed to become tough enough
>
> # check state and keep it
> ${addcmd} 200 check-state
>
> ${addcmd} 210 allow tcp from me to any setup ${ks}
> ${addcmd} 211 allow udp from me to any ${ks}
>
> ${addcmd} 212 allow icmp from any to me icmptypes 0,3,4,11
> ${addcmd} 212 allow icmp from me to any
>
> # Allow Traffic to my ISP DNS server
> ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
> ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
>
> # Allow ssh from anywhere
> #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
> #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh ${ks}
> # Everything else is denied
> ${addcmd} 65535 deny all from any to ${ip}
> exit 0
> fi
You seem to be missing a 'setup' keyword in the ssh rule :-/
I just loaded your own ruleset (with ${ip} and ${nic} set to local
values) on a FreeBSD 7.0-CURRENT system here. They work fine, as far as
I can tell:
,----------------------------------------------------------------
| [EMAIL PROTECTED]:/home/giorgos$ su -
| Password: ********
| [EMAIL PROTECTED]:/root# ipfw -d show
| 00050 168 30828 allow ip from any to any via lo0
| 00100 0 0 deny ip from any to 127.0.0.0/8
| 00150 0 0 deny ip from 127.0.0.0/8 to any
| 00200 0 0 check-state
| 00210 881 129402 allow tcp from me to any setup keep-state
| 00211 8 965 allow udp from me to any keep-state
| 00212 0 0 allow icmp from any to me icmptypes 0,3,4,11
| 00212 0 0 allow icmp from me to any
| 00250 0 0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251 0 0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300 649 92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535 154 35966 deny ip from any to any
| ## Dynamic rules (12):
| [EMAIL PROTECTED]:/root#
`----------------------------------------------------------------
The only changes I made are:
* Use 'any' instead of xx.xxx.x.xx as the UDP address.
* Change ${ip} to my own address
* Change ${nic} to my own interface name
I can connect to other hosts and ssh back into my workstation
with this ruleset :-/
Sorry, but I'm not sure why in your case this fails to work.
Now this is strange. I will try again tomorrow evening more carefully
and I will post any results.
Initially I sent the mail because of the failure to su as root (as
described also in that post I referenced) after I was logging in as a
normal user canonically. So it was working as you said.
But can you su to root after connecting?
Sorry, I will not be able to reply again tonight.
Thanks
Spiros Papadopoulos
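The point Giorgos raises, a tcp rule that keeps state without 'setup', is easy to miss in a longer script, so here is a small lint written for this thread (it is not part of the posted script): it walks a rule list and flags any tcp keep-state rule that lacks 'setup', which is what lets a non-SYN packet create a dynamic rule. The sample rules, interface name xl0 and host address are constructed from the thread.

```sh
#!/bin/sh
# Constructed ipfw rule list mirroring the thread (rule 300 is the one
# Giorgos pointed at: tcp keep-state with no 'setup').
sample_ruleset() {
    cat <<'EOF'
# interface xl0, host 192.168.1.199 (values taken from the thread)
200 check-state
210 allow tcp from me to any setup keep-state
211 allow udp from me to any keep-state
300 allow log logamount 5 tcp from any to any 22 keep-state
65535 deny all from any to 192.168.1.199
EOF
}

# The same ssh rule with 'setup', and only for inbound packets on xl0, so
# that only a SYN to port 22 can open a dynamic rule.
fixed_ssh_rule() {
    echo "300 allow log logamount 5 tcp from any to me 22 in via xl0 setup keep-state"
}

# lint_rule RULE: return 1 (and report on stderr) when a tcp rule keeps
# state but has no 'setup' keyword; return 0 for every other rule.
lint_rule() {
    rule="$1"
    case "$rule" in
        *" tcp "*keep-state*)
            case "$rule" in
                *" setup "*|*" setup") return 0 ;;
                *) echo "rule ${rule%% *}: tcp keep-state without setup" >&2
                   return 1 ;;
            esac ;;
    esac
    return 0
}

# lint_rules: read a rule list on stdin (blank lines and comments are
# skipped) and print the number of offending rules.
lint_rules() {
    n=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        lint_rule "$line" || n=$((n + 1))
    done
    echo "$n"
}

sample_ruleset | lint_rules
```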
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"