Thanks Peter,

will give that a try.


regards

Tongai


Peter wrote:
Hi guys,

I have searched everywhere and failed to find a solution, hence I am writing
to you.
I have installed 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08
UTC 2009     r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
amd64
together with ipfw. The problem I have is this: if I am on the box I can
restart my firewall with no problem, but when I log in remotely and
restart the firewall, for some reason I am locked out and cannot ssh into it.

Below is the messages log:
Mar 25 14:51:04 panadine kernel: Trying to mount root from ufs:/dev/ad4s1a
Mar 25 14:51:04 panadine kernel: ipfw2 (+ipv6) initialized, divert
loadable, nat loadable, rule-based forwarding disabled, default to deny,
logging disabled
Mar 25 14:51:06 panadine kernel: ae0: link state changed to UP
Mar 25 14:51:16 panadine ntpd[645]: ntpd 4.2.4p5-a (1)
Mar 25 14:51:17 panadine nrpe[698]: Starting up daemon
Mar 25 14:51:25 panadine ntpd[646]: kernel time sync status change 2001
Mar 25 14:51:32 panadine su: systz to root on /dev/pts/0
Mar 25 15:01:46 panadine kernel: ifa_del_loopback_route: deletion failed
Mar 25 15:01:46 panadine kernel: ae0: link state changed to DOWN
Mar 25 15:01:47 panadine sshd[829]: fatal: Write failed: Permission denied
Mar 25 15:01:48 panadine kernel: ae0: link state changed to UP

Here are a few lines from my /etc/firewall_rules

# vim: set syntax=pf :

-f flush

# Let me talk out
add 100 allow all from me to any out keep-state
add 101 allow icmp from any to any via any
add 102 allow udp from any to any 33434-33523

# Deal with loopback
#add 1000 allow all from any to any via lo0
add 1001 deny ip from any to 127.0.0.0/8
add 1002 deny ip from 127.0.0.0/8 to any

# Allow established and fragmented sessions
add 2000 allow tcp from any to any established
add 2001 allow ip from any to any frag
add 2002 check-state
add 2003 allow icmp from any to any


I have enabled net.inet.ip.fw.verbose=1 in /etc/sysctl.conf

please help


regards


Tongai

ipfw -f flush - deletes all rules except the default, which is usually
'deny from any to any'

As soon as that gets processed, your sshd connection is killed as seen in
the message up there:
sshd[829]: fatal: Write failed: Permission denied
With ssh dead, your shell is terminated and the rest of the script is
never run, so you are stuck with a firewall that did not get any rules
added to it.

Using quiet 'ipfw -q' or doing 'sh /etc/rc.firewall > /dev/null ; sleep 3'
is what I've usually done.

Or my favorite is to do the firewall from 'local console' using 'watch -W
v4' so even if ssh is killed, the console is up to finish up the script.
[ this works great for 'buildworld' too where I want to start it, pack my
laptop and leave, reconnecting later ]

With quiet mode, ssh is not sending anything back, so the connection is
not terminated.

]Peter[
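Editor's note: the two points Peter makes (run ipfw quietly so nothing is written to a pty that sshd has already torn down, and make sure something other than the dying ssh session finishes the job) can be put into a small reload script. What follows is an added example written for this thread; it is not Peter's, Tongai's or FreeBSD's code. It assumes the rules live in a file in ipfw(8) "file" format, i.e. one command per line without the leading "ipfw", exactly like the /etc/firewall_rules fragment above, and that the kernel is default-to-deny. The script name, the flag-file path, the 90-second grace period and the fail-safe rule numbers 1 and 2 are my own choices, not anything the thread states.

```sh
#!/bin/sh
# reload-ipfw.sh: reload an ipfw(8) ruleset over ssh without locking yourself
# out of a default-to-deny box.  Added example for this thread, not code from
# the original posters or from FreeBSD.  Paths, rule numbers and the grace
# period are assumptions.
#
# Idea: (1) syntax-check the file with "ipfw -n" before touching the kernel,
# (2) arm a detached fail-safe that re-opens ssh after GRACE seconds unless
# the admin confirms the new ruleset, (3) load the file in ONE quiet ipfw
# process that ignores SIGHUP and never writes to the (possibly dead) pty.

IPFW=${IPFW:-/sbin/ipfw}                      # ipfw binary; a stub for dry runs
GRACE=${GRACE:-90}                            # seconds before the fail-safe fires
CONFIRM=${CONFIRM:-/var/run/ipfw-reload.ok}   # flag file: "the admin got back in"
SSH_PORT=${SSH_PORT:-22}

# Parse-only pass: "ipfw -n" checks every line without passing it to the
# kernel, so a typo cannot leave a half-loaded ruleset behind.
check_rules() {
    "$IPFW" -q -n "$1"
}

# Load the whole file in a single ipfw process.  -q suppresses output, so
# nothing is written to a pty sshd may already have closed; stdio is detached
# from the terminal; SIGHUP is ignored (the disposition is inherited across
# exec) so the "-f flush" at the top of the file cannot take down the very
# process that re-adds the rules after it.
load_rules() {
    ( trap '' HUP; "$IPFW" -q "$1" ) </dev/null >/dev/null 2>&1
}

# What the fail-safe does if nobody confirmed: punch ssh back through the
# ruleset at rules 1 and 2 (lowest numbers match first), in both directions,
# because on a default-deny box we cannot assume a keep-state rule survived.
failsafe_action() {
    if [ -e "$CONFIRM" ]; then
        rm -f "$CONFIRM"          # admin got back in: nothing to do
        return 0
    fi
    "$IPFW" -q add 1 allow tcp from any to me "$SSH_PORT"
    "$IPFW" -q add 2 allow tcp from me "$SSH_PORT" to any
}

# Arm the fail-safe BEFORE flushing: it must already be running when the
# session dies, because nothing after load_rules is guaranteed to execute.
arm_failsafe() {
    rm -f "$CONFIRM"
    ( trap '' HUP; sleep "$GRACE"; failsafe_action ) </dev/null >/dev/null 2>&1 &
}

# After reconnecting and checking "ipfw list": touch the flag so the timer
# exits silently.  Invoked as "reload-ipfw.sh confirm".
confirm_rules() {
    : > "$CONFIRM"
}

reload() {
    check_rules "$1" || { echo "syntax error in $1, not loading" >&2; return 1; }
    arm_failsafe
    load_rules "$1"
    echo "loaded $1; run '$0 confirm' within $GRACE s or ssh gets re-opened"
}

case "${1:-}" in
    confirm) confirm_rules ;;
    "")      ;;                       # no argument: only define the functions
    *)       reload "$1" ;;
esac
```

Usage from a remote session would be "sh reload-ipfw.sh /etc/firewall_rules", then reconnect and run "sh reload-ipfw.sh confirm" before the grace period is over. The fail-safe deliberately re-opens only ssh rather than the whole firewall; if you would rather be back to a fully open box than risk a partially working one, change the two "add" lines accordingly.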

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"