RE: Security warning with sshd

From: Alexander Leidinger (Alexander_at_Leidinger.net)
Date: 08/23/05

    Date: Tue, 23 Aug 2005 12:06:30 +0200
    To: Stephen Major <smajor@gmail.com>


    Stephen Major <smajor@gmail.com> wrote:

    > This is due to a mis-configured firewall. If you are using IPFW there are
    > many tutorials out there that tell you to do the wrong thing. And almost all
    > of them contradict each other. Below is a basic script that only allows in
    > and out SSH sessions and blocks all the garbage. Of course you must add any
    > other services you need. The key here is that you allow connections from any
    > to any established. Then on all outgoing tcp connections be sure to use the
    > setup keep-state flags. The keep-state flag puts the rule into the dynamic
    > rules table. Then the allow connections from any to any established allows
    > already established connections to flow without going through the ruleset
    > again. When I did this the error messages you are now experiencing went
    > away.

    I'm *dis*allowing established connections in my firewall, and everything
    works as expected. You just need to expect the right thing. :-)

    "established" is a non-stateful filter rule, so it matches on the
    presence/absence of some TCP flags. I can't get to the ipfw statistics yet,
    but there are a lot of established packets which are rejected. Needless to
    say that there's normal traffic (ssh, https, smtp, imaps, ...) which goes
    through the firewall just fine.

    > ### check the traffic's state
    > $ipfwcmd $flags add 00500 check-state

    Here you have the stateful equivalent of the "established" rule, so every
    successfully setup connection ("keep-state") already passes because of this
    rule.

    > $ipfwcmd $flags add 00501 allow tcp from any to any established

    Here you can switch to "reject" or "deny" instead of allowing it. Everything
    should just continue to work (if it doesn't, most likely you forgot a
    "keep-state" somewhere). With this a reconfiguration of the firewall results
    in dropping established connections.

    > ###### outbound section ######
    >
    > ### Allow out ssh
    > $ipfwcmd $flags add 02150 allow tcp from me 22 to any out via $oif
    > setup keep-state

    What are you trying to do here? Outgoing connections from ssh clients have a
    src port above 1024.

    Bye,
    Alexander.

    -- 
    http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
    http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
    Avoid strange women and temporary variables.
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
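A ruleset sketch that applies the points made in this exchange (check-state before the "established" rule, the "established" rule turned into a deny, keep-state on every setup rule, and the outbound ssh rule matching an ephemeral source port rather than port 22). This is an added example, not the script either poster sent; the interface name em0, the -q flag and the dry-run default of `ipfwcmd="echo ipfw"` are assumptions so the rules can be reviewed offline before being loaded.

```shell
#!/bin/sh
# Added example: stateful ipfw ruleset following the thread's advice.
# Assumptions (not from the thread): $oif=em0, $flags=-q, and $ipfwcmd
# defaults to "echo ipfw" (dry run). Set ipfwcmd=/sbin/ipfw to load for real.
ipfwcmd="${ipfwcmd:-echo ipfw}"
flags="${flags:--q}"
oif="${oif:-em0}"

# Emit the ruleset in order. check-state must precede the "established"
# rule so that packets of keep-state connections match the dynamic table
# first and never reach the deny below.
build_ruleset() {
    $ipfwcmd $flags flush

    # Stateful check: packets belonging to a keep-state connection pass here.
    $ipfwcmd $flags add 00500 check-state

    # Packets with ACK/RST set that are NOT in the dynamic table are denied
    # (Alexander's variant). If legitimate traffic breaks here, some setup
    # rule below is missing its keep-state; the log line shows which flow.
    $ipfwcmd $flags add 00501 deny log tcp from any to any established

    # Inbound sshd: only the SYN of a new connection to local port 22 is
    # examined; keep-state records the flow for check-state.
    $ipfwcmd $flags add 01000 allow tcp from any to me 22 in via "$oif" setup keep-state

    # Outbound ssh client: the source port is ephemeral (>1023) and the
    # destination port is 22, unlike the "from me 22" rule in the thread.
    $ipfwcmd $flags add 02150 allow tcp from me 1024-65535 to any 22 out via "$oif" setup keep-state

    # Everything else is dropped and logged, so the noise becomes visible.
    $ipfwcmd $flags add 65000 deny log ip from any to any
}

build_ruleset
```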