RE: Security warning with sshd

• Previous message: Alexander Leidinger: "RE: Security warning with sshd"
• In reply to: Alexander Leidinger: "RE: Security warning with sshd"
• Next in thread: Alexander Leidinger: "RE: Security warning with sshd"
• Reply: Alexander Leidinger: "RE: Security warning with sshd"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Alexander Leidinger'" <Alexander@Leidinger.net>
Date: Tue, 23 Aug 2005 05:14:55 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The issue he is having I had the exact same problems, as soon as I changed
my config to the one below poof no more problems. You can set your firewall
however you want. I was just saying what gets rid of the problem he is
having with ssh.

So instead of ripping apart what I have said why do you not provide a better
solution to the original question asked.

- -----Original Message-----
From: Alexander Leidinger [mailto:Alexander@Leidinger.net]
Sent: Tuesday, August 23, 2005 3:07 AM
To: Stephen Major
Cc: remko@freebsd.org; 'Pat Maddox'; freebsd-security@freebsd.org; 'FreeBSD
Questions'
Subject: RE: Security warning with sshd

Stephen Major <smajor@gmail.com> wrote:

> This is due to a mis-configured firewall. If you are using IPFW there are
> many tutorials out there that tell you to do the wrong thing. And almost
all
> of them contradict each other. Below is a basic script that only allows in
> and out SSH sessions and blocks all the garbage. Of coarse you must add
any
> other services you need. The key here is that you allow connections from
any
> to any established. Then on all outgoing tcp connections be sure to use
the
> setup keep-state flags. The keep-state flag puts the rule into the dynamic
> rules table. Then the allow connections from any to any established allows
> already established connections to flow without going through the ruleset
> again. When I did this the error messages you are now experiencing went
> away.

I'm *dis*allowing established connections in my firewall, and everything
works as expected. You just need to expect the right thing. :-)

"established" is a non-stateful filter rule, so it matches on the
presence/absence of some TCP flags. I can't get to the ipfw statistics yet,
but tere are a lot of established packets which are rejected. Needless to
say that there's normal traffic (ssh, https, smtp, imaps, ...) which goes
through the firewall just well.

> ### check the traffic's state
> $ipfwcmd $flags add 00500 check-state

Here you have the statefull equivalent of the "established" rule, so every
successfully setup connection ("keep-state") already passes because of this
rule.

> $ipfwcmd $flags add 00501 allow tcp from any to any established

Here you can switch to "reject" or "deny" instead of allowing it. Everything
should just continue to work (if it doesn't, most likely you forgot a
"keep-state" somewhere). With this a reconfiguration of the firewall results
in dropping established connections.

> ###### outbound section ######
>
> ### Allow out ssh
> $ipfwcmd $flags add 02150 allow tcp from me 22 to any out via $oif
> setup keep-state

What are you trying to do here? Outgoing connections from ssh clients have a
src port above 1024.

Bye,
Alexander.

- --
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
Avoid strange women and temporary variables.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)

iQEVAwUBQwsTQqKXvLS903/FAQr/wgf8C6OO/3Y3iMoP4KZo3KvYD9JwcffcPtKC
dU3aeiGLYNpcJstUJLQ5TqjNg7fSjhGZ9f8cz5SneLY4KUny/PNLtRIc2r6dUyJ0
Du92KyQTdh8LTnExARcyIFnFpGCn0w83SVKIhmO7Ia6kQohLH2MhTr1EwJrZtry7
enG6E9FsZuBggjw7rp1J8N/pUfeof42igmg0ZLL4A3NQfTSZA0CKl6rX93rFVgc1
dSy9AOcC5QeVKXRbnFsIj5qoxjeHQvpQwtwQ1yXq9jwndGKBP49/nZXq0Yrs1Rvb
qcsmmr/FRzdDjm3oTvocroajIPsd+8AkeI3s5mmvYa9CtSBGy3IiYQ==
=Z+R6
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: Alexander Leidinger: "RE: Security warning with sshd"
• In reply to: Alexander Leidinger: "RE: Security warning with sshd"
• Next in thread: Alexander Leidinger: "RE: Security warning with sshd"
• Reply: Alexander Leidinger: "RE: Security warning with sshd"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Firewall with one-time passwords? ... Have a separate Linux-based firewall (I'm using the shorewall ... only permit ssh connections from a list of trusted hosts/domains on ... one-time password, ... (comp.os.linux.security) Re: Firewall with one-time passwords? ... Have a separate Linux-based firewall (I'm using the shorewall ... only permit ssh connections from a list of trusted hosts/domains on ... one-time password, ... (comp.security.firewalls) Re: Firewall with one-time passwords? ... of the people I'd not have thought about having a separate firewall, ... > only permit ssh connections from a list of trusted hosts/domains on ... > one-time password, ... (comp.os.linux.security) Re: Firewall with one-time passwords? ... of the people I'd not have thought about having a separate firewall, ... > only permit ssh connections from a list of trusted hosts/domains on ... > one-time password, ... (comp.security.firewalls) RE: Security warning with sshd ... > and out SSH sessions and blocks all the garbage. ... Then on all outgoing tcp connections be sure to use ... I'm *dis*allowing established connections in my firewall, ... (freebsd-questions)