ipfw rules for letting ssh requests in
Andrew L. Gould
algould at datawok.com
Sun Jan 18 16:59:35 PST 2004
On Sunday 18 January 2004 05:53 pm, Daan Vreeken [PA4DAN] wrote:
> On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
> > I can't seem to get the ipfw rules right for letting ssh clients access an
> > ssh server. I can use ssh on the server to connect to the client; but if
> > I try to connect from the client to the server, the operation times out.
> >
> > I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all
> > of the rules as expected. It also shows packets having been allowed at
> > rule 300 after an attempt to connect has been made.
> >
> > I have copied the top portion of /etc/ipfw.rules:
> >
> > #!/bin/sh
> >
> > # Andrew L. Gould's firewall rules.
> >
> > fwcmd="/sbin/ipfw -q"
> > ${fwcmd} -f flush
> >
> >
> > # Basic rules that should not be changed
> > ${fwcmd} add 00100 pass all from any to any via lo0
> > ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
> >
> >
> > # Allow specified service requests in
> > # ssh
> > ${fwcmd} add 00300 allow tcp from any to me 22
> > ${fwcmd} add 00301 allow udp from any to me 22
> >
> > Does anyone have any idea why the operation is timing out or what I have
> > done wrong?
>
> You forgot the packets in the other direction... This should do the trick :
>
> ${fwcmd} add 00300 allow tcp from any to me 22
> ${fwcmd} add 00301 allow tcp from me 22 to any
>
> grtz,
> Daan
I have the firewall configured to let anything out. As noted above, I was
able to connect from the server to the client using ssh.
Here's the entirety of /etc/ipfw.rules:
#!/bin/sh
# Andrew L. Gould's firewall rules.
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
# Allow specified service requests in
# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow udp from any to me 22
# irc
${fwcmd} add 00302 allow tcp from any to me 194
${fwcmd} add 00303 allow udp from any to me 194
# auth (ident)
${fwcmd} add 00304 allow tcp from any to me 113
${fwcmd} add 00305 allow udp from any to me 113
# ircd
${fwcmd} add 00310 allow tcp from any to me 6667
# Allow TCP connections that were initiated locally
${fwcmd} add 00400 check-state
${fwcmd} add 00402 allow tcp from any to any out setup keep-state
# Allow DNS and DHCP activities
${fwcmd} add 00500 allow udp from any 53 to any in recv dc0
${fwcmd} add 00501 allow udp from any 67 to any 68 in recv dc0
${fwcmd} add 00502 allow udp from any to any out
# Allow ICMP activities
${fwcmd} add 00600 allow icmp from any to any icmptype 0
${fwcmd} add 00601 allow icmp from any to any icmptype 3
${fwcmd} add 00602 allow icmp from any to any icmptype 4
${fwcmd} add 00603 allow icmp from any to any icmptype 8
${fwcmd} add 00604 allow icmp from any to any icmptype 11 in
${fwcmd} add 00901 deny tcp from any to any in established
${fwcmd} add 65535 deny all from any to any
#############################################
Thanks,
Andrew Gould
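The following is an added illustration, not part of the thread above: a toy first-match model of the ipfw rule walk, fed the TCP-relevant rules from the posted /etc/ipfw.rules, so the fate of each packet of an inbound ssh handshake can be traced rule by rule. It also traces Daan's suggested rule 301 and a stateful alternative (keep-state on the inbound SYN so that rule 400 check-state covers the replies). The addresses, the client port, the `Packet`/`Firewall` helpers and the `ssh_handshake` trace are constructed for the example; only the keywords that appear in the rules below are modelled, and `keep-state` here does not perform the implicit check-state that real ipfw does.

```python
"""Toy first-match model of an ipfw(8) rule walk (added illustration, not ipfw itself).
Only the keywords used in the rules listed below are modelled; addresses are constructed."""
import ipaddress
from dataclasses import dataclass

ME, CLIENT = "192.0.2.10", "198.51.100.7"  # constructed: the server ("me") and an ssh client


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "in" or "out"
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    iface: str = "dc0"


def parse_rule(line):
    """'add N action [proto from A [port] to B [port] [options...]]' -> dict."""
    t = line.split()
    r = {"num": int(t[1]), "action": t[2], "opts": {}}
    if t[2] == "check-state":
        return r
    r["proto"] = "all" if t[3] in ("all", "ip") else t[3]
    i = t.index("from") + 1
    r["src"], i = t[i], i + 1
    r["sport"], i = (int(t[i]), i + 1) if t[i] != "to" else (None, i)
    i += 1                                           # skip "to"
    r["dst"], i = t[i], i + 1
    r["dport"], i = (int(t[i]), i + 1) if i < len(t) and t[i].isdigit() else (None, i)
    while i < len(t):                                # remaining tokens are options
        if t[i] in ("via", "recv"):                  # two-token options
            r["opts"][t[i]], i = t[i + 1], i + 2
        else:                                        # in, out, setup, established, keep-state
            r["opts"][t[i]], i = True, i + 1
    return r


def addr_ok(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, p):
    """Static match of one parsed rule against one packet."""
    o = r["opts"]
    syn_only = p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags
    return (
        r["proto"] in ("all", p.proto)
        and addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst)
        and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
        and o.get("via", p.iface) == p.iface
        and ("recv" not in o or (p.direction == "in" and o["recv"] == p.iface))
        and ("in" not in o or p.direction == "in")
        and ("out" not in o or p.direction == "out")
        and ("setup" not in o or syn_only)                        # setup = SYN without ACK
        and ("established" not in o or bool(p.flags & {"ACK", "RST"}))
    )


class Firewall:
    """Ordered rule list plus the dynamic-state table that keep-state populates."""

    def __init__(self, lines):
        self.rules = sorted(map(parse_rule, lines), key=lambda r: r["num"])
        self.state = set()

    def lookup(self, p):
        """Return (rule number, 'allow' | 'deny') of the first rule that decides the packet."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if r["action"] == "check-state":
                if fwd in self.state:               # reply to a keep-state connection
                    return r["num"], "allow"
                continue                            # no dynamic rule: keep walking
            if matches(r, p):
                if "keep-state" in r["opts"]:
                    self.state.update({fwd, rev})   # both directions of the flow
                return r["num"], ("allow" if r["action"] in ("allow", "pass", "accept") else "deny")
        return 65535, "deny"                        # ipfw's implicit default rule


# TCP-relevant rules from the posted /etc/ipfw.rules; the irc, ident, dns, dhcp and icmp
# rules cannot match TCP/22 traffic and are left out of this model.
ORIGINAL = [
    "add 00100 pass all from any to any via lo0",
    "add 00110 deny all from any to 127.0.0.0/8",
    "add 00120 deny ip from 127.0.0.0/8 to any",
    "add 00300 allow tcp from any to me 22",
    "add 00301 allow udp from any to me 22",
    "add 00400 check-state",
    "add 00402 allow tcp from any to any out setup keep-state",
    "add 00901 deny tcp from any to any in established",
    "add 65535 deny all from any to any",
]
# Daan's suggestion: an explicit rule for the replies leaving port 22.
DAAN_FIX = [l for l in ORIGINAL if "00301" not in l] + ["add 00301 allow tcp from me 22 to any"]
# Stateful alternative: only the inbound SYN is allowed statically; check-state handles the rest.
STATEFUL = [l if "00300" not in l else "add 00300 allow tcp from any to me 22 in setup keep-state"
            for l in ORIGINAL]


def ssh_handshake(rules):
    """Client -> me:22 three-way handshake; returns the (rule, verdict) that decided each packet."""
    fw = Firewall(rules)
    c2s = dict(proto="tcp", src=CLIENT, sport=40000, dst=ME, dport=22, direction="in")
    s2c = dict(proto="tcp", src=ME, sport=22, dst=CLIENT, dport=40000, direction="out")
    return [fw.lookup(Packet(**c2s, flags=frozenset({"SYN"}))),        # client SYN
            fw.lookup(Packet(**s2c, flags=frozenset({"SYN", "ACK"}))), # server SYN-ACK
            fw.lookup(Packet(**c2s, flags=frozenset({"ACK"})))]        # client ACK


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("daan", DAAN_FIX), ("stateful", STATEFUL)):
        print(name, ssh_handshake(rules))
```

With the original rules the client's SYN is accepted at rule 300, which is the counter Andrew saw increase, but the server's SYN-ACK leaving port 22 is neither `setup` (rule 402) nor inbound (rule 901) nor addressed to `me 22` (rule 300), so it walks down to rule 65535 and is dropped, and the client times out waiting for it. Either an explicit `allow tcp from me 22 to any` or a `keep-state` on the inbound rule lets the reply through; the stateful form only opens the firewall for connections whose SYN was already accepted.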
More information about the freebsd-questions mailing list