Hi,

I am using IPFW on FreeBSD 4.11.

I am facing two problems:
- SSH sessions time out after a while
- When I run "/sbin/ipfw -q -f flush" in the rules script all connections get reset (and I am thrown out of the box).

Is this standard functioning of ipfw or do I need to change any configuration?

Thanks,

Siddhartha
On Fri, 29 Apr 2005, Siddhartha Jain wrote:

> I am facing two problems:
> - SSH sessions time out after a while

In PuTTY or whatever other SSH client you use, enable sending of keepalive packets (for PuTTY, under connection settings). (Not sure if this is caused by ipfw or what, but the TCP session is timing out.)

> - When I run "/sbin/ipfw -q -f flush" in the rules script all connections
> get reset (and I am thrown out of the box).

Yep, standard functionality, easy fix though:

-- Start file /root/bin/fws --
#!/bin/sh
# Wrapper: run the real reload script in the background with all output
# sent to a file, so the reload carries on even if this SSH session dies
# partway through.
/root/bin/fw > /root/fws-out 2>&1 &
-- End File --

-- Start file /root/bin/fw --
#!/bin/sh
ipfw="ipfw"

# Flush Old Rules
$ipfw -f flush

# Temporary rules to stop connections being killed when reloading rules
$ipfw add 1 allow tcp from any to any established
$ipfw add 2 allow udp from any to any

# <snip> - your rules go here (don't use rule 1 or 2 though)

# Clean up temporary rules used to stop connections being killed
$ipfw delete 1
$ipfw delete 2
-- End File --

I use that all the time; maybe 1 out of 100 times it will kill an ssh session (only one that has irssi open, because the time updating kills it; I have it set to update every second though, so normally it'd be like 1 out of 500 or so) and even if it does, it still finishes loading the ruleset anyway so you can just ssh straight back in.

If you haven't guessed, you run /root/bin/fws. You can change it to whatever you want of course. Also, the output is redirected to /root/fws-out; if you don't redirect it, it'll kill your ssh session, although it won't stop it loading the other rules.

~Neo-Vortex
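The same reload-without-lockout idea, written out as an added example (this is my script, not Neo-Vortex's fw/fws pair or anything from the FreeBSD project). It assumes a rules file at /etc/ipfw.rules holding the arguments of "ipfw add ..." one per line, a log path of my choosing, and that setting IPFW=echo turns the run into a dry run; it also refuses a rules file that reuses the two reserved temporary rule numbers, which the original relies on you remembering by hand.

```shell
#!/bin/sh
# Added example: reload an ipfw ruleset without dropping the SSH session
# that runs it. Temporary "allow established"/"allow udp" rules bracket the
# flush, the real rules are loaded, then the temporary rules are removed.
# Paths, the rules-file format and the dry-run switch are my assumptions.

set -f                                      # rule text is passed verbatim, no globbing

IPFW="${IPFW:-/sbin/ipfw}"                  # IPFW=echo prints the commands instead
RULES_FILE="${RULES_FILE:-/etc/ipfw.rules}" # one "ipfw add" argument list per line
LOG="${LOG:-/var/log/ipfw-reload.log}"      # output must not go to the SSH session

# Print the rules file with blank lines and # comments stripped.
rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$RULES_FILE"
}

# Rule numbers 1 and 2 are reserved for the temporary rules; a user rule
# with either number would be deleted at the end of the reload.
check_rules() {
    rules | awk 'BEGIN { bad = 0 } $1 == 1 || $1 == 2 { bad = 1 } END { exit bad }'
}

# The reload sequence. With IPFW=echo every line below is printed, one per
# ipfw invocation, which is what the dry run and the test look at.
load_rules() {
    "$IPFW" -q -f flush
    # Temporary rules: keep existing TCP sessions and all UDP alive while
    # the table is otherwise empty (default policy is deny on this kernel).
    "$IPFW" -q add 1 allow tcp from any to any established
    "$IPFW" -q add 2 allow udp from any to any
    rules | while read -r rule; do
        # word-splitting of $rule is intended: it is an argument list
        "$IPFW" -q add $rule
    done
    "$IPFW" -q delete 1
    "$IPFW" -q delete 2
}

# Detach the reload and send its output to a file: if ipfw wrote to a dead
# SSH session the script would die on SIGPIPE before the real rules loaded.
reload_in_background() {
    check_rules || { echo "rules file uses reserved rule number 1 or 2" >&2; return 1; }
    load_rules > "$LOG" 2>&1 &
}

case "${1:-}" in
    apply)   reload_in_background ;;
    dry-run) IPFW=echo; load_rules ;;
esac
```

Run it as "sh reload-ipfw.sh dry-run" first to see the exact ipfw command sequence, then "sh reload-ipfw.sh apply" from the SSH session. The temporary rules only cover flows that already exist, so a brand new connection arriving during the few milliseconds between flush and the real rules is still refused by the default policy; that window is the same one Michael Scheidell describes later in the thread.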
Michael Scheidell wrote:

>> I use that all the time, maybe 1 out of 100 times it will kill
>> a ssh session (only one that has irssi open cause of the time
>> updating it kills it, i have it set to update every second
>> though, so normally it'd be like 1 out of 500 or so) and even
>> if it does, it still finishes loading the ruleset anyway so
>> you can just ssh straight back in
>
> I used
>
> sysctl -a net.inet.ip.fw.enable=0 && firewall.sh &&
> net.inet.ip.fw.enable=1 && sleep 60 && reboot
>
> and I would hit a ^c to stop the sleep and reboot if I didn't wack the
> firewall rules.
> The reboot would put it back to rc.conf firewall
>
> Never got disconnected.

Just out of curiosity, why is it that IPFW behaves this way and PF and IPF don't?

- Siddhartha
> I use that all the time, maybe 1 out of 100 times it will kill
> a ssh session (only one that has irssi open cause of the time
> updating it kills it, i have it set to update every second
> though, so normally it'd be like 1 out of 500 or so) and even
> if it does, it still finishes loading the ruleset anyway so
> you can just ssh straight back in

I used

    sysctl -a net.inet.ip.fw.enable=0 && firewall.sh && net.inet.ip.fw.enable=1 && sleep 60 && reboot

and I would hit a ^C to stop the sleep and reboot if I didn't whack the firewall rules. The reboot would put it back to the rc.conf firewall.

Never got disconnected. Only window of vulnerability was while loading new firewall rules.

Yours is safer.
Hi,

I'm playing with /etc/crontab to reload the rules periodically while I remotely edit both crontab and ipfw_rules.sh; this solves the problem of lock-out (but I don't know exactly what other problems it might cause... :)

sshd_config has a ClientAliveInterval (seconds between tries) and a ClientAliveCountMax (how many times to try keepalive before the client is considered non-responding and disconnected) option, and on the client side, as ~Neo-Vortex wrote, find the keepalive setting. (And if the client is untrustable, disable it >:)

Istvan

----- Original Message -----
From: "Siddhartha Jain" <sid@netmagicsolutions.com>
To: <freebsd-security@freebsd.org>
Sent: Friday, April 29, 2005 11:40 AM
Subject: IPFW disconnections and resets

> Hi,
>
> I am using IPFW on FreeBSD 4.11
>
> I am facing two problems:
> - SSH sessions timeout after a while
> - When I run "/sbin/ipfw -q -f flush" in the rules script all connection
> get reset (and I am thrown out of the box).
>
> Is this standard functioning of ipfw or do I need to change any
> configuration?
>
> Thanks,
>
> Siddhartha
On Fri, Apr 29, 2005 at 03:10:47PM +0530, Siddhartha Jain wrote:
> Hi,
>
> I am using IPFW on FreeBSD 4.11
>
> I am facing two problems:
> - SSH sessions timeout after a while

Use stateful connections (i.e. use a setup rule and a subsequent established rule).

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of
> Siddhartha Jain
> Sent: Friday, April 29, 2005 8:21 AM
> To: freebsd-security@freebsd.org
> Subject: Re: IPFW disconnections and resets
>
> Just out of curiosity, why is that IPFW behaves this way and
> PF and IPF don't?
>
> - Siddhartha

I think if you recompile the kernel with:

    options IPFIREWALL_DEFAULT_TO_ACCEPT

(the default is to deny) then it will work like pf and ipf.

Think about it: if the default is to deny, and you just flushed all the rules, it did exactly what you told it to do: deny all connections by default. This also may explain the one that gets dropped 1% of the time.