bmk1st
September 11th, 2003, 10:06
Hi guys,

I followed the How-To, http://screamingelectron.org/phpBB2/viewtopic.php?t=774 by soup4you2.

The how-to didn't mention installing ssh, so I installed OpenSSH myself and enabled sshd in rc.conf. I tried to configure ipf.rules so my Fbsd server machine can accept ssh connections from the LAN. I'm on the router.

I put my workstation's IP address and its hostname in /etc/hosts so my fbsd would accept ssh connections from that machine.

[code]
127.0.0.1 localhost
192.168.1.100 myworkstation
[/code]

I added my workstation in ipf.rules and my network LAN card is sis0.

[code]
#Incoming SSH Access
pass in quick on sis0 proto tcp from myworkstation to localhost port = 22 flags S keep frags keep state
[/code]

I still can't connect to my server. The connection quickly got refused. I'm not sure about localhost. I tried to replace it with my server's hostname but it didn't work either. I'm new to FreeBSD's ipfirewall and I'm still baffled. :?

Any suggestions I should try?

Thanks for replies in advance.

thedude
September 15th, 2003, 01:44
Perhaps it's being blocked elsewhere in your pf.conf? Let us take a look.

soup4you2
September 15th, 2003, 08:00
Does it work if you pass it to any to any?

Also, does your machine's hostname have an entry in /etc/hosts?

[code]
127.0.0.1 localhost
192.168.1.100 myworkstation
[/code]

[code]
127.0.0.1 localhost.my.domain localhost
192.168.1.100 myworkstation.mydomain myworkstation
192.168.1.254 myserver.mydomain myserver
[/code]

Also, did you restart your ipf rules after the entries?

bmk1st
September 15th, 2003, 09:56
[quote]
Does it work if you pass it to any to any?

Also, does your machine's hostname have an entry in /etc/hosts?

[code]
127.0.0.1 localhost
192.168.1.100 myworkstation
[/code]

[code]
127.0.0.1 localhost.my.domain localhost
192.168.1.100 myworkstation.mydomain myworkstation
192.168.1.254 myserver.mydomain myserver
[/code]

Also, did you restart your ipf rules after the entries?
[/quote]

I have disabled ipf in the kernel. SSH works fine. I'll turn it on and try what you suggested and let you know.

Thanks for the reply.

soup4you2
September 15th, 2003, 10:04
You don't have to disable ipf in the kernel if you're having issues.

Just run

[code]
ipf -D
[/code]

That will disable it. No need to redo your kernel.

Also, what do you mean you installed OpenSSH? It's installed by default.

bmk1st
September 15th, 2003, 10:40
[quote]
You don't have to disable ipf in the kernel if you're having issues.

Just run

[code]
ipf -D
[/code]

That will disable it. No need to redo your kernel.
[/quote]

Thanks! I'll keep that in mind. :wink:

[quote]
Also, what do you mean you installed OpenSSH? It's installed by default.
[/quote]

It wasn't installed. I think it was my doing during the install configuration. I don't remember. :oops:

soup4you2
September 15th, 2003, 10:57
And if you still have issues, just post up your ipf.rules and your hosts file and I'll be more than happy to find your error.

Former Member
September 15th, 2003, 12:57
Has this been resolved?

bmk1st
September 15th, 2003, 13:58
Not yet. I don't have time right now. I can try to do it tonight or tomorrow. I'll let you guys know how it goes. 8)

Former Member
September 15th, 2003, 14:03
Ahh, I'm just wondering is all. I have this reply set out concerning syntax; if it was resolved I'd look stupid lol, and I don't wanna do that...

Should the config look like this:

[code]
#Incoming SSH Access
pass in quick on sis0 proto tcp from $myworkstation to $localhost port 22 flags S keep frags keep state
[/code]

or

[code]
#Incoming SSH Access
pass in quick on sis0 proto tcp from $myworkstation to lo0 port 22 flags S keep frags keep state
[/code]

Also, won't you require the S/SA setting for flags? How can you have a tcp session without ack?

Anywho, ty for letting me know :)

soup4you2
September 15th, 2003, 14:42
[quote]
Ahh, I'm just wondering is all. I have this reply set out concerning syntax; if it was resolved I'd look stupid lol, and I don't wanna do that...

Should the config look like this:

[code]
#Incoming SSH Access
pass in quick on sis0 proto tcp from $myworkstation to $localhost port 22 flags S keep frags keep state
[/code]

or

[code]
#Incoming SSH Access
pass in quick on sis0 proto tcp from $myworkstation to lo0 port 22 flags S keep frags keep state
[/code]

Also, won't you require the S/SA setting for flags? How can you have a tcp session without ack?

Anywho, ty for letting me know :)
[/quote]

Keep in mind this is IPF, not PF, so there are no variables. As for flags, it works just fine with SYN.

Former Member
September 15th, 2003, 15:21
Ahh ok, saw rc.conf and presumed. No matter what I did I made myself look stupid lol :) Thanks for pointing that out :)

bmk1st
September 17th, 2003, 09:35
Wheeee, I got it to work. :D

I fixed my /etc/hosts and reconfigured the ipf.rules.

My /etc/hosts should look like what soup4you2 said:

[code]
127.0.0.1 localhost localhost.mydomain
192.168.1.100 myworkstation myworkstation.mydomain
192.168.1.101 myserver myserver.mydomain
[/code]

And I fixed ipf.rules:

[code]
#Incoming SSH Access
pass in quick on sis0 proto tcp from myworkstation to myserver port = 22 flags S keep frags keep state
[/code]

localhost should be replaced with the name of the server. My fault.

My problem was that I thought it wasn't necessary to use the name of the server and I thought localhost would be fine. I was wrong. :oops:
Another lesson learned. :wink:

soup4you2, thanks for clearing that up.

Now, let's see if I can get ipfilter to accept a range of ip addresses. (For ssh) Anybody have good info on ipfilter? I can't find it in the freebsd handbook. :?

soup4you2
September 17th, 2003, 10:47
[code]
pass in quick on sis0 proto tcp from 172.16.2.0/24 to myserver port = 22 flags S keep frags keep state
[/code]

Something like that?
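
Added example, not part of any post in this thread: a small Python check for the mistake that was fixed above. A rule on sis0 whose destination name resolves to 127.0.0.1 never matches, because packets arriving on the LAN interface are addressed to the server's LAN address. The check also flags the `$name` operands that soup4you2 points out IPF does not support. The function names, the regular expression and the sample text are constructed for illustration, and the check assumes names are resolved only from the hosts text passed in (no DNS lookups).

```python
import ipaddress
import re

# Constructed sample input mirroring the files posted in the thread.
HOSTS = """\
127.0.0.1 localhost localhost.mydomain
192.168.1.100 myworkstation myworkstation.mydomain
192.168.1.101 myserver myserver.mydomain
"""
RULES = """\
#Incoming SSH Access
pass in quick on sis0 proto tcp from myworkstation to localhost port = 22 flags S keep frags keep state
pass in quick on sis0 proto tcp from $myworkstation to $localhost port 22 flags S keep frags keep state
pass in quick on sis0 proto tcp from myworkstation to myserver port = 22 flags S keep frags keep state
pass in quick on sis0 proto tcp from 172.16.2.0/24 to myserver port = 22 flags S keep frags keep state
"""
# Hypothetical, simplified pattern: interface name plus the from/to operands.
RULE_RE = re.compile(r"\bon\s+(?P<ifname>\S+).*?\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)")

def parse_hosts(text):
    """Map every name and alias in hosts-file text to its address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name, fields[0])
    return table

def resolve(token, hosts):
    """Return an ip_network for an address, CIDR or hosts-file name, else None."""
    try:
        return ipaddress.ip_network(hosts.get(token, token), strict=False)
    except ValueError:
        return None

def lint(rules_text, hosts_text):
    """Return (line number, message) findings for each rule's from/to operands."""
    hosts, findings = parse_hosts(hosts_text), []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.search(line.split("#", 1)[0])
        for token in (m["src"], m["dst"]) if m else ():
            net = resolve(token, hosts)
            if token.startswith("$"):
                findings.append((lineno, f"{token}: IPF rules have no variables"))
            elif net is None and token != "any":
                findings.append((lineno, f"{token}: not in the supplied hosts text"))
            elif net is not None and net.is_loopback and not m["ifname"].startswith("lo"):
                findings.append((lineno, f"{token}: loopback address, rule is on {m['ifname']}"))
    return findings
```

Calling `lint(RULES, HOSTS)` reports the original `to localhost` rule and both `$` operands, and passes the corrected `to myserver` rule and the `172.16.2.0/24` range rule.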