IPFW fatal: Fssh_packet_write_poll: Connection from x.x.x port 48368: Permission denied

Hi
My server's OS version is 11.0. I copied ipfw.rules from another server (version 10.3) to this one.
Whenever I try to reload ipfw.rules, the SSH session freezes.
sh /usr/local/etc/ipfw.rules

Checking auth.log, I get:
Code:
Apr  4 17:59:07 m123 sshd[3703]: fatal: Fssh_packet_write_poll: Connection from x.x.x port 48368: Permission denied

Can someone advise of what to look at?
 
Here is my ipfw.rules file

Code:
#!/bin/sh
IPF="ipfw -q add"
#network interface
oif="em1"

# Flushing removes every rule; until the allow rules below are re-added only the
# kernel's default rule (65535) applies, which on a default-to-deny kernel drops
# the packets of this SSH session as well.
ipfw -q -f flush
ipfw table all flush
myip="123.123.123.123"

# ipfw evaluates rules in rule-number order, not in the order they appear here.
#loopback, localhost stuff
$IPF 10 allow ip from any to any via lo0
$IPF 11 deny ip from any to 127.0.0.0/8
$IPF 12 deny ip from 127.0.0.0/8 to any
$IPF 13 deny tcp from any to any frag

#deny bogus packets by tcpflags
#xmas tree
$IPF 30 deny tcp from any to any in tcpflags fin,psh,urg recv $oif
$IPF 31 deny tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif
$IPF 32 deny tcp from any to any in tcpflags syn,fin recv $oif
$IPF 33 deny tcp from any to any in tcpflags fin,rst recv $oif
$IPF 34 deny ip from any to any in ipoptions ssrr,lsrr,rr,ts recv $oif

#block bad ips by tables
#########################
ipfw table 1 flush
# one address or prefix per line; value 1 is unused but required by the syntax
while read ip; do
   ipfw table 1 add $ip 1
done < /usr/local/etc/block_ip.txt

# quoted so the shell does not treat the parentheses as a subshell
ipfw -q add 100 deny ip from "table(1)" to any via $oif

#allow ftp
$IPF 42 allow tcp from $myip to me 21
$IPF 49 deny tcp from any to any 21

#allow ssh
$IPF 51 allow tcp from $myip to me 22

$IPF 59 deny tcp from any to any 22

#allow mysql
$IPF 61 allow tcp from me to me 3306
$IPF 62 allow tcp from $myip to me 3306
$IPF 69 deny tcp from any to any 3306

#$IPF 207 allow tcp from any to any 25 in
#$IPF 208 allow tcp from any to any 25 out
$IPF 89 deny tcp from any to any 25

$IPF 209 allow udp from any to any 53 in
$IPF 210 allow tcp from any to any 53 in
$IPF 211 allow udp from any to any 53 out
$IPF 212 allow tcp from any to any 53 out
$IPF 213 allow tcp from any to any 80 in
$IPF 214 allow tcp from any to any 80 out
#$IPF 215 allow tcp from any to any 10000 in
#$IPF 216 allow tcp from any to any 10000 out

#$IPF 219 allow tcp from any to any 11211 in
#$IPF 220 allow tcp from any to any 11211 out

#$IPF 300 divert natd all from any to any via $oif

#all connections from my network allowed
$IPF 500 check-state
# 501 matches every packet that reaches it, so rules 502, 503, 1000 and 3000
# below are never evaluated.
$IPF 501 allow all from any to any keep-state
$IPF 502 deny tcp from any to any established in via $oif
$IPF 503 deny all from any to any frag in via $oif

#ack scan
$IPF 1000 deny tcp from any to any in tcpflags ack,rst recv $oif

# deny and log everything
$IPF 3000 deny log all from any to any
 
Hi!

Could you describe your IP settings with regard to your IPFW rules? I see several rules for SSH that refer to a predefined IP.
 
Are you sure you're trying to access this server from 123.123.123.123? From what I can tell that's the only host that is allowed to access SSH. So if you're trying this from anything else, it's a no-go.

This should be fairly easy to debug. Set up SSH to listen on a random high port number besides 22. Open said port unconditionally in your firewall and try to connect to it. If you do, use w to check your origin and so on. Then adjust your firewall accordingly.
 
Hi
Let me describe the situation. I logged in to my SSH session and ran the command
sh /usr/local/etc/ipfw.rules

Then my SSH session freezes.

The IP 123.123.123.123 is not my real IP though (replaced before posting here).

For the record, I have been using the file on 5 servers (FreeBSD 8.4, 10.3). Only on this server, which is FreeBSD 11.0, do I have the problem.
 
Then my SSH session freezes.
Important detail: can you still log on using SSH afterwards or does the server stop responding at all (so it requires console access to fix the issue)?

Because if it's the first, I'd suspect a glitch somewhere when the firewall rules become active. However, I don't have an explanation, because it doesn't happen on my servers (I use both ipf as well as pf).
 
Important detail: can you still log on using SSH afterwards or does the server stop responding at all (so it requires console access to fix the issue)?

As you suspect:
- I cannot log in again via SSH.
- The server's networking is interrupted (no ping response, etc.).

I need to log in to the server directly (with a keyboard and monitor) as root and re-run the firewall command above to rebuild the rules. After that, I can log in via SSH again.
 
Well, after 2 months I finally succeeded! It seems the problem was in the ipfw.rules file itself. I renamed it, created a new file on the server, and it works. Perhaps copying it from another server is not the way to go.
 
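The thread closes without saying what was wrong with the copied file, and the symptoms (the session freezes, the host stops answering pings, the same script loads fine from the console) are consistent with more than one cause. The script below is an added example, not something posted in the thread: it checks a copied ipfw.rules for the artifacts that survive a copy between hosts (a UTF-8 BOM, CRLF line endings) and for rules shadowed by a catch-all allow like rule 501 in the posted file, and it applies the file over SSH with a rollback timer so a bad rule set cannot lock you out. It assumes FreeBSD 11 ipfw, rules written as $IPF <number> ... or ipfw -q add <number> ... as in the posted file, root privileges for apply_rules, and a pid file path (/var/run/ipfw_rollback.pid) chosen here for illustration. The caveat it guards against is general ipfw behaviour: ipfw -q -f flush removes every rule, so on a default-to-deny kernel the SSH session loses connectivity before the allow rules are back, and anything that stops the script at that point leaves only the default deny loaded, which is exactly a host that only returns after the script is re-run from the console.

```shell
#!/bin/sh
# Added example (not posted in the thread): sanity-check an ipfw rules script
# copied from another host, then apply it over SSH with a rollback timer.
# Assumptions: FreeBSD 11 ipfw; rules written as "$IPF <num> ..." or
# "ipfw -q add <num> ..." as in the posted file; root for apply_rules;
# /var/run/ipfw_rollback.pid is a pid file path chosen for this example.

# Print the rules in the order ipfw evaluates them: by rule number, which is
# not necessarily the order they appear in the script.
rules_in_order() {
    sed -n \
        -e 's/^\$IPF[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\(.*\)$/\1 \2/p' \
        -e 's/^ipfw -q add[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\(.*\)$/\1 \2/p' \
        "$1" | sort -n
}

# List rule numbers that can never match because a lower-numbered rule is an
# unconditional "allow all|ip from any to any" with no in/out/via/recv/xmit
# qualifier (keep-state does not narrow a rule; it only adds a dynamic entry).
unreachable_rules() {
    rules_in_order "$1" | awk '
        catch == 0 && $2 == "allow" && ($3 == "all" || $3 == "ip") &&
        $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" {
            qualified = 0
            for (i = 8; i <= NF; i++)
                if ($i ~ /^(in|out|via|recv|xmit)$/) qualified = 1
            if (!qualified) { catch = $1; next }
        }
        catch != 0 { print $1 }'
}

# Check a copied file for what a copy between hosts can carry that breaks a
# shell script: a UTF-8 BOM (the #! line is no longer first) and CRLF line
# endings (oif="em1" becomes "em1<CR>", which names no interface).
# Returns 0 when clean, 1 otherwise; shadowed rules are reported as a warning.
check_rules_file() {
    f="$1"; rc=0
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        printf '%s\n' "$f: starts with a UTF-8 BOM" >&2
        rc=1
    fi
    if LC_ALL=C grep -q "$(printf '\r')" "$f"; then
        printf '%s\n' "$f: CRLF line endings (fix: tr -d '\r' < $f > $f.new)" >&2
        rc=1
    fi
    dead=$(unreachable_rules "$f" | tr '\n' ' ')
    [ -n "$dead" ] && printf '%s\n' "$f: warning: rules shadowed by a catch-all allow: $dead" >&2
    return $rc
}

# Apply the rules with a safety net.  "ipfw -q -f flush" drops every rule, so
# on a default-to-deny kernel this SSH session goes dark until the allow rules
# are back; if the script stops before then, only the default deny is loaded.
# nohup plus the redirects let the script run to the end without a terminal,
# and the background timer disables the firewall after $1 seconds unless the
# operator, still able to type, cancels it.
apply_rules() {
    seconds="${1:-90}"; f="${2:-/usr/local/etc/ipfw.rules}"
    check_rules_file "$f" || { printf '%s\n' "refusing to load $f" >&2; return 1; }
    ( sleep "$seconds"; sysctl net.inet.ip.fw.enable=0 ) >/dev/null 2>&1 &
    echo "$!" > /var/run/ipfw_rollback.pid
    nohup sh "$f" >/dev/null 2>&1
    printf '%s\n' "rules loaded; cancel rollback with: kill \$(cat /var/run/ipfw_rollback.pid)"
}
```

Usage: run check_rules_file /usr/local/etc/ipfw.rules first; if it is clean, apply_rules 90 loads the file, and unless you run kill $(cat /var/run/ipfw_rollback.pid) within 90 seconds the firewall is switched off with sysctl net.inet.ip.fw.enable=0 so you can get back in and fix the rules. Killing the subshell is enough to cancel the rollback: the orphaned sleep finishes on its own, but the sysctl that followed it in the subshell never runs.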