Solved FreeBSD 13.1 fresh install, ssh timeout on log in

I just did a fresh install of FreeBSD 13.1 with ionos.com cloud host. I cannot seem to ssh into the server at all, and it's driving me nuts (I've called ionos support probably 8 times today and they're stumped too). Here's what I have so far...

- I can access my server via KVM console
- Here is my /etc/rc.conf file:
[screenshot attachment: /etc/rc.conf]

- Here is my /usr/local/etc/ipfw.rules file:
[screenshot attachment: /usr/local/etc/ipfw.rules, part 1]

[screenshot attachment: /usr/local/etc/ipfw.rules, part 2]

- Here is my ifconfig output:
[screenshot attachment: ifconfig output]



I've confirmed with my host that there are no firewall policies on their end that are blocking connections. I've also confirmed that the support agent is getting blocked, so it's not specific to me. They also booted the machine with a different image to confirm the network connection was fine, so it's "definitely" some sort of configuration setting on my FreeBSD server itself.

Added context: I would consider myself "intermediate" in this space. I've done some rather complex things, imo, but I'm self taught, so there are a LOT of basic things in Linux that are still over my head. Mostly I'm just good at Google, but alas my efforts have failed me for the last 10+ hours between yesterday and today. :)

My goal here is simply to access the machine via putty/ssh client.

Any help here would be very greatly appreciated!
 

try with the firewall disabled if you did not do it already
login at the console and type host a.b.c.d where a.b.c.d is the ip you try to ssh in from
if it takes forever to answer you need to fix it (choose another server in resolv.conf)

if both of these work, add firewall logging or look at the counters of the blocking rules while you try to ssh in
 
How exactly is your VM knowing only about supersecret.134/24 network supposed to reach to default gateway at 192.168.0.254 (assuming you are not trying to hide 192.168.0.134 address)?

If you have remote KVM available, just try to ping the default gateway and if it works, then something on the internet, like 8.8.8.8
 
try with the firewall disabled if you did not do it already
login at the console and type host a.b.c.d where a.b.c.d is the ip you try to ssh in from
if it takes forever to answer you need to fix it (choose another server in resolv.conf)

if both of these work, add firewall logging or look at the counters of the blocking rules while you try to ssh in
ssh didn't work right after install (before I added firewall_enable="YES"). I assume that means the firewall is disabled by default? I just changed to firewall_enable="NO" and rebooted my machine, and I still get a timeout error when trying to connect via ssh.

When I tried "host <my ip>", the response is: "connection timed out; no servers could be reached"

I found the resolv.conf file, but I'm not familiar with what this is. There are a couple of lines that show "nameserver <ip>" but I don't recognize the ip addresses in there. A quick google search says this is supposed to resolve ip addresses with domain names, but I don't have a domain name associated with this server yet.

And unfortunately, I'm not sure what you mean by looking at the counters of the blocking rules (or how to do it). :( Any guidance you can offer here?
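"Look at the counters of the blocking rules" means `ipfw -a list` (or `ipfw show`), which prints every rule as rule number, packet count, byte count and the rule body. The practical way to use it is to take one snapshot, try to ssh in, take a second snapshot and see which counters moved. The script below is an added example and is not part of the thread; the two snapshots in its demo are constructed (the rule numbers follow the ruleset posted later in this thread, the counter values are made up).

```shell
#!/bin/sh
# Added example (not from the thread): find which ipfw rules a blocked
# connection is hitting by diffing rule counters around the attempt.
# Input files hold the output of `ipfw -a list`:
#   <rule> <packets> <bytes> <action> <rest of rule body>

# On the FreeBSD box, as root: snapshot > before; try ssh; snapshot > after
snapshot() { ipfw -a list; }

# rules_hit BEFORE AFTER: print "<rule> <delta> <action> <body>" for every
# rule whose packet counter increased between the two snapshots.
rules_hit() {
    awk '
        NR == FNR { before[$1] = $2; next }          # first file: remember counters
        {
            delta = $2 - (($1 in before) ? before[$1] : 0)
            if (delta > 0) {
                body = $4
                for (i = 5; i <= NF; i++) body = body " " $i
                printf "%s %d %s\n", $1, delta, body
            }
        }' "$1" "$2"
}

# deny_hits BEFORE AFTER: only the rules that actually block (deny, reject,
# unreach); these are the ones to read when ssh times out.
deny_hits() {
    rules_hit "$1" "$2" | awk '$3 == "deny" || $3 == "reject" || $3 == "unreach"'
}

# Demo with constructed snapshots: three SYN retries arrive while the
# "allow ... 22 setup" rule (2500) stays at zero and the default rule climbs.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/before" <<'EOF'
00100      8      672 allow ip from any to any via lo0
01100      0        0 check-state :default
02500      0        0 allow log logamount 100 tcp from any to me 22 setup keep-state
65000    120     9840 count ip from any to any
65535     17     1020 deny ip from any to any
EOF
    cat > "$tmp/after" <<'EOF'
00100      8      672 allow ip from any to any via lo0
01100      0        0 check-state :default
02500      0        0 allow log logamount 100 tcp from any to me 22 setup keep-state
65000    123    10020 count ip from any to any
65535     20     1200 deny ip from any to any
EOF
    echo "rules whose counters moved during the ssh attempt:"
    rules_hit "$tmp/before" "$tmp/after"
    echo "blocking rules:"
    deny_hits "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
demo
```

How to read the result: if the default rule 65535 climbs by the number of client SYN retries while rule 2500 stays at zero, the packets do reach the host but do not match "tcp from any to me dst-port 22 setup" (wrong destination address for "me", wrong port, or a rule earlier in the list that already matched). If nothing moves at all, the packets never reach the host and the fault is upstream or in the box's own addressing and routing. To see the denied packets themselves, set firewall_logging="YES" in /etc/rc.conf (net.inet.ip.fw.verbose=1) and add a "deny log" rule just before 65535; logged packets go to /var/log/security.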
 
How exactly is your VM knowing only about supersecret.134/24 network supposed to reach to default gateway at 192.168.0.254 (assuming you are not trying to hide 192.168.0.134 address)?

If you have remote KVM available, just try to ping the default gateway and if it works, then something on the internet, like 8.8.8.8
...magic? I don't know, I've had a handful of VPS machines over the years and they all just work. :) Whenever I try to ping anything from the FreeBSD server itself, it tells me "ping: sendto: No route to host". I haven't been able to find a solution for this issue.
 
Can't help you much, but be sure that you have a "normal user" to use ssh; if I am not mistaken, the default ssh configuration does not allow root to ssh.
It's basic, I know, but it can be a blocking point.
Good luck.
 
Can't help you much, but be sure that you have a "normal user" to use ssh; if I am not mistaken, the default ssh configuration does not allow root to ssh.
It's basic, I know, but it can be a blocking point.
Good luck.
Thanks for the suggestion. I do have two standard users added already, but it's nice to rule something else out.
 
When you are using your custom IPFW script then you don't need the following in /etc/rc.conf
firewall_allowservices
firewall_myservices

You need to allow the outgoing traffic. I would recommend to filter only inbound traffic and allow all outgoing traffic.
$IPF 130 allow tcp from any to me dst-port 22 setup keep-state


Here's an example that you can use:
Code:
#!/bin/sh
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
fwcmd="ipfw -q add"

# Loopback address
$fwcmd 100 allow ip from any to any via lo0
$fwcmd 200 deny ip from any to 127.0.0.0/8
$fwcmd 300 deny ip from 127.0.0.0/8 to any
$fwcmd 400 deny ip from any to ::1
$fwcmd 500 deny ip from ::1 to any

# ipv6 ND DAD
$fwcmd 600 allow ipv6-icmp from :: to ff02::/16

# ipv6 RS, RA, NS, NA, redirect
$fwcmd 700 allow ipv6-icmp from fe80::/10 to fe80::/10
$fwcmd 800 allow ipv6-icmp from fe80::/10 to ff02::/16

# Allow ICMPv6 destination unreachable
$fwcmd 900 allow ipv6-icmp from any to any ip6 icmp6types 1

# Allow NS/NA/toobig (don't filter it out)
$fwcmd 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136

# Allow packets for which a state has been built
$fwcmd 1100 check-state

# For services permitted below
$fwcmd 1200 allow tcp from me to any established

# Allow any connection out, adding state for each
$fwcmd 1300 allow tcp from me to any setup keep-state
$fwcmd 1400 allow udp from me to any keep-state
$fwcmd 1500 allow icmp from me to any keep-state
$fwcmd 1600 allow ipv6-icmp from me to any keep-state

# Allow DHCP
$fwcmd 1700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
$fwcmd 1800 allow udp from any 67 to me dst-port 68 in
$fwcmd 1900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
$fwcmd 2000 allow udp from fe80::/10 to me dst-port 546 in

# ICMP: echo request 8, destination unreachable 3, source quench 4, time exceeded 11
$fwcmd 2100 allow icmp from any to any icmptypes 8
$fwcmd 2200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
$fwcmd 2300 allow icmp from any to any icmptypes 3,4,11
$fwcmd 2400 allow ipv6-icmp from any to any ip6 icmp6types 3

# MyServices Accept and log ssh on 22
$fwcmd 2500 allow log logamount 100 tcp from any to me dst-port 22 setup keep-state

#$fwcmd 2600 allow tcp from any to me dst-port 80
#$fwcmd 2700 allow tcp from any to me dst-port 443
#$fwcmd 2800 allow tcp from any to me dst-port 25
#$fwcmd 2900 allow tcp from any to me dst-port 465
#$fwcmd 3000 allow tcp from any to me dst-port 587
#$fwcmd 3100 allow tcp from any to me dst-port 110
#$fwcmd 3200 allow tcp from any to me dst-port 993
#$fwcmd 3300 allow tcp from any to me dst-port 143
#$fwcmd 3400 allow tcp from any to me dst-port 995
#$fwcmd 3500 allow tcp from any to me dst-port 21 setup keep-state
#$fwcmd 3600 allow tcp from any to me 1024-65535 setup keep-state

# Accounting
$fwcmd 65000 count ip from any to any

# Default rule 65535 is the kernel's built-in deny (unless net.inet.ip.fw.default_to_accept=1);
# it cannot be deleted, only preceded by more specific rules
#$fwcmd 65535 deny ip from any to any
 
When you are using your custom IPFW script then you don't need the following in /etc/rc.conf
firewall_allowservices
firewall_myservices

You need to allow the outgoing traffic. I would recommend to filter only inbound traffic and allow all outgoing traffic.



Here's an example that you can use: [ruleset quoted from the post above]
Thanks for this, super helpful. I removed firewall_allowservices and firewall_myservices from /etc/rc.conf.

I'm still having the same problems as before. Timeout when trying to connect via ssh.

When I type ipfw list, I get all of the rules I entered from your note, but I also get this one at the end: 65535 deny ip from any to any. I assume that this is auto-added for a reason, and I also assume that it's the "last" rule to take effect if none of the others are satisfied, right?

I still can't even ping google.com ("Unknown host") or my other server directly via ip address ("ping: sendto: No route to host"). My other server is also hosted with this same company, but I have no idea how their network may or may not be connected. And, just to make sure ping was working correctly, I tried to ping the FreeBSD server from itself and that worked as expected (though the latency for a self-ping is surprisingly high at 100-200 ms...).
 
Three things I noticed:

If 'solved' then how, by what?

Why are you putting your presumed network IPv4 address on the localhost interface, rather than the standard 127.0.0.1? and not on the vmx0 interface?

The last ruleset VladiBG posted above is basically the 'workstation' rules from /etc/rc.firewall, which would be much better to use than what you have in several respects - after fixing lo0.
 
Three things I noticed:

If 'solved' then how, by what?

Why are you putting your presumed network IPv4 address on the localhost interface, rather than the standard 127.0.0.1? and not on the vmx0 interface?

The last ruleset VladiBG posted above is basically the 'workstation' rules from /etc/rc.firewall, which would be much better to use than what you have in several respects - after fixing lo0.
Not sure if you read the part of my post where I said "I'm self taught, so there are a LOT of basic things in Linux that are still over my head."

Why did I do it? Because I'm trying to find anything that works. Do I know what I'm doing? No. Not really. If I did, I probably would not be posting here.

My problem was solved by configuring my /etc/rc.conf file to match (at least in part) what's in the article I posted. As I mentioned in my TL;DR, I had the values wrong for the default router and netmask. If you're interested in actually knowing what the issue was, along with resolution, please refer to the article for details.
 
A few hints, because you said you are at the beginning...
Thanks for the suggestion. I do have two standard users added already, but it's nice to rule something else out.
It's true that with the default settings root can't log in via ssh, but the connection would work: you'd get a password prompt, and it would just "hang up" after 3 tries, as if you had entered a wrong password.
I still can't even ping google.com ("Unknown host") or my other server directly via ip address ("ping: sendto: No route to host").
This is why I suggested first trying the gateway address and then an IP somewhere on the internet. If you have a problem with the network, it is likely that DNS won't work either, and it is also wise to try from the nearest hops first. You may also try traceroute(8).

Also see tcpdump(8) for your ssh problem; you might find something like tcpdump -vvv -i vmx0 port 22 useful.
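What the tcpdump suggestion buys you is a split of the timeout into three cases: the client's SYN never shows up on vmx0, the SYN shows up but no SYN-ACK leaves, or the SYN-ACK leaves and still nothing comes back. The script below is an added example, not part of the thread; it classifies a saved `tcpdump -n -i vmx0 port 22` capture into one of those verdicts. The capture lines in its demo are constructed (TEST-NET addresses) to mirror this thread's symptom: three SYN retries and no answer.

```shell
#!/bin/sh
# Added example (not from the thread): classify a saved
#   tcpdump -n -i vmx0 port 22 > cap.txt
# into no-syn / syn-no-synack / synack-sent for a given server address.
# Line layout assumed (tcpdump -n, IPv4):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...

# classify_capture FILE SERVER_IP -> prints one verdict word.
classify_capture() {
    awk -v srv="$2" '
        BEGIN { syn = 0; synack = 0 }
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            n = split(dst, d, "."); dport = d[n]
            dhost = substr(dst, 1, length(dst) - length(dport) - 1)
            n = split(src, s, "."); sport = s[n]
            shost = substr(src, 1, length(src) - length(sport) - 1)
            flags = $7; gsub(/[^A-Za-z.]/, "", flags)      # "[S]," -> "S", "[S.]," -> "S."
            if (flags == "S"  && dhost == srv && dport == "22") syn++
            if (flags == "S." && shost == srv && sport == "22") synack++
        }
        END {
            if (syn == 0)          print "no-syn"
            else if (synack == 0)  print "syn-no-synack"
            else                   print "synack-sent"
        }' "$1"
}

# explain VERDICT -> what to check next for that verdict.
explain() {
    case $1 in
        no-syn)        echo "client SYN never reaches vmx0: upstream/provider filtering, or the address is not configured on this interface" ;;
        syn-no-synack) echo "SYN arrives but no SYN-ACK leaves: ipfw deny, sshd not listening, or no route back to the client (default router / netmask)" ;;
        synack-sent)   echo "SYN-ACK leaves the host: the problem is on the return path outside this box" ;;
        *)             echo "unknown verdict: $1" ;;
    esac
}

# Demo with a constructed capture: three SYN retries, nothing answered.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/cap.txt" <<'EOF'
12:00:01.000123 IP 203.0.113.7.51234 > 192.0.2.134.22: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:02.003456 IP 203.0.113.7.51234 > 192.0.2.134.22: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:04.007890 IP 203.0.113.7.51234 > 192.0.2.134.22: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
EOF
    v=$(classify_capture "$tmp/cap.txt" 192.0.2.134)
    echo "verdict: $v"
    echo "next: $(explain "$v")"
    rm -rf "$tmp"
}
demo
```

The syn-no-synack case is what a wrong default router produces: the kernel accepts the SYN but cannot route the SYN-ACK, so nothing ever leaves, and a "ping: sendto: No route to host" from the console is the matching symptom. If the host is behind provider NAT, run tcpdump with the address the packets actually carry on the wire, not the public one.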
 