IPFW Enabled SSH in ipfw: problem

Just trying to enable SSH in IPFW. Been trying for ages.

Please help me, what's going wrong??

Code:
ipfw disable firewall

$ ssh freebsd@192.168.1.95
Password for freebsd@mac1b:
Last login: Sat Aug  1 14:46:38 2015
.....

ipfw enable firewall
debian@l1d:~$ ssh freebsd@192.168.1.95
ssh: connect to host 192.168.1.95 port 22: Connection timed out

EDIT: I found out a problem is here.

Code:
00700 deny tcp from any to any

But the new set of rules is still not working?

New:

Code:
00100 allow ip from any to any via tun0
00200 allow ip from any to any via tap0
00300 allow udp from any to 10.1.2.0 dst-port 22222 setup
00400 allow udp from any to any via em0
00500 allow tcp from any to me
00600 allow tcp from any to any dst-port 22
00700 allow tcp from any to me dst-port 22
00800 allow tcp from any to any dst-port 22 in
00900 allow tcp from any to me
01000 allow tcp from any to me dst-port 22 keep-state
01100 allow tcp from any to me via em0
01200 allow tcp from any to any dst-port 22 out
65535 deny ip from any to any

Old:

Code:
00100 allow ip from any to any via tun0
00200 allow ip from any to any via tap0
00300 allow udp from any to 10.1.2.0 dst-port 22222 setup
00400 allow udp from any to any via em0
00500 allow tcp from any to me via tun0
00600 allow tcp from any to any established
00700 deny tcp from any to any
00800 allow tcp from any to any dst-port 22
00900 allow tcp from any to any dst-port 22 in
01000 allow tcp from any to any dst-port 22 out
01100 allow tcp from any to me dst-port 22 keep-state
65535 deny ip from any to any

My ifconfig

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
   ether 08:00:27:89:20:db
   inet 192.168.1.95 netmask 0xffffff00 broadcast 192.168.1.255
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: lo
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   options=80000<LINKSTATE>
   inet6 fe80::a00:27ff:fe89:20db%tun0 prefixlen 64 scopeid 0x3
   inet 10.1.2.1 --> 10.1.2.2 netmask 0xffffff00
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: tun
   Opened by PID 618
 
Never found the problem, but with these rules I solved it ;)

Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything
$IPF 500 deny log all from any to any
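
Added example, not code from the post or from ipfw: a small POSIX shell evaluator that mimics ipfw's first-match walk over reduced versions of the "Old" and final rulesets above, to show why an inbound SSH SYN was dropped by the deny at rule 700 before the allow at 800 was ever consulted. The six-field rule format and the OLD_RULES / FINAL_RULES variables are constructed for this example and are not ipfw syntax.

```shell
#!/bin/sh
# Added example: a toy first-match evaluator mimicking how ipfw walks a ruleset.
# ipfw checks rules in ascending number order and acts on the FIRST match, so
# a broad "deny tcp from any to any" placed before "allow tcp ... dst-port 22"
# blocks the SSH handshake no matter what rules follow it.
#
# Reduced rule format (constructed for this example, not ipfw syntax):
#   <number> <action> <proto|ip> <dst-port|any> <in|out|any> <setup|established|any>

# The "Old" ruleset from the post, reduced to the fields this evaluator models.
OLD_RULES='00600 allow tcp any any established
00700 deny tcp any any any
00800 allow tcp 22 any any
00900 allow tcp 22 in any
65535 deny ip any any any'

# The final working ruleset from the post, reduced the same way.
FINAL_RULES='00060 allow tcp any any established
00130 allow tcp 22 in any
00140 allow tcp 22 out any
00500 deny ip any any any'

# first_match RULES PROTO DPORT DIR STATE -> prints "<number> <action>" of the first matching rule.
first_match() {
    pproto=$2; pport=$3; pdir=$4; pstate=$5
    printf '%s\n' "$1" | {
        matched="none deny"          # reported when no rule in the list matched
        while read -r num action rproto rport rdir rstate; do
            [ -z "$num" ] && continue
            case "$rproto" in ip|"$pproto") ;; *) continue ;; esac
            case "$rport"  in any|"$pport")  ;; *) continue ;; esac
            case "$rdir"   in any|"$pdir")   ;; *) continue ;; esac
            case "$rstate" in any|"$pstate") ;; *) continue ;; esac
            matched="$num $action"   # first match wins, exactly like ipfw
            break
        done
        echo "$matched"
    }
}

# An inbound SSH SYN (state "setup") hits rule 700 in the old set before 800 is reached.
first_match "$OLD_RULES" tcp 22 in setup        # -> 00700 deny
# Only already-established TCP would have passed, which matches the "Connection timed out" symptom.
first_match "$OLD_RULES" tcp 22 in established  # -> 00600 allow
# In the final set the SSH SYN reaches rule 130 and is allowed; anything else falls to the deny.
first_match "$FINAL_RULES" tcp 22 in setup      # -> 00130 allow
first_match "$FINAL_RULES" tcp 80 in setup      # -> 00500 deny
```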
 