FreeBSD 10 not allowing incoming connections except ping

[balaji18]

Hi,

I have installed FreeBSD 10 for a home server. The network interface is configured and /etc/rc.conf has the configuration detail like

ifconfig_bge1="inet 10.12.12.24 netmask 255.255.255.0"

Default router is also set in /etc/rc.conf. In /etc/rc.conf,

sshd_enable="YES"

No firewall is set. /etc/pf.conf is not present and pfctl -d gives the error

"/dev/pf no such file or directory"

/etc/rc.d/sshd status gives

sshd is running as pid 1184

. But if I try to connect to sshd like ssh 10.12.12.24 -l abc ( IP address is not real one used, so is the user, just given here to describe the actual way of connection), I get connection refused. Same is the case with ssh [email=abc@10.12.12.24]abc@10.12.12.24[/email]. Nothing in logs.

sockstat(8) and netstat(8) confirm sshd running and listening in port 22 (default port). For confirmation of sshd running, I was to be connect from localhost. No messages in logs too. Changed the LogLevel in /etc/ssh/sshd_config to VERBOSE. Still no message in /var/log/messages. I wrote a simple server and started it. Again, sockstat(8) and netstat(8) confirmed the server as running and listening on port 9999. Trying to connect via HTTP from a browser externally did not work. But I was able to telnet using localhost and port.

So it is very clear that the system is allowing only localhost connections for services other than ping, which was successful. There is no problem with the internet connection or ISP as I am writing this message with the same LAN cable that was connected to the server, now connected to my laptop. Pls help in resolving this.

Adding more information, I downloaded the memstick image and used that to install FreeBSD 10 from an USB.


Thanks,
Balaji.

 

[SirDice]

From where are you connecting? From outside your LAN? Or from another machine in your network?

 

[balaji18]

Hi,

@SirDice - i am trying to connect from outside my LAN.

@getopt - sockstat gives the details as said earlier. Moreover, i am not connecting to sshd via http. I am connecting to the sample server that i wrote listening on port 9999 via http as http://10.12.12.24:9999. Again from outside of my LAN.

Adding more information, i checked even hosts.allow and it has the first entry as ALL : ALL : allow, which gives that all services across all are allowed. There is a comment in hosts.allow file stating that hosts.deny is obsolete. So there shouldn't be any problem here too. Also, i used tcpdump on the interface like
tcpdump -i bge1. Though there was output, i was unable to read them. I could see some UDP and igmp messages. At this time, i wouldn't be able to provide tcpdump output(but may be later as its tedious process, like i need to save the output in a file, transfer to a media and then use it on my laptop to present here).

Let me know if i am missing something.

Thanks,
Balaji.

 

[usdmatt]

In a default FreeBSD install you should only need to configure networking and enable sshd in /etc/rc.conf as you have done. There's no firewall by default and you shouldn't need to mess with ssh config, hosts.allow, etc. I set up FreeBSD servers every day and have never needed to make any changes to allow access from locations other than localhost.

Obviously there must be a fundamental configuration problem somewhere. Is this a private LAN with a NAT router, or does the server have a public address assigned to it?

 

[SirDice]

@SirDice - i am trying to connect from outside my LAN.

Is there a router or firewall in between? Usually people have RFC-1918 addresses internally and would need a NAT redirection to allow an incoming connection.

 

[balaji18]

Hi,

@usdmatt & @SirDice - Thanks for your responses. Let me explain what i have.

My setup is

ISP --> Router --> Server

The router and server are connected via a Lan cable. I have a static IP. Both the router and server are configured with the same static IP. This is as per the advice from the support engineer of the ISP. What puzzles me is that the FreeBSD 10 installation isn't working, while connecting the same cable to my Laptop with Windows 7 works. I am able to connect to internet and browse from my laptop. ISP's support engineer said all is fine since i was able to browse from my laptop. The important point is that ping from support engineer's end was able to receive responses from both the server and laptop.

Thanks,
Balaji.

 

[kpa]

The router and server are connected via a Lan cable. I have a static IP. Both the router and server are configured with the same static IP.

If this is really the case there's a snowball's chance in hell of getting it working. The server and the router must have different IP addresses.

 

[balaji18]

Hi,

@kpa - Any recommendation of IP address for the server assuming the router to stick with the static IP.

Thanks,
Balaji.

 

[kpa]

It depends on what you need but usually the router has the first or the last usable address out of the LAN subnet on its LAN adapter, .1 or .254 if the subnet is a /24. The server can then have any other address but the one held by the router.

 

[usdmatt]

Both the router and server are configured with the same static IP. This is as per the advice from the support engineer of the ISP

If the ISP engineer told you to configure the router and server with the same IP then they don't know what they're doing. Also, they wouldn't of been able to ping your server or your laptop. They almost certainly were just pinging your public static IP and getting a response from your router.

I suspect your laptop works because it is being configured automatically with DHCP and is being given all the correct network settings by the router.

On the Windows 7 machine, can you run ipconfig in command prompt, and post the IP, netmask & gateway it outputs? (I'm expecting the IP to be a private one that starts with 10.X or 192.X, so there's no harm in anyone seeing it)

 

[wblock@]

Giving the same IP address to the router and the server will not work. Many ISPs have a tradition that people who know anything about networking are not allowed to work in support. Some ISPs extend this, not hiring anyone who knows anything at all.

Typically, the public static IP is assigned to the router. It then uses port forwarding to forward incoming requests to the server. The server has a private IP address, usually also static.

 

[usdmatt]

Some ISPs extend this, not hiring anyone who knows anything at all.

 

[balaji18]

Hi,

@usdmatt - Pls see below the ipconfig output from Windows 7

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9138:8adf:a1da:d448%10
IPv4 Address. . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Currently, i have set the server address different from the router(increased by 1 the last part of the address in dotted decimal form) and have configured for forwarding too. Still no success.

Thanks,
Balaji.

 

[usdmatt]

So on your lan, the router is on 192.168.1.1.
Put the following in /etc/rc.conf

ifconfig_bge1="inet 192.168.1.254 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

Assuming bge1 is the correct interface, you should now have Internet access from the FreeBSD machine. Make sure you can ping the router, and then check if you can ping something on the Internet (I usually use Google's DNS service on 8.8.8.8 as it responds to ping).

# ping 192.168.1.1
# ping 8.8.8.8

Now, if you want to be able to access your machine from the Internet, you need to forward the relevant ports from your router to the FreeBSD machine. In the case of SSH, you'll need to find the port forwarding section in your router and forward port 22 to 192.168.1.254. If you've done it right, you should then be able to SSH from the Internet to the public IP address of your router, and your router will 'proxy' the connection through to FreeBSD.

Please note that if you have your laptop plugged into your LAN, you probably won't be able to SSH to your routers public IP and have it forwarded to the FreeBSD box. This type of connection where you connect from the LAN, to the public side of the router and have the connection routed back to the LAN (called hairpin NAT) isn't supported by many routers. You'll need to test the port forwarding from somewhere outside your network.

Personally I wouldn't advise opening SSH to the world.

 

[kpa]

You also need /etc/resolv.conf file with at least this line:

nameserver 192.168.1.1

 

[balaji18]

Hi,

Per @usdmatt, I have set the configurations. Still, the server is not accepting any connections. Note, port forwarding is also set in the router. Ping from Windows 7 to IP 192.168.1.1 is working while the same from FreeBSD server is not working. Still no success.

@kpa - FreeBSD 10 uses unbound(), making /etc/resolv.conf passive. unbound has its own config file and settings. Though this too is a problem(name resolution), my focus now is to get the incoming connections.

Thanks,
Balaji.

 

[usdmatt]

If you can't ping 192.168.1.1 from the FreeBSD machine then local networking isn't working. There's no point in going on to the port forwarding until that's fixed.

Is bge1 definitely the correct interface? Can you show the output of ifconfig -a with the network cable plugged in.

 

[kpa]

@kpa - FreeBSD 10 uses unbound, making /etc/resolv.conf passive. unbound has its own config file and settings. Though this too is a problem(name resolution), my focus now is to get the incoming connections.

Sorry but this is incorrect. The /etc/resolv.conf file is still used exactly as it was in previous versions of FreeBSD prior to version 10. It doesn't matter which local caching resolver you're using or maybe no local resolver at all, any program using the standard resolver(3) system in libc will use the resolver(s) listed /etc/resolv.conf. That's required by standards and is not going change.

I am aware that the /etc/rc.d/local_unbound service does play some tricks with /etc/resolv.conf to automate its use but since local_unbound is disabled by default *) my point still stands, the usage of /etc/resolv.conf hasn't changed in FreeBSD 10.


*)

firewall ~ % grep local_unbound /etc/defaults/rc.conf
local_unbound_enable="NO"	# local caching resolver
firewall ~ %

 

[balaji18]

Hi,

Thanks to all for your help. Special thanks to usdmatt. Atleast ping and http are working now. My most important one was http. I am glad that it is working. But, SSH was nice to have and it's still not working. ssh invoked hangs without any response or message.

Let me explain the process. With no success and frustration looming, I was curious to know what might be the output from Windows 7. So I configured Win 7 to use static ip(192.168.1.254 as suggested by usmatt) and had the sample server on it. Made the server run with the use of mingw and all i encountered was a message from Windows stating the firewall rules and asking for choices. I chose to allow connections and that's it. Connection from outside the LAN landed in the server and the client received the response successfully. This confirmed that router and server source code all are good. So i decided to re-install FreeBSD and did so. After the installation, ping and http are working fine with network configurations as suggested.

Thanks,
Balaji.

 

[balaji18]

Hi,

When I thought the issue is resolved, actually, it is not. Once the server was shutdown and restarted, I am back to square one. None of the connections are being accepted by the server. ping() is working fine. SSH was says connection refused and HTTP says webpage not available. sockstat() says the port is open and listening. Do not know what to do.

Thanks,
Balaji.

 

[balaji18]

Hi,

The problem is partially resolved by installing FreeBSD 9.3. Ping and HTTP are working fine even after restart. SSH still is a problem. SSH works inside the LAN but not from outside, I mean accessing through internet. Actually looking at sockstat, I could see the external connection but at the client it's connection time out. Referring other posts, I tried to add default route for 192.168.1.254 and I got the error that default route is already added. The command I used is

route add default 192.168.1.254 -iface

Anything I am missing.

Thanks,
Balaji.

 

[woodsb02]

Hi @balaji,

I think you may have two issues here.

1. You cannot have two computers with the same IP address on the local network downstream of the router. From what you described it sounded like both the Windows computer and the FreeBSD server had IP address 192.168.1.254, which will not work as each computer needs a unique address.
   I suggest you put Windows back onto DHCP / automatic IP addressing (let your router assign it an IP address), and leave the FreeBSD server with 192.168.1.254 and subnet 255.255.255.0. In addition to the rc.conf line to give your network interface the static IP, ensure you have

   defaultrouter="191.168.1.1"

   in /etc/rc.conf and

   nameserver 192.168.1.1

   in /etc/resolv.conf.
   Reboot the server once you have this set up.
   This is explained in section 12.5.2 of the FreeBSD handbook: https://www.freebsd.org/doc/handbook/config-network-setup.html
   
2. You need to set up port forwarding on the router for the SSH to work. First ensure network communications internally within your local network (test by using PuTTY on your Windows computer to SSH to your FreeBSD server on 192.168.1.254). You can also try ping from Windows computer to that IP address.
   Log in to your router's web configuration interface (on your Windows computer open a web browser and go to 192.168.1.1). Find the settings for port forwarding. Set up a rule that port 22 should be forwarded to local IP address 192.168.1.254 on TCP port 22. You may need to save the settings and reboot the router.
   Note: lots of bots scan for listening SSH servers on port 22 and attempt to brute force (guess your username and password). A quick way to stop 99% of attempts is to instead set up port forwarding to forward any TCP traffic destined for a different port (e.g. 2220) to local IP 192.168.1.254 on top port 22. Then when you try to SSH from the Internet you instead manually specify on port 2220.

 

[balaji18]

Hi,

The issue is resolved now. The problem was with the router where the TCP MTU was set as 1300. Changing that to 1500 resolved the SSH issue(with help from comp.security.ssh and Google). Currently, all seem to be fine.

Thanks,
Balaji.