Solved IPFW workstation setting blocking ssh

hotzenplotz

New Member


Messages: 18

I'm trying to enable ssh access to my laptop however it seems that ipfw blocks it, despite opening the port. I'm on FreeBSD 13.

Following is the rc.conf section configuring the firewall, as well as the output from ipfw -t list after trying to ssh into my laptop from my phone (using termux). This output seems to show that the firewall blocks the ssh access at 22:06, when I tried it unsuccessfully.

Rule 02500, which should handle port 22 requests, is not triggering?

What am I doing wrong?

Thanks heaps!

My rc.conf firewall section is as follows:

Code:
# Firewall
# --------
# refer https://danschmid.de/en/blog/firewall-on-freebsd
firewall_enable="YES"
firewall_type="workstation"
# List of ports/protocols on which this host offers services for
# workstation firewall
firewall_myservices="22/tcp 80/tcp 443/tcp 1714-1764/tcp 1714-1764/udp 5900/tcp"
# List of IPs which have access to $firewall_myservices for
# workstation firewall
firewall_allowservices="any"
# Log rejected packets in /var/log/security
firewall_logdeny="YES"

I'm trying to open a few other ports for services, however they don't seem to work either.



Code:
> ipfw -t list
00100 Tue May  4 22:04:43 2021 allow ip from any to any via lo0
00200                          deny ip from any to 127.0.0.0/8
00300                          deny ip from 127.0.0.0/8 to any
00400                          deny ip from any to ::1
00500                          deny ip from ::1 to any
00600 Tue May  4 21:55:29 2021 allow ipv6-icmp from :: to ff02::/16
00700                          allow ipv6-icmp from fe80::/10 to fe80::/10
00800 Tue May  4 22:06:43 2021 allow ipv6-icmp from fe80::/10 to ff02::/16
00900                          allow ipv6-icmp from any to any icmp6types 1
01000                          allow ipv6-icmp from any to any icmp6types 2,135,136
01100                          check-state :default
01200 Tue May  4 22:06:39 2021 allow tcp from me to any established
01300 Tue May  4 22:06:47 2021 allow tcp from me to any setup keep-state :default
01400 Tue May  4 22:06:47 2021 allow udp from me to any keep-state :default
01500                          allow icmp from me to any keep-state :default
01600                          allow ipv6-icmp from me to any keep-state :default
01700                          allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800                          allow udp from any 67 to me 68 in
01900                          allow udp from any 67 to 255.255.255.255 68 in
02000                          allow udp from fe80::/10 to me 546 in
02100                          allow icmp from any to any icmptypes 8
02200                          allow ipv6-icmp from any to any icmp6types 128,129
02300                          allow icmp from any to any icmptypes 3,4,11
02400                          allow ipv6-icmp from any to any icmp6types 3
02500                          allow tcp from any to me 22
02600                          allow tcp from any to me 80
02700                          allow tcp from any to me 443
02800                          allow tcp from any to me 1714-1764
02900                          allow udp from any to me 1714-1764
03000                          allow tcp from any to me 5900
65000 Tue May  4 22:06:43 2021 count ip from any to any
65100 Tue May  4 22:06:08 2021 deny { tcp or udp } from any to any 135-139,445 in
65200                          deny { tcp or udp } from any to any 1026,1027 in
65300                          deny { tcp or udp } from any to any 1433,1434 in
65400 Tue May  4 21:55:29 2021 deny ip from any to 255.255.255.255
65500 Tue May  4 22:06:43 2021 deny ip from any to 224.0.0.0/24 in
65500                          deny udp from any to any 520 in
65500 Tue May  4 22:06:39 2021 deny tcp from any 80,443 to any 1024-65535 in
65500 Tue May  4 22:06:43 2021 deny log logamount 500 ip from any to any
65535                          deny ip from any to any
 

covacat

Aspiring Daemon

Reaction score: 325
Messages: 662

Are you sure the fw blocks your ssh?
If you "ipfw add 1 allow ip from any to any", can you ssh from your phone?
 

Misirca

New Member

Reaction score: 4
Messages: 17

Hmm, this is strange; the ipfw default configuration for workstation should work out of the box.
My config files also look identical to yours 🤔

Can you ssh to your laptop with ipfw turned off?
# service ipfw stop
 

im

Active Member

Reaction score: 46
Messages: 109

If you enabled ipfw logging, check your log /var/log/security.
Your rule 65500 "deny log logamount 500 ip from any to any" should write all matched packets to the log.
If the firewall log is disabled, try to enable it using sysctl net.inet.ip.fw.verbose=1
It is useful to run ipfw resetlog to reset the logging counters, because your rule 65500 is limited to 500 logging events.

Another idea is:
ipfw add 10 allow tcp from any to me 22
ipfw add 12 allow tcp from me 22 to any
Just check it.
 
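Both the `ipfw -t list` output in the opening post and the suggestion above to read /var/log/security come down to the same two questions: did any packet ever hit rule 02500, and did a deny rule log a packet addressed to port 22? The following is an added example (not code from this thread, from FreeBSD, or from any poster) with two small POSIX sh/awk helpers that answer those questions offline. The rule list is a subset of the poster's own output; the log lines are constructed samples in the format ipfw writes when net.inet.ip.fw.verbose=1 (`ipfw: <rule> <Deny|Accept> <proto> <src:port> <dst:port> in via <iface>`), which is my assumption about the log layout rather than anything quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for reading "ipfw -t list"
# output and /var/log/security entries. All sample data below is constructed.

# Subset of the poster's "ipfw -t list" output. With -t, a rule that has ever
# matched carries the time of its last match between the rule number and the
# action; a rule that never matched has the action right after the number.
SAMPLE_IPFW_LIST='00100 Tue May  4 22:04:43 2021 allow ip from any to any via lo0
01200 Tue May  4 22:06:39 2021 allow tcp from me to any established
01300 Tue May  4 22:06:47 2021 allow tcp from me to any setup keep-state :default
02500                          allow tcp from any to me 22
65000 Tue May  4 22:06:43 2021 count ip from any to any
65100 Tue May  4 22:06:08 2021 deny { tcp or udp } from any to any 135-139,445 in
65500 Tue May  4 22:06:43 2021 deny log logamount 500 ip from any to any
65535                          deny ip from any to any'

# Constructed /var/log/security lines (assumed ipfw log layout, see lead-in).
# Note that none of them concerns port 22: together with the missing
# timestamp on rule 02500 that says the SSH SYN never reached the laptop.
SAMPLE_SECURITY_LOG='May  4 22:06:08 laptop kernel: ipfw: 65100 Deny TCP 192.0.2.20:51234 192.0.2.10:445 in via wlan0
May  4 22:06:43 laptop kernel: ipfw: 65500 Deny UDP 192.0.2.30:5353 224.0.0.251:5353 in via wlan0
May  4 22:06:43 laptop kernel: ipfw: 65500 Deny TCP 192.0.2.20:51235 192.0.2.10:5901 in via wlan0'

# rule_last_match RULENUM < list
# Print the last-match time of RULENUM, or "never" if it carries no timestamp.
rule_last_match() {
    awk -v rule="$1" '
        $1 == rule {
            if ($2 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/)
                print $2, $3, $4, $5, $6
            else
                print "never"
            exit
        }'
}

# matched_rules < list
# Print the numbers of all rules that have matched at least once.
matched_rules() {
    awk '$2 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print $1 }'
}

# denied_to_port PORT < log
# Count "Deny" entries whose destination port (last ":"-separated field of
# the destination column) equals PORT.
denied_to_port() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "ipfw:" && $(i + 2) == "Deny") {
                    n = split($(i + 5), dst, ":")
                    if (dst[n] == port) count++
                }
        }
        END { print count + 0 }'
}

# Walk-through on the constructed data. On a live host you would instead run
#   ipfw -t list | rule_last_match 02500
#   denied_to_port 22 < /var/log/security
printf '%s\n' "$SAMPLE_IPFW_LIST" | rule_last_match 02500   # prints "never"
printf '%s\n' "$SAMPLE_IPFW_LIST" | matched_rules
printf '%s\n' "$SAMPLE_SECURITY_LOG" | denied_to_port 22     # prints 0
```

Reading the two results together is the point: a port-22 packet that reaches the host must either hit the allow rule 02500 (giving it a timestamp) or fall through to the logging deny rule 65500 (giving a port-22 Deny line in /var/log/security). When neither happens, the firewall is not the thing dropping the connection, which is what the poster eventually found with the router.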

facedebouc

Member

Reaction score: 11
Messages: 61

You can try first with:
firewall_allowservices=any in your /etc/rc.conf.
Thereafter you can adjust restrictions to the IPs you want.
 

hotzenplotz

New Member


Messages: 18

Hi all,

Sorry for the late reply. It looks like the issue is my router... thanks for your comments and help.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,744
Messages: 39,332

If you're behind a modem/router (as most people usually are) you will need to add a port forward there. Or else your SSH will never be accessible from the outside world. Make sure all your accounts are in order though; the minute you open this port to the internet you will get a bunch of brute-force attacks on it.
 

hotzenplotz

New Member


Messages: 18

Thanks SirDice. I wish I were at that stage. It appears my router is doing AP isolation, even though the setting shows it doesn't... chatting to TP-Link about this at the moment. Let's see...
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,744
Messages: 39,332

Yeah, lots of ISPs try to block access to any of the modem settings. I can't do anything with the cable modem my ISP provides. See if there's an option to set it to "bridging" mode. Then you get a direct connection on your host. But you will need to do things like NAT, DHCP, etc. on this host to provide internet for the rest of your network.
 