trying to reload firewall rules through ssh and from remote box

Post by JimJi » Tue, 10 Sep 2002 11:06:22



Hi everybody,

    I'm using ssh to connect from my box (which is on the intranet) to the box
that we are using as a router (natd) for our network. I changed the firewall
rules on the box acting as a router and tried to reload the new ones by
typing at the prompt of my ssh session:  ipfw -f flush && sh
/etc/rc.firewall   &
        The problem is that I get disconnected, and even if I try to connect
again, it is not possible! I go upstairs (very far away..) to see what is
going on and realize that while the rules were flushed, the second part of
my command, running /etc/rc.firewall, was not executed (thus deny any to
any). I also made a file "firerestart" and put inside:
ipfw -f flush
sh /etc/rc.firewall
I then tried to run it like  firerestart &  but again the same. I can't
figure out why!
Note that when I run sh firerestart from the box-router's command prompt
everything is fine.

thx in advance

 
 
 

Post by John Nielse » Tue, 10 Sep 2002 11:26:45



> Hi everybody,

>     I'm using ssh to connect from my box (which is on the intranet) to the
> box that we are using as a router (natd) for our network. I changed the
> firewall rules on the box acting as a router and tried to reload the new
> ones by typing at the prompt of my ssh session:  ipfw -f flush && sh
> /etc/rc.firewall   &
>         The problem is that I get disconnected, and even if I try to
> connect again, it is not possible! I go upstairs (very far away..) to see
> what is going on and realize that while the rules were flushed, the second
> part of my command, running /etc/rc.firewall, was not executed (thus deny
> any to any). I also made a file "firerestart" and put inside:
> ipfw -f flush
> sh /etc/rc.firewall
> I then tried to run it like  firerestart &  but again the same. I can't
> figure out why!
> Note that when I run sh firerestart from the box-router's command prompt
> everything is fine.

> thx in advance

You have to be very careful when reloading firewall rules remotely.  What I
do that usually works is put rules to allow my ssh connection(s) at the top
of my rules file, right after the flush statement.  Then I can usually run
"ipfw -q /etc/ipfw.conf" without getting disconnected.  The -q is important.
Even this method is risky, though.  To be really sure that your new ruleset
gets loaded (and loaded completely) you should either reboot the machine
(assuming the rules are loaded at startup) or write a script and call it
using cron(8) or at(1).

JN

--
Remove pig-latin to reply by e-mail

 
 
 

Post by JimJi » Tue, 10 Sep 2002 13:36:27


Quote:
> You have to be very careful when reloading firewall rules remotely.  What I
> do that usually works is put rules to allow my ssh connection(s) at the top
> of my rules file, right after the flush statement.  Then I can usually run
> "ipfw -q /etc/ipfw.conf" without getting disconnected.  The -q is important.
> Even this method is risky, though.  To be really sure that your new ruleset
> gets loaded (and loaded completely) you should either reboot the machine
> (assuming the rules are loaded at startup) or write a script and call it
> using cron(8) or at(1).

> JN

hmm...
1. I mentioned in my first post that when I was running  ipfw -f flush &&
sh /etc/rc.firewall &  or  ./firerestart &  through my ssh session, I was
running it in the background (note the &). That means that even if my ssh
session were to die (because of the new ipfw rules), killing the shell as
well, the command issued should keep running in the background, and so run
eventually. That means that I would be able to ssh to the box later. The
problem is that the command was never executed! Does anybody have an answer
to this?

2. The other funny thing is that when I run  ipfw -q /etc/rc.firewall ,
even at the console prompt (not an ssh session), I get the message:
            ipfw: error: bad arguments
            usage: ipfw [options]
            [pipe] flush
            add [number] rule
            [pipe] delete number ...
followed by 40 more lines explaining how I'm supposed to run ipfw. Note
that I made rc.firewall executable (chmod). Why do you think I can't run
the command ipfw -q /etc/rc.firewall?

thanx in advance

 
 
 

Post by Dr Cla » Tue, 10 Sep 2002 22:28:17


When you use the /etc/ipfw.conf option, the ruleset has to be listed as
follows:

<excerpt from my rules.fw file, invoked using ipfw -q /etc/rules.fw & >

flush

#deny specific internal network stuff (RFC1918)
add deny log all from any to 172.16.0.0:255.240.0.0 via ed0
add deny log all from any to 10.0.0.0:255.0.0.0 via ed0
#add deny log all from any to 192.168.0.0:255.255.0.0 via ed0

#Other half of pipe stuff
add pipe 1 ip from 10.0.0.3 to any out xmit ed0

<end snip>

I.e., instead of adding rules to the firewall using $ipfw add blah blah, you
just list the raw rules.

I also load my rules using this line in rc.conf if it helps at all :

<rc.conf>
firewall_enable="YES"
firewall_type="/etc/rules.fw"
firewall_quiet="YES"
<end snip>

Hope this helps


Quote:
> > You have to be very careful when reloading firewall rules remotely.  What I
> > do that usually works is put rules to allow my ssh connection(s) at the top
> > of my rules file, right after the flush statement.  Then I can usually run
> > "ipfw -q /etc/ipfw.conf" without getting disconnected.  The -q is important.
> > Even this method is risky, though.  To be really sure that your new ruleset
> > gets loaded (and loaded completely) you should either reboot the machine
> > (assuming the rules are loaded at startup) or write a script and call it
> > using cron(8) or at(1).

> > JN

> hmm...
> 1. I mentioned in my first post that when I was running  ipfw -f flush &&
> sh /etc/rc.firewall &  or  ./firerestart &  through my ssh session, I was
> running it in the background (note the &). That means that even if my ssh
> session were to die (because of the new ipfw rules), killing the shell as
> well, the command issued should keep running in the background, and so
> run eventually. That means that I would be able to ssh to the box later.
> The problem is that the command was never executed! Does anybody have an
> answer to this?

> 2. The other funny thing is that when I run  ipfw -q /etc/rc.firewall ,
> even at the console prompt (not an ssh session), I get the message:
>             ipfw: error: bad arguments
>             usage: ipfw [options]
>             [pipe] flush
>             add [number] rule
>             [pipe] delete number ...
> followed by 40 more lines explaining how I'm supposed to run ipfw. Note
> that I made rc.firewall executable (chmod). Why do you think I can't run
> the command ipfw -q /etc/rc.firewall?

> thanx in advance

 
 
 

Post by John Nielse » Tue, 10 Sep 2002 22:39:26



>> You have to be very careful when reloading firewall rules remotely.
>> What I do that usually works is put rules to allow my ssh connection(s)
>> at the top of my rules file, right after the flush statement.  Then I
>> can usually run "ipfw -q /etc/ipfw.conf" without getting disconnected.
>> The -q is important. Even this method is risky, though.  To be really
>> sure that your new ruleset gets loaded (and loaded completely) you
>> should either reboot the machine (assuming the rules are loaded at
>> startup) or write a script and call it using cron(8) or at(1).

>> JN

> hmm...
> 1. I mentioned in my first post that when I was running  ipfw -f flush &&
> sh /etc/rc.firewall &  or  ./firerestart &  through my ssh session, I was
> running it in the background (note the &). That means that even if my ssh
> session were to die (because of the new ipfw rules), killing the shell as
> well, the command issued should keep running in the background, and so
> run eventually. That means that I would be able to ssh to the box later.
> The problem is that the command was never executed! Does anybody have an
> answer to this?

I'm not sure on this one, but if I had to guess I'd say that your connection
is being reset, your login shell is being killed, and so is your script,
despite the fact that it's in the background.  Look at the manpage for your
shell and see if "nohup" might be any help to you here.

Quote:
> 2. The other funny thing is that when I run  ipfw -q /etc/rc.firewall ,
> even at the console prompt (not an ssh session), I get the message:
>             ipfw: error: bad arguments
>             usage: ipfw [options]
>             [pipe] flush
>             add [number] rule
>             [pipe] delete number ...
> followed by 40 more lines explaining how I'm supposed to run ipfw.
> Note that I made rc.firewall executable (chmod). Why do you think I
> can't run the command ipfw -q /etc/rc.firewall?

My mistake--I should have been more clear.  I have one file that's my actual
firewall _script_ (and it gets pointed to by rc.conf), and another file that
contains my firewall _rules_.  The script is dead-simple:
  #!/bin/sh
  /sbin/ipfw -q /etc/ipfw.conf

The other file (in my case /etc/ipfw.conf) is where all the fancy stuff
occurs.  It is not a script, but rather a rules file.  From the ipfw(8)
manpage:
  "To ease configuration, rules can be put into a file which is processed
using ipfw as shown in the first synopsis line.  An absolute pathname must
be used.  The file will be read line by line and applied as arguments to the
ipfw utility".

The other way to load rules (which seems to be what you are doing) is to
create a script that calls ipfw(8) for each rule.  An advantage to this
approach is that you can use the variables and control structures allowed by
your shell.  I prefer to use a rules file because for me it's less hassle
and seems more intuitive.

JN

--
Remove pig-latin to reply by e-mail
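A worked version of what JN and Dr Cla describe, combining the pieces of the thread: a rules file whose first lines after flush keep the administrator's ssh session alive, loaded with ipfw -q, run detached with nohup so that losing the ssh session cannot kill it (JN's guess about the backgrounded command), and JN's at(1) fallback turned into a dead man's switch that restores the previous ruleset unless the administrator logs back in and confirms. This is an added example written for this page, not code from any of the posters. It assumes FreeBSD's ipfw(8), at(1) and nohup(1); the script name fwreload.sh, the state directory /var/run/fwreload, the log path, the interface and admin-network arguments, and the parsing of at(1)'s "Job N will be executed ..." line are all assumptions, not anything the thread states.

```shell
#!/bin/sh
# fwreload.sh: reload an ipfw(8) rules file from an ssh session without
# locking yourself out.  Added example for this thread, not any poster's code.
#
#   fwreload.sh reload /etc/ipfw.conf   # load new rules, arm a rollback timer
#   fwreload.sh confirm                 # from a *fresh* ssh login: disarm it
#
# Assumes FreeBSD ipfw(8), at(1), nohup(1).  All paths below are hypothetical.
set -u

IPFW=${IPFW:-/sbin/ipfw}
AT=${AT:-/usr/bin/at}
STATE=${STATE:-/var/run/fwreload}   # rollback snapshot and at(1) job id live here
LOG=${LOG:-/var/log/fwreload.log}
GRACE=${GRACE:-5}                    # minutes until the old rules come back

# Write a rules file in the form "ipfw -q <file>" expects: one ipfw argument
# list per line, no leading "ipfw".  The first directive is flush and the
# rules right after it keep the administrator's ssh session alive.
build_rules_file() {   # $1 = output path, $2 = outside interface, $3 = admin net
    cat > "$1" <<EOF
flush
# established ssh sessions survive the reload; new ones only from $3
add 100 allow tcp from any to any 22 established
add 110 allow tcp from $3 to any 22 setup via $2
# ... the rest of the policy goes here ...
add 65000 deny log ip from any to any
EOF
}

# Preflight: refuse a file that would obviously cut the session.  It must be
# an absolute path (ipfw requires one), start with flush, and allow tcp/22
# before the first deny.  The port is matched numerically, so write 22, not ssh.
rules_file_ok() {
    f=$1
    case $f in
        /*) ;;
        *)  echo "rules file must be an absolute path: $f" >&2; return 1 ;;
    esac
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        n == 0 { n = 1
                 if ($1 != "flush") {
                     print ("first directive must be flush, not " $1) > "/dev/stderr"
                     bad = 1; exit
                 }
                 next }
        /^add .*deny/ { print ("deny at line " NR " before any tcp/22 allow") > "/dev/stderr"
                        bad = 1; exit }
        /^add .*allow tcp .* 22 / || /^add .*allow tcp .* 22$/ { ok = 1; exit }
        END { if (bad) exit 1
              if (!ok) { print "no allow rule for tcp/22 found" > "/dev/stderr"; exit 1 } }
    ' "$f"
}

# Load the new rules under a dead man's switch: snapshot the running ruleset,
# queue an at(1) job that restores it after $GRACE minutes, then run ipfw
# detached from the terminal (nohup, all fds off the pty) so the SIGHUP that
# follows a dropped ssh session cannot kill it half way through the file.
reload() {
    f=$1
    rules_file_ok "$f" || return 1
    mkdir -p "$STATE"
    # "ipfw list" prints "00100 allow tcp ..."; turn each line into an add
    # command and drop the built-in default rule 65535, which cannot be re-added.
    # (pipe/queue configuration is not captured by this snapshot)
    { echo flush
      "$IPFW" list | sed -e '/^65535 /d' -e 's/^\([0-9][0-9]*\) /add \1 /'
    } > "$STATE/previous.conf"
    # at(1) reports "Job N will be executed ..."; keep N so confirm can cancel it
    # (assumed output format; check with your at(1) before relying on it)
    echo "$IPFW -q $STATE/previous.conf" | "$AT" "now + $GRACE minutes" 2>&1 \
        | awk '/^[Jj]ob/ { print $2 }' > "$STATE/atjob"
    nohup "$IPFW" -q "$f" >> "$LOG" 2>&1 < /dev/null &
    echo "loading $f; run '$0 confirm' within $GRACE minutes or the old rules return"
}

# Run from the new ssh session: logging in proves the rules work, so disarm rollback.
confirm() {
    job=$(cat "$STATE/atjob" 2>/dev/null) || { echo "no rollback pending" >&2; return 1; }
    "$AT" -r "$job" && rm -f "$STATE/atjob" && echo "rollback job $job cancelled"
}

case ${1:-} in
    reload)  reload "${2:?usage: $0 reload /absolute/path/to/rules}" ;;
    confirm) confirm ;;
    *)       ;;   # no arguments: define the functions only
esac
```

Two caveats a practitioner should keep in mind. Between the flush and rule 100 there is a short window in which only the kernel's default rule applies, so an established session may lose a packet or two to retransmission; the rules file form keeps that window to a couple of ipfw calls, which is why JN's "-q" and the ordering matter. And the rollback only restores what ipfw list shows, not pipe or queue definitions, so a ruleset that depends on dummynet pipes (as Dr Cla's does) needs those re-created by the fallback job as well; try the whole sequence from the console once before trusting it over ssh.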

 
 
 

Post by JimJi » Wed, 11 Sep 2002 02:01:39


        Oh yes. You were both right. When I was running ipfw -q
/etc/rc.firewall, the syntax of the file was not right (I was not just
providing the arguments to ipfw).
        As for why, even when I put the command into the background, it
was not executed: it was because bash, which I'm using, doesn't have nohup
built in. When I ran nohup /etc/rc.firewall & I had no problems (thanks
John).

thx guys.

 
 
 

Post by Jamie Jone » Sun, 22 Sep 2002 01:06:10


On Mon, 09 Sep 2002 17:01:39 GMT, JimJi wrote in newsgroup comp.unix.bsd.freebsd.misc:

Quote:
>         As for why, even when I put the command into the background, it
> was not executed: it was because bash, which I'm using, doesn't have
> nohup built in. When I ran nohup /etc/rc.firewall & I had no problems
> (thanks John).

For things like this, I find "screen" (in the ports) invaluable. Amongst
other things, it creates a terminal session that carries on going if the
connection drops -- you just log in again and reconnect. It redraws the
screen, and you can even set a long scrollback buffer, so you don't miss
anything, like error messages etc.

So you run screen, then run the command as a normal foreground command;
if you disconnect (either intentionally or unintentionally), just come
back at any time and reconnect.

--
Jamie Jones, Gower, South Wales, UK.   http://www.bishopston.com/jamie/
---- 96 days to Christmas!        Word of the day: "counterdifficulty"
----- "I'm not big, and I'm not clever - and I'm definitely not funny."
------- The valid reply address on this posting expires in 7 days time.

 
 
 

1. Firewall rules problem for ssh

Hi,

I'm not able to connect to my ssh server when my firewall is up.
Everything is denied by default but I've added rules to allow http,
https, DNS and ssh. The first three seem to work fine but not ssh
communications.
Here are the rules:
ipchains -A INPUT -s 0/0 -d $MYIP-dport 20 -j ACCEPT
ipchains -A OUTPUT -s 0/0 -d $MYIP-dport 20 -j ACCEPT
ipchains -A INPUT -s $MYIP -d 0/0 -j ACCEPT
ipchains -A OUTPUT -s $MYIP -d 0/0 -j ACCEPT

Running RH7.1 with iptables

Does anybody have an idea of the way to set up the rules properly for ssh?

Thanks for any help

Dan
