Re: Security warning with sshd

From: Alexander Leidinger (Alexander_at_Leidinger.net)
Date: 08/24/05

    Date: Wed, 24 Aug 2005 10:29:09 +0200
    To: Pat Maddox <pergesu@gmail.com>
    
    

    Pat Maddox <pergesu@gmail.com> wrote:

    > Hey guys, thanks for the help so far. I'm going to post this to the
    > freebsd-pf list to see if anyone has any ideas...but I'm using PF, and
    > here's the config. Hopefully you can take a look and see what the
    > problem may be. As I said earlier, I'm not positive why I'm getting
    > those errors, but I believe it's because my SSH connection is getting
    > cut off whenever I enable the firewall. I've also been looking for a
    > way to not be cut off (since it's very annoying), and it seems like
    > figuring out and correcting these errors will also fix the second
    > problem.

    You have to enable the firewall before you use ssh.

    A stateful firewall can't know about connections which get set up before the
    firewall is started. Since the firewall starts with a clean state, it has to
    assume that no connection is valid and blocks all already-established
    traffic.

    So the behavior you see is what you requested from the system by starting the
    firewall after starting an ssh session. There's no need to be scared, it's not
    a security flaw, but you have to change your expectations.

    Bye,
    Alexander.

    -- 
    http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
    http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
    Don't you feel more like you do now than you did when you came in?
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
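A constructed illustration of the point made in the reply above, added here and not part of the original thread (it is a toy model, not PF code): a default-deny filter with a single "pass ... keep state" rule for inbound TCP/22. A state entry is only created when the filter sees the initial SYN, so a packet from a session opened before the filter started has no state and is dropped, while a session opened afterwards passes. The addresses, ports and packets are made up.

```python
"""Toy stateful packet filter (constructed example, not PF)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" (SYN), "PA" (PSH+ACK)


class StatefulFilter:
    """Default-deny filter with one 'pass in ... keep state' rule per port.
    Like PF's 'flags S/SA keep state', only a bare SYN creates state;
    any other packet must match an entry already in the state table."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.states = set()  # connection keys created since the filter started

    @staticmethod
    def _key(p):
        # Direction-independent key so replies match the same entry.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def filter(self, p):
        key = self._key(p)
        if key in self.states:
            return "pass"  # belongs to a connection whose setup we saw
        if p.flags == "S" and p.dport in self.allowed_ports:
            self.states.add(key)  # setup seen now: create state
            return "pass"
        return "block"  # mid-stream packet with no state entry


def ssh_before_and_after_firewall():
    """Scenario from the thread: ssh session opened, then the filter started."""
    fw = StatefulFilter(allowed_ports={22})  # fresh filter, empty state table
    # Data packet of a session that was established before the filter existed.
    old = Packet("192.0.2.10", 40001, "198.51.100.5", 22, "PA")
    old_result = fw.filter(old)  # no state for it, so it is blocked
    # A new session set up while the filter is running.
    syn = Packet("192.0.2.10", 40002, "198.51.100.5", 22, "S")
    data = Packet("192.0.2.10", 40002, "198.51.100.5", 22, "PA")
    reply = Packet("198.51.100.5", 22, "192.0.2.10", 40002, "PA")
    new_results = (fw.filter(syn), fw.filter(data), fw.filter(reply))
    return old_result, new_results
```

The model mirrors the PF behaviour the reply describes: the state table is empty when pf starts, so the only way an existing ssh session survives is to have the firewall running before the session is opened.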
    
