IPFW 设置允许受信任的客户端连接到 Mac(例如通过 ssh)

I have the following ipfw setup on my Mac OS X 10.4 Tiger:

00100 allow ip from any to 123.123.123.123
00110 allow tcp from any to 123.123.123.123
00120 allow udp from any to 123.123.123.123
00130 allow ip from 123.123.123.123 to any
00140 allow tcp from 123.123.123.123 to any
00150 allow udp from 123.123.123.123 to any
65534 deny ip from any to any
65535 allow ip from any to any

I tried to ssh into the Mac from a Linux machine with the IP address 123.123.123.123, and sshd is running on the Mac. However, the ssh client prints the following:

ssh [email protected] -v

OpenSSH_5.5p1, OpenSSL 1.0.0d-fips 8 Feb 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to mac.example.com [10.10.10.10] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type -1
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host

What could cause the Mac to close the connection abruptly before asking for a password?

I believe this is related to the IPFW settings, because ssh works fine when I use only the rule "65535 allow ip from any to any". Do I need, for example, a rule for reverse DNS lookups?

Answer 1

First, there is no need to specify tcp and udp separately if you are allowing all ip traffic in the first place. Also, it is usually easier to start the ruleset with "allow ip from me to any" to allow all outbound connections.

Try this ruleset and see what happens:

00100 allow ip from me to any
00200 allow ip from 123.123.123.123 to me ssh
01000 allow icmp from any to any
01001 allow igmp from any to any
65534 deny ip from any to any

An improved stateful version:

00060 check-state
00100 allow ip from me to any keep-state
00200 allow ip from 123.123.123.123 to me ssh setup keep-state
01000 allow icmp from any to any
01001 allow igmp from any to any
65534 deny ip from any to any
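Added example, not part of the question or the answer above: a small first-match evaluator for the subset of ipfw syntax used on this page, so the questioner's rules and the answer's two rulesets can be traced packet by packet without a Mac at hand. The addresses for the Mac (10.10.10.10), the trusted Linux client (123.123.123.123) and a DNS server (10.10.10.1) are constructed, and the semantics are the ones I rely on from ipfw: rules are tried in ascending number order and the first match decides; "me" matches the host's own addresses; "setup" matches only a TCP SYN without ACK; "keep-state" records the flow and "check-state" (or the first keep-state rule reached, which implies a check) accepts later packets of that flow in either direction. Run against the answer's stateless ruleset it shows the caveat a practitioner would want: the Mac's outbound DNS query passes rule 00100, but the reply is denied by 65534, so if sshd performs a reverse lookup of the client it stalls on that; the stateful version records the query and lets the reply back in through check-state. Run against the questioner's original rules it shows the TCP handshake itself permitted (consistent with the client's "Connection established") while the Mac's own DNS queries are denied.

```python
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"ssh": 22, "domain": 53}   # symbolic ports accepted by the parser


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", "icmp" or "igmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False         # TCP flags; only meaningful when proto == "tcp"
    ack: bool = False


@dataclass
class Rule:
    num: int
    action: str               # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False       # match only a TCP SYN without ACK
    keep_state: bool = False  # record the flow so its later packets pass check-state


def parse_rule(line: str) -> Rule:
    """Parse e.g. '00200 allow ip from 123.123.123.123 to me ssh setup keep-state'."""
    tok = line.split()
    if tok[1] == "check-state":
        return Rule(int(tok[0]), "check-state")
    rule = Rule(int(tok[0]), tok[1], proto=tok[2], src=tok[4], dst=tok[6])
    for opt in tok[7:]:                       # optional: destination port, setup, keep-state
        if opt == "setup":
            rule.setup = True
        elif opt == "keep-state":
            rule.keep_state = True
        else:
            rule.dport = SERVICE_PORTS.get(opt) or int(opt)
    return rule


class Firewall:
    """First-match evaluator: the lowest-numbered matching rule decides the packet."""

    def __init__(self, my_addrs, ruleset: str):
        self.my_addrs = set(my_addrs)          # what 'me' expands to
        self.rules = sorted((parse_rule(l) for l in ruleset.split("\n") if l.strip()),
                            key=lambda r: r.num)
        self.dynamic = set()                   # flows recorded by keep-state

    def _addr_ok(self, spec, addr):
        return spec == "any" or (spec == "me" and addr in self.my_addrs) or spec == addr

    @staticmethod
    def _flow(pkt):
        # direction-independent key, so the reply of a recorded flow also matches
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def _static_match(self, r, pkt):
        return (r.proto in ("ip", pkt.proto)
                and self._addr_ok(r.src, pkt.src) and self._addr_ok(r.dst, pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)
                and (not r.setup or (pkt.proto == "tcp" and pkt.syn and not pkt.ack)))

    def evaluate(self, pkt):
        """Return (action, rule number) of the rule that decided the packet."""
        for r in self.rules:
            # check-state, and any keep-state rule reached, consult the dynamic table first
            if (r.action == "check-state" or r.keep_state) and self._flow(pkt) in self.dynamic:
                return "allow", r.num          # simplification: all keep-state rules here allow
            if r.action != "check-state" and self._static_match(r, pkt):
                if r.keep_state:
                    self.dynamic.add(self._flow(pkt))
                return r.action, r.num
        return "allow", 65535                  # kernel default rule; this Mac defaults to accept


MAC, CLIENT, DNS_SERVER = "10.10.10.10", "123.123.123.123", "10.10.10.1"   # constructed addresses

STATELESS = """
00100 allow ip from me to any
00200 allow ip from 123.123.123.123 to me ssh
01000 allow icmp from any to any
01001 allow igmp from any to any
65534 deny ip from any to any"""

STATEFUL = """
00060 check-state
00100 allow ip from me to any keep-state
00200 allow ip from 123.123.123.123 to me ssh setup keep-state
01000 allow icmp from any to any
01001 allow igmp from any to any
65534 deny ip from any to any"""


def trace_ssh_login(ruleset: str) -> dict:
    """Push the packets behind one ssh login through a fresh firewall; return {step: action}."""
    fw = Firewall({MAC}, ruleset)
    steps = [
        ("ssh syn in",     Packet("tcp", CLIENT, MAC, 40000, 22, syn=True)),
        ("ssh synack out", Packet("tcp", MAC, CLIENT, 22, 40000, syn=True, ack=True)),
        ("ssh data in",    Packet("tcp", CLIENT, MAC, 40000, 22, ack=True)),
        ("dns query out",  Packet("udp", MAC, DNS_SERVER, 50000, 53)),   # sshd's reverse lookup
        ("dns reply in",   Packet("udp", DNS_SERVER, MAC, 53, 50000)),
    ]
    return {name: fw.evaluate(pkt)[0] for name, pkt in steps}


if __name__ == "__main__":
    for name, rs in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(name, trace_ssh_login(rs))
```

The evaluator is deliberately tiny: it ignores interfaces, directions, masks and port ranges, and it does not track TCP state beyond the SYN check that "setup" needs. It is enough to see why a ruleset built only from "allow from me to any" needs keep-state (or explicit return rules) before any service the Mac itself consults, such as DNS, will work, and why "setup keep-state" on the ssh rule rejects a stray non-SYN segment that belongs to no recorded connection.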
