Re: IPFILTER_DEFAULT_BLOCK & No route to host
From: Dag-Erling Smørgrav (des_at_des.no)
Date: 09/30/03
- Previous message: Dag-Erling Smørgrav: "Re: FreeBSD-SA-03:15.openssh"
- In reply to: echelon: "Re: IPFILTER_DEFAULT_BLOCK & No route to host"
- Next in thread: Justin: "Re: IPFILTER_DEFAULT_BLOCK & No route to host"
- Reply: Justin: "Re: IPFILTER_DEFAULT_BLOCK & No route to host"
To: echelon <e_chelon@yahoo.com>
Date: Tue, 30 Sep 2003 16:54:40 +0200
echelon <e_chelon@yahoo.com> writes:
> However, I use the following rules for the internal network interface (xl1)
>
> # Group 9000 (internal network interface)
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> pass in quick on xl1 all group 9000
>
> With these rules, I believe I should be able to ping and SSH to the
> FreeBSD box from my internal network no matter whether the option
> IPFILTER_DEFAULT_BLOCK is set or not.
You're only letting traffic *in*. You're not letting anything *out*.
TCP, like love, is a two-way street.
DES
--
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
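Added example, not part of the thread: a toy Python model of IPFilter's rule evaluation run over the quoted xl1 rules, showing that under a default-block kernel the return half of an SSH session matches no `pass out` rule. The address 192.168.1.10 stands in for the elided 192.168.x.x, the extra `pass out` rule is a hypothetical fix, and ignoring addresses, groups and `return-rst` is a simplifying assumption.

```python
"""Toy model of IPFilter evaluation: last matching rule wins unless a matching
rule is 'quick'; a packet matching no rule gets the kernel default
(IPFILTER_DEFAULT_BLOCK => block). Addresses/groups/return-rst ignored (assumption)."""
from dataclasses import dataclass

# 192.168.1.10 is a constructed stand-in for the poster's elided 192.168.x.x
QUOTED_RULES = [
    "block return-rst in log quick on xl1 proto tcp from any to 192.168.1.10/32 port = 23 group 9000",
    "block return-rst in log quick on xl1 proto tcp from any to 192.168.1.10/32 port = 21 group 9000",
    "pass in quick on xl1 all group 9000",
]
# Hypothetical fix in the spirit of the reply: also let traffic *out* on xl1.
FIXED_RULES = QUOTED_RULES + ["pass out quick on xl1 all group 9000"]

@dataclass
class Packet:
    direction: str  # "in" or "out" relative to the host
    iface: str
    proto: str
    dst_port: int

def parse_rule(line: str) -> dict:
    """Parse the subset of ipf.conf syntax used in the quoted rules."""
    tok = line.split()
    return {
        "action": tok[0],  # "block" or "pass"
        "direction": "out" if "out" in tok else "in",
        "quick": "quick" in tok,
        "iface": tok[tok.index("on") + 1],
        "proto": tok[tok.index("proto") + 1] if "proto" in tok else None,
        "dst_port": int(tok[tok.index("port") + 2]) if "port" in tok else None,  # "port = 23"
    }

def matches(rule: dict, pkt: Packet) -> bool:
    return (rule["direction"] == pkt.direction and rule["iface"] == pkt.iface
            and rule["proto"] in (None, pkt.proto)
            and rule["dst_port"] in (None, pkt.dst_port))

def verdict(rules: list, pkt: Packet, default_block: bool) -> str:
    result = "block" if default_block else "pass"  # kernel default if nothing matches
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break
    return result

# One SSH session from the LAN: the SYN arrives on xl1, the SYN-ACK must leave on xl1.
SSH_SYN = Packet("in", "xl1", "tcp", 22)
SSH_SYNACK = Packet("out", "xl1", "tcp", 51234)  # client's ephemeral port (constructed)
```

With the quoted rules, `verdict(QUOTED_RULES, SSH_SYNACK, True)` is "block" while the inbound SYN passes; the session only completes once an out rule exists or the kernel default is pass.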