Re: IPFW Problems?



--- Noah Silverman <noah@xxxxxxxxxxxxxxx> wrote:
> Take the following rules:
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0

I think rule 430 needs a keep-state, because you do not have a rule that allows
outgoing SSH packets for established TCP connections.

In addition to the previously mentioned "check-state" at the beginning, you would need
a "keep-state" in rule 430...

> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being
> triggered by an attempted incoming connection.

Hmm... That's strange... What about rule 299? There should be something about
rule 299 in the logs... Maybe I am wrong...


-Arne
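Added example, not part of the thread: a small Python model of first-match filtering in the spirit of ipfw's check-state / keep-state, tracing an inbound SSH handshake through the posted rules once without state on rule 430 and once with the check-state and keep-state Arne suggests. It is a constructed simplification (flows keyed by port pair only, the "limit" keyword not modelled, packets made up), not ipfw itself.

```python
from collections import namedtuple
from dataclasses import dataclass
Packet = namedtuple("Packet", "direction sport dport syn ack")  # one TCP segment

@dataclass
class Rule:
    num: int
    action: str              # "allow", "deny" or "check-state"
    direction: str = "any"   # "in", "out" or "any" (ipfw "in"/"out via bge0")
    dport: int = 0           # TCP destination port to match, 0 = any
    setup: bool = False      # match only SYN without ACK (ipfw "setup")
    keep_state: bool = False # remember the flow on match (ipfw "keep-state")

class Filter:
    # First-match filter. Flows are keyed by the port pair only, a simplification
    # of ipfw's dynamic rules, which also key on addresses and protocol.
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.state = set()

    def check(self, p):
        """Return (deciding rule number, verdict) for one packet."""
        flow = frozenset((p.sport, p.dport))
        for r in self.rules:
            if r.action == "check-state":
                if flow in self.state:
                    return r.num, "allow"  # dynamic rule matches both directions
                continue
            if (r.direction not in ("any", p.direction) or (r.dport and r.dport != p.dport)
                    or (r.setup and not (p.syn and not p.ack))):
                continue
            if r.keep_state:
                self.state.add(flow)
            return r.num, r.action
        return 65535, "deny"  # ipfw's default rule

# Rules as posted, with no state on inbound rule 430 ("limit" is not modelled here)
STATELESS = [Rule(280, "allow", "out", 22, setup=True, keep_state=True),
             Rule(299, "deny", "out"), Rule(430, "allow", "in", 22, setup=True),
             Rule(499, "deny", "in")]
# Same rules with a check-state up front and keep-state on rule 430, as Arne suggests
STATEFUL = [Rule(10, "check-state")] + STATELESS[:2] + [
    Rule(430, "allow", "in", 22, setup=True, keep_state=True), STATELESS[3]]

def inbound_ssh(rules):
    """Trace an inbound SSH handshake and one server reply; constructed packets."""
    f = Filter(rules)
    segments = [Packet("in", 50000, 22, True, False),   # client SYN
                Packet("out", 22, 50000, True, True),   # our SYN-ACK
                Packet("in", 50000, 22, False, True),   # client ACK
                Packet("out", 22, 50000, False, True)]  # our first data segment
    return [f.check(p) for p in segments]
```

Without state the SYN is accepted by 430 but our SYN-ACK dies on the outbound deny (299) and the rest on 499; with the check-state in front, every packet after the SYN is matched by the dynamic entry that 430 created.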


_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security