Re: IPFW Problems?



--- Noah Silverman <noah@xxxxxxxxxxxxxxx> wrote:
Take the following rules:
ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-
state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
src-addr 2
ipfw add 00499 deny log all from any to any in via bge0

I think rule 430 needs a keep-state, because u do not have a rule, that allows
out-going ssh packets for established tcp connections.

In addition to the before-mentioned "check-state" in the beginning u would need
a "keep-state" in rule 430...

When I install this firewall configuration, I'm locked out of the
box. An inspection of the logs shows that rule 499 is being
triggered by an attempted incoming connection.

Hmm... That's strange... What about rule 299? There should be something about
rule 299 in the logs... Maybe I am wrong...


-Arne


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"