Re: IPFW: Blocking me out. How to debug?
- From: "Matt Piechota" <piechota@xxxxxxxxxxx>
- Date: Thu, 20 Dec 2007 12:50:16 -0500 (EST)
On Thu, December 20, 2007 1:39 am, W. D. wrote:
I'm no expert on firewalls, so take this with a grain of salt.
> # Loopback:

Nope.

> # Allow anything on the local loopback:
> add allow all from any to any via lo0
> add deny ip from any to 127.0.0.0/8
> add deny ip from 127.0.0.0/8 to any

> # Allow established connections:

Nope.

> add allow tcp from any to any established

> # Deny fragmented packets:
> add deny ip from any to any frag
Perhaps this is the issue? I would think that if an IP fragment comes in,
it's specifically *not* an established TCP connection (yet), so it would
be blocked by this rule. No IP fragments means they don't have a chance
to be reassembled into an actual packet.
All the profiles in rc.firewall specifically allow ip frags, so I'd think
they're required.
> Could anyone please throw this tired dog a bone?

Fetch! :)
--
Matt Piechota
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
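As an added illustration of the rule-ordering argument in the reply above (this is example code, not anything from the thread and not FreeBSD's ipfw implementation): a deliberately simplified first-match model of the five quoted rules. Rule numbers, interface names and packet addresses are constructed for the example. The model assumes two documented ipfw behaviours: `frag` matches only non-first fragments, and `established` can only match a packet that actually carries the TCP header, so a non-first fragment of an established flow falls past the `established` rule and lands on the `frag` deny.

```python
"""Toy first-match model of the quoted ipfw rules (added example, not ipfw itself)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The rule set quoted in the thread. The rule numbers are constructed for this
# example; ipfw assigns its own numbers when a rule is added without one.
RULES_TEXT = """
add 100 allow all from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 allow tcp from any to any established
add 500 deny ip from any to any frag
"""


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    iface: str                 # interface the packet traverses (what "via" checks)
    established: bool = False  # TCP ACK or RST set; only visible when the TCP header is present
    frag: bool = False         # non-first IP fragment (offset != 0): no transport header


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    via: Optional[str] = None
    established: bool = False
    frag: bool = False
    hits: int = 0              # per-rule counter, like the one `ipfw -a list` displays


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax used in the quoted rules."""
    toks = line.split()
    if toks[0] != "add" or "from" not in toks or "to" not in toks:
        raise ValueError("unsupported rule: " + line)
    number, action, proto = int(toks[1]), toks[2], toks[3]
    src = toks[toks.index("from") + 1]
    to = toks.index("to")
    rule = Rule(number, action, proto, src, toks[to + 1])
    rest = toks[to + 2:]
    while rest:
        opt = rest.pop(0)
        if opt == "via":
            rule.via = rest.pop(0)
        elif opt == "established":
            rule.established = True
        elif opt == "frag":
            rule.frag = True
        else:
            raise ValueError("unsupported option: " + opt)
    return rule


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines()]


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.frag and not pkt.frag:
        return False
    # "established" needs the TCP flags, which only the first fragment carries.
    if rule.established and (pkt.proto != "tcp" or pkt.frag or not pkt.established):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """First matching rule wins; with no match we assume the kernel default is deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            rule.hits += 1
            return rule.number, rule.action
    return None, "deny"


def counters(rules: List[Rule]) -> Dict[int, int]:
    return {r.number: r.hits for r in rules}


if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    samples = {  # constructed packets
        "loopback":            Packet("tcp", "10.0.0.1", "127.0.0.1", "lo0", established=True),
        "reply, whole packet": Packet("tcp", "203.0.113.9", "192.0.2.10", "em0", established=True),
        "reply, 2nd fragment": Packet("tcp", "203.0.113.9", "192.0.2.10", "em0", frag=True),
        "spoofed 127/8":       Packet("tcp", "127.0.0.1", "192.0.2.10", "em0"),
        "new inbound SYN":     Packet("tcp", "203.0.113.9", "192.0.2.10", "em0"),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} -> rule {evaluate(rules, pkt)}")
    print("counters:", counters(rules))
```

Running the script shows the unfragmented reply accepted by rule 400 while the second fragment of the same flow is dropped by rule 500, and that a fresh inbound SYN matches nothing at all in this excerpt (so whatever admits it must live in the rules that were not quoted). On the real box the same evidence comes from the per-rule counters in `ipfw -a list` and from turning `deny` rules into `deny log` with `net.inet.ip.fw.verbose` enabled, which names the rule number that actually dropped the traffic.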
- References:
- IPFW compiled in kernel: Where is it reading the config?
- From: W. D.
- Re: IPFW compiled in kernel: Where is it reading the config?
- From: Gary Palmer
- Re: IPFW compiled in kernel: Where is it reading the config?
- From: W. D.
- IPFW: Blocking me out. How to debug?
- From: W. D.
- Re: IPFW: Blocking me out. How to debug?
- From: Tuomo Latto
- Re: IPFW: Blocking me out. How to debug?
- From: W. D.