Date:      Wed, 5 Dec 2001 17:17:34 -0800
From:      "Crist J . Clark" <cjc@FreeBSD.ORG>
To:        Didier Rwitura <drwitura@primus.ca>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: IPFW with SSH
Message-ID:  <20011205171734.L3061@blossom.cjclark.org>
In-Reply-To: <Pine.LNX.4.30.0112051944490.15244-100000@staffshell.primus.ca>; from drwitura@primus.ca on Wed, Dec 05, 2001 at 07:46:57PM -0500
References:  <Pine.LNX.4.30.0112051944490.15244-100000@staffshell.primus.ca>

On Wed, Dec 05, 2001 at 07:46:57PM -0500, Didier Rwitura wrote:
> 
> .. can you guys help me with opening ssh port 22 using
> ipfw (I can connect to other hosts without any
> problem but can not access my box from outside ...
> here is my whole ruleset file
> 
> #from man 8 ipfw: allow only outbound TCP connections I've created
> #allow ssh
> add 00300 check-state
> add 00301 allow tcp from any to any in established
> add 00302 allow tcp from any ssh to any out setup keep-state
> add 00304 allow tcp from any to any ssh in
> add 00305 allow tcp from any to any out setup keep-state

Rules 300 and 301 are an odd pair. Not much point in bothering with
keep-state rules if you have rule 301. Also, unless it is for usage
statistics, there is no reason for rule 302 in light of 305. Not to
mention the fact that I doubt 302 is ever triggered; a SYN with a
source of 22?

I believe your problem is that you can't establish SSH sessions since
you are not letting your SYN-ACK response back out. How about
replacing all of those with,

  add 300 allow tcp from any to any ssh in  setup keep-state
  add 310 allow tcp from any to any     out setup keep-state

-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
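To make the diagnosis above concrete, here is an added example (not part of the thread, and not ipfw's own code) that models just enough of ipfw evaluation to run both rulesets against a constructed inbound SSH handshake: "established" means the ACK bit is set, "setup" means SYN without ACK, keep-state records the flow so later packets in either direction match, and anything unmatched hits an assumed default deny. The port numbers and packets are constructed for the demonstration.

```python
# Minimal model of ipfw evaluation for the two rulesets in the thread. Assumes a
# default-deny policy and ignores RST; enough to see why the SYN-ACK is dropped.
from collections import namedtuple

Packet = namedtuple("Packet", "direction sport dport syn ack")   # ports and TCP flags

def rule(num, action, sport=None, dport=None, direction=None,
         established=False, setup=False, keep_state=False):
    return dict(num=num, action=action, sport=sport, dport=dport, direction=direction,
                established=established, setup=setup, keep_state=keep_state)

def flow(p):
    """Flow key (remote port, local port), identical for both directions of a session."""
    return (p.sport, p.dport) if p.direction == "in" else (p.dport, p.sport)

def matches(r, p):
    return (r["direction"] in (None, p.direction) and r["sport"] in (None, p.sport)
            and r["dport"] in (None, p.dport) and (not r["established"] or p.ack)
            and (not r["setup"] or (p.syn and not p.ack)))

def check(rules, dynamic, p):
    """Return (verdict, rule number); (deny, None) is the implicit default deny."""
    for r in sorted(rules, key=lambda r: r["num"]):
        # check-state, and any keep-state rule, consults the dynamic table first
        if (r["action"] == "check-state" or r["keep_state"]) and flow(p) in dynamic:
            return ("allow", r["num"])
        if r["action"] == "allow" and matches(r, p):
            if r["keep_state"]:
                dynamic.add(flow(p))
            return ("allow", r["num"])
    return ("deny", None)

ORIGINAL = [rule(300, "check-state"),
            rule(301, "allow", direction="in", established=True),
            rule(302, "allow", sport=22, direction="out", setup=True, keep_state=True),
            rule(304, "allow", dport=22, direction="in"),
            rule(305, "allow", direction="out", setup=True, keep_state=True)]
PROPOSED = [rule(300, "allow", dport=22, direction="in", setup=True, keep_state=True),
            rule(310, "allow", direction="out", setup=True, keep_state=True)]

def inbound_ssh(rules):
    """Verdicts for a constructed inbound SSH handshake: SYN in, SYN-ACK out, ACK in."""
    dynamic = set()
    handshake = [Packet("in", 40000, 22, True, False),
                 Packet("out", 22, 40000, True, True),
                 Packet("in", 40000, 22, False, True)]
    return [check(rules, dynamic, p) for p in handshake]
```

With ORIGINAL the SYN is accepted by rule 304 but the SYN-ACK matches nothing outbound (302 and 305 need a bare SYN, and 304 created no state), so the handshake never completes; with PROPOSED rule 300 records the flow and its dynamic entry passes both later packets.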