Date: Mon, 17 Apr 2006 17:09:17 -0700
From: Noah Silverman <noah@allresearch.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: freeBSD List <freebsd-questions@freebsd.org>, David Wolfskill <david@catwhisker.org>
Subject: Re: IPFW Problems?
Message-ID: <C0E1D1EF-EED0-4C64-A0A2-5C0BC63E4C22@allresearch.com>
In-Reply-To: <444427F4.2070405@mac.com>
References: <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com> <3BE1F863-F59D-49EC-A9D4-AEF6D89C5ABD@mac.com> <20060417224415.GY32062@bunrab.catwhisker.org> <444427F4.2070405@mac.com>
I tried it with: "ipfw add 00015 check-state"

I still get locked out :(

This is the "standard" firewall from the openbsd manual (on the website.) I don't understand why it wouldn't work "as is".

Thanks,

-N

On Apr 17, 2006, at 4:42 PM, Chuck Swiger wrote:

> David Wolfskill wrote:
>> On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
>>> [ ...redirected to freebsd-questions... ]
>> Thanks for doing that!
>
> It seemed appropriate. :)
>
> [ ... ]
>>> You don't have a check-state rule anywhere, so you either need to
>>> add one or a rule to pass established traffic to and from port 22.
>> I thought check-state was fairly optional; ref:
>>
>>     These dynamic rules, which have a limited lifetime, are checked at the
>>     first occurrence of a check-state, keep-state or limit rule, and are
>>     typically used to open the firewall on-demand to legitimate traffic only.
>>     See the STATEFUL FIREWALL and EXAMPLES Sections below for more
>>     information on the stateful behaviour of ipfw.
>>
>> (from "man ipfw" on a 4.11 system).
>
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right?
>
> So the dynamic rule checking doesn't actually fire, so the "add
> 00499 deny log all from any to any" rule fires and blocks it.
> Doing a "ipfw add 10 check-state" would probably make SSH go for
> the original poster...
>
> --
> -Chuck
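The ordering problem Chuck describes (a catch-all deny that is evaluated before ipfw ever consults the dynamic ruleset) is easy to check for offline. The following is an added example, not code from the thread or from FreeBSD: a small lint that parses `ipfw add` lines, applies the rule the quoted man page states (dynamic rules are consulted at the first check-state, keep-state or limit rule) and reports whether a catch-all deny is numbered below that point. The two rulesets are constructed for illustration; `bge0` and the rule numbers 00015/00499 are taken from the thread, the rest is assumed.

```python
"""Lint an ipfw ruleset for a catch-all deny that precedes any stateful rule.

Added example (constructed), not part of the mailing-list thread.
"""

# Rule keywords at which ipfw consults the dynamic ruleset, per the
# "man ipfw" text quoted in the thread.
STATEFUL_KEYWORDS = ("check-state", "keep-state", "limit")


def parse_rule(line):
    """Turn 'ipfw add 00499 deny log all from any to any' (or the same
    line without the 'ipfw add' prefix) into (rule_number, body_tokens)."""
    tokens = line.split()
    if tokens[:2] == ["ipfw", "add"]:
        tokens = tokens[2:]
    if not tokens or not tokens[0].isdigit():
        raise ValueError("rule must start with a rule number: %r" % line)
    return int(tokens[0]), tokens[1:]


def consults_dynamic_state(body):
    """True if evaluating this rule makes ipfw look at the dynamic ruleset."""
    return any(tok in STATEFUL_KEYWORDS for tok in body)


def is_catch_all_deny(body):
    """True for 'deny [log] (all|ip) from any to any' with no further qualifiers."""
    toks = [t for t in body if t != "log"]
    return (
        len(toks) == 6
        and toks[0] == "deny"
        and toks[1] in ("all", "ip")
        and toks[2:] == ["from", "any", "to", "any"]
    )


def audit(ruleset):
    """Report where dynamic state is first consulted and where the first
    catch-all deny sits. ipfw evaluates rules in ascending number order, so
    if the deny is numbered below the first stateful rule, return traffic
    for keep-state sessions hits the deny and is never matched dynamically."""
    parsed = [parse_rule(l) for l in ruleset if l.strip() and not l.lstrip().startswith("#")]
    rules = sorted(parsed, key=lambda r: r[0])
    first_state = next((n for n, body in rules if consults_dynamic_state(body)), None)
    first_deny = next((n for n, body in rules if is_catch_all_deny(body)), None)
    reachable = first_state is not None and (first_deny is None or first_state < first_deny)
    return {
        "first_state_check": first_state,
        "catch_all_deny": first_deny,
        "state_reachable": reachable,
    }


# Constructed ruleset in the spirit of the thread: the only stateful rule is
# numbered above the catch-all deny, so inbound SSH replies are dropped.
LOCKED_OUT = [
    "ipfw add 00100 allow all from any to any via lo0",
    "ipfw add 00499 deny log all from any to any",
    "ipfw add 00500 allow tcp from any to any 22 out via bge0 setup keep-state",
]

# Same ruleset with the fix suggested in the thread: an early check-state.
FIXED = ["ipfw add 00015 check-state"] + LOCKED_OUT


if __name__ == "__main__":
    for name, rs in (("locked out", LOCKED_OUT), ("fixed", FIXED)):
        print(name, audit(rs))
```

Run it against the output of `ipfw list` (one rule per line) to get the same verdict for a live ruleset; the check is purely textual and never invokes `ipfw`.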