From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 27 08:40:54 2003
Message-ID: <3F23F282.5020605@tenebras.com>
Date: Sun, 27 Jul 2003 08:40:50 -0700
From: Michael Sierchio
To: Darren
cc: freebsd-ipfw@freebsd.org
References: <13347545536.20030726003910@dazdaz.org>
In-Reply-To: <13347545536.20030726003910@dazdaz.org>
Subject: Re: no keep-state and and unpredictable ssh connections
List-Id: IPFW Technical Discussions

You may need to fiddle with the default values for these

net.inet.ip.fw.dyn_ack_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_udp_lifetime
net.inet.ip.fw.dyn_short_lifetime

and you want

/sbin/sysctl net.inet.ip.fw.dyn_keepalive=1

Anyway, try it this way.
#!/bin/sh
# Stateful ipfw ruleset: outbound traffic creates dynamic rules,
# inbound is limited to SSH and HTTP (logged), everything else is denied.

fwcmd="/sbin/ipfw -q"
mynet="192.168.1.0/24"   # local LAN prefix; placeholder value, set it to your own network

$fwcmd -f flush

# loopback is always allowed
$fwcmd add allow ip from any to any via lo0

# packets matching an existing dynamic (keep-state) rule are accepted here
$fwcmd add check-state

# loopback addresses must never appear on the wire
$fwcmd add deny ip from 127.0.0.0/8 to any
$fwcmd add deny ip from any to 127.0.0.0/8

# a TCP segment that is not a SYN and did not match a dynamic rule above
# belongs to no known connection: drop it
$fwcmd add deny tcp from any to any established

# antispoofing rules (xl0 is the external interface)
$fwcmd add deny ip from 10.0.0.0/8 to any in recv xl0
$fwcmd add deny ip from 172.16.0.0/12 to any in recv xl0
$fwcmd add deny ip from 192.168.0.0/16 to any in recv xl0
$fwcmd add deny ip from me to any in recv xl0

# some ICMP types you mustn't block -- esp. 3 for PMTU, etc.
# (0 echo reply, 3 destination unreachable, 11 time exceeded)
$fwcmd add allow icmp from any to any icmptype 0,3,11

# allow local net traffic
$fwcmd add allow ip from $mynet to $mynet

# from me to anywhere: outbound TCP SYNs and UDP create dynamic rules
$fwcmd add allow tcp from me to any setup keep-state
$fwcmd add allow udp from me to any keep-state
$fwcmd add allow icmp from me to any

# Separate rules for SSH and HTTP, etc.
# The count rules log every inbound SYN (logamount 0 = no logging limit);
# the allow rules create the dynamic state for the accepted connection.
$fwcmd add count log logamount 0 tcp from any to me ssh in recv xl0 setup
$fwcmd add allow tcp from any to me ssh in recv xl0 setup keep-state
$fwcmd add count log logamount 0 tcp from any to me http in recv xl0 setup
$fwcmd add allow tcp from any to me http in recv xl0 setup keep-state

# everything else is denied and logged
$fwcmd add deny log logamount 0 ip from any to any