From owner-freebsd-security  Thu Sep 12 14:40:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2796437B401
	for <freebsd-security@FreeBSD.ORG>; Thu, 12 Sep 2002 14:40:31 -0700 (PDT)
Received: from smtpout.mac.com (smtpout.mac.com [204.179.120.97])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A686A43E75
	for <freebsd-security@FreeBSD.ORG>; Thu, 12 Sep 2002 14:40:30 -0700 (PDT)
	(envelope-from cswiger@mac.com)
Received: from smtp-relay02.mac.com (smtp-relay02-en1 [10.13.10.225])
	by smtpout.mac.com (Xserve/MantshX 2.0) with ESMTP id g8CLeTmF028057
	for <freebsd-security@FreeBSD.ORG>; Thu, 12 Sep 2002 14:40:29 -0700 (PDT)
Received: from asmtp02.mac.com (asmtp02-qfe3 [10.13.10.66])
	by smtp-relay02.mac.com (8.12.1/8.12.1/1.0) with ESMTP id g8CLeTZH015590
	for <freebsd-security@FreeBSD.ORG>; Thu, 12 Sep 2002 14:40:29 -0700 (PDT)
Received: from bust ([12.38.161.88]) by asmtp02.mac.com
          (Netscape Messaging Server 4.15) with ESMTP id H2CHJG00.13O for
          <freebsd-security@FreeBSD.ORG>; Thu, 12 Sep 2002 14:40:28 -0700 
Date: Thu, 12 Sep 2002 17:40:27 -0400
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v482)
From: Chuck Swiger <cswiger@mac.com>
To: freebsd-security@FreeBSD.ORG
Content-Transfer-Encoding: 7bit
In-Reply-To: <DA6132B6-C696-11D6-90D4-000A27D85A7E@mac.com>
Message-Id: <40991368-C698-11D6-90D4-000A27D85A7E@mac.com>
X-Mailer: Apple Mail (2.482)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thursday, September 12, 2002, at 05:30  PM, Chuck Swiger wrote:
> Ok.  Here are the equivalent static rules:
>
>    allow tcp from $INET to any 22 setup
>    allow tcp from any 22 to $INET established

Either remove the "setup" keyword, or add the "log" keyword to the first 
line and and this rule as well:

	allow tcp from $INET to any 22 established

...depending on whether or not you want to log SSH connections.

-Chuck

        Chuck Swiger | chuck@codefab.com | All your packets are belong to 
us.
        
-------------+-------------------+-----------------------------------
        "The human race's favorite method for being in control of the facts
         is to ignore them."  -Celia Green


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message