From: Michael Sharp <freebsd@ec.rr.com>
To: freebsd-questions@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 16 Jul 2002 21:42:48 -0400
Subject: Dynamic Rules with IPFW
Message-Id: <20020716214248.3fef4af2.freebsd@ec.rr.com>

I use dynamic rulesets with IPFW:

    ipfw add check-state
    ipfw add deny tcp from any to any established
    ipfw add allow tcp from my-net to any setup keep-state

But I also have services I need anyone on the net to get to, without me making a connection first from "my-net". I allow such services with:

    allow tcp from any to my-net 25,80,443 setup in via xl0 keep-state

This works fine for 25, 80, and 443. However, when I apply the same rule for SSH and log in to my box remotely, about 10 minutes later the connection just dies, and it dies with every connection. Removing the keep-state option for ssh effectively closes 22, obviously.

Would check-state be a better option here?

Michael
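The ruleset above, carried through as a complete rc.firewall-style script (an added example, not part of the original post). It assumes the outside interface is xl0 as in the post and uses the TEST-NET-1 block 192.0.2.0/24 as a stand-in for "my-net". The point it adds is the lifetime of dynamic rules: an entry created by keep-state for an established TCP session expires net.inet.ip.fw.dyn_ack_lifetime seconds (default 300) after the last packet, so an idle ssh session outlives its entry and its next packet falls through to the "deny ... established" rule. The script raises that lifetime and, on releases that have the knob, enables net.inet.ip.fw.dyn_keepalive so ipfw refreshes idle entries itself. ${fwcmd} and ${sysctlcmd} are assumed variables so the script can be dry-run with echo on a host without ipfw.

```shell
#!/bin/sh
# Stateful ipfw ruleset, /etc/rc.firewall style. Added example; not the
# original poster's script. Override fwcmd/sysctlcmd with "echo" to dry-run.
fwcmd="${fwcmd:-/sbin/ipfw}"
sysctlcmd="${sysctlcmd:-/sbin/sysctl}"
oif="${oif:-xl0}"                  # outside interface, as in the post
mynet="${mynet:-192.0.2.0/24}"     # placeholder (TEST-NET-1) for "my-net"

# Dynamic rules for established TCP sessions expire after
# net.inet.ip.fw.dyn_ack_lifetime seconds (default 300) of silence.
# An idle ssh login crosses that and then hits the "deny ... established"
# rule below. Raise the lifetime and let ipfw send keepalives (the
# dyn_keepalive sysctl exists on later 4.x releases; an assumption here).
tune_dynamic() {
    ${sysctlcmd} net.inet.ip.fw.dyn_ack_lifetime=3600
    ${sysctlcmd} net.inet.ip.fw.dyn_keepalive=1
}

load_rules() {
    ${fwcmd} -f flush
    # Match packets of sessions that already have a dynamic entry.
    ${fwcmd} add 100 check-state
    # Anything else claiming to be mid-session has no entry: drop it.
    ${fwcmd} add 200 deny tcp from any to any established
    # Outbound sessions started from my-net create dynamic entries.
    ${fwcmd} add 300 allow tcp from ${mynet} to any setup keep-state
    # Inbound services reachable from anywhere, same stateful treatment.
    ${fwcmd} add 400 allow tcp from any to ${mynet} 25,80,443 setup in via ${oif} keep-state
    ${fwcmd} add 410 allow tcp from any to ${mynet} 22 setup in via ${oif} keep-state
    # Catch-all: log what falls through so misses are visible in the logs.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Usage: sh rc.stateful.sh apply   (or: fwcmd=echo sysctlcmd=echo sh rc.stateful.sh apply)
if [ "${1:-}" = "apply" ]; then
    tune_dynamic
    load_rules
fi
```

Run it with fwcmd=echo and sysctlcmd=echo first to review the generated rules; ordering matters, since check-state must precede the deny on established packets or no dynamic session can ever pass it.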