From: "Anthony M. Agelastos"
Date: Wed, 5 Apr 2006 22:27:44 -0400
To: Ean Kingston
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw and ssh
In-Reply-To: <200604052208.08520.ean@istop.com>
Message-Id: <67DDE7FA-3DCD-4076-8DE2-51B21730AD87@gmail.com>
X-Mailer: Apple Mail (2.749.3)
List-Id: User questions <freebsd-questions@freebsd.org>

Thank you for your very prompt reply. I tried your suggestion and it didn't work. I do not know why. Is the location where I place this in the client profile important? I have also tried the person's actual IP address as well as the IP address of the router (just in case it is not doing something weird) to no avail.

What is the easiest way of making changes to the firewall rules and applying them so I do not have to reboot each time? I assume a kldunload ipfw.ko and then a kldload ipfw.ko should do it, but I don't want to risk doing something incorrect while I am trying to debug my current problem.

On Apr 5, 2006, at 10:08 PM, Ean Kingston wrote:

> You neglected to include the 'add' in your first fwcmd.
>
> You may want to try something simple to start with. I haven't used ipfw in a while so hopefully my syntax is still good. Here is a simple starting point:
>
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx" # IP Address of person
> ${fwcmd} add allow tcp from ${mip} to me 22 in # allow connection to ssh
> ${fwcmd} add allow tcp from me 22 to ${mip} out # allow me to respond
>
> I think all you really need is this:
>
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup
>
> Since the rest of it should be taken care of by the rest of the 'client' ipfw setup.
>
> On Wednesday 05 April 2006 21:50, Anthony M. Agelastos wrote:
>> Hello everyone,
>>
>> Allow me to preface my problem by saying that I am very ignorant when it comes to networking. I do apologize if this is trivial. In any event, I enabled the "client" ipfw firewall located in /etc/rc.firewall. This appears to work well for my needs... except for one additional item. I need someone outside of my network to have SSH access to my machine. I know his/her IP address. So, I have added some additional items to rc.firewall for this. Here is what I added.
>>
>> # Allow person SSH access
>> mip="xxx.xxx.xxx.xxx"
>> ${fwcmd} allow tcp from any to any 22 out setup keep-state
>> ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
>>
>> I have tried many, many differing variations of this from items I have found online. I cannot get any of them to work. My network setup is as follows:
>>
>> internet -> cable modem -> netgear router -> freebsd 6.1-prerelease
>>
>> This user can SSH into my machine when I set the firewall to "open". Any ideas?
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> --
> Ean Kingston, BSc, CISSP, ARO
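Editor's added example, not code from either poster or from FreeBSD's rc.firewall. Two things in the thread deserve a concrete check. First, ipfw is first-match: the "client" section of /etc/rc.firewall ends its TCP handling with "deny tcp from any to any setup", so a pass rule pasted after that line is never reached, which is one plain answer to "is the location important?". The rule below uses "me" (every address configured on the host) rather than the profile's ${ip} variable, so it does not depend on that variable having been edited, and the script includes an offline check of "ipfw list" output that the SSH rule really sits above the blanket deny. Second, rule changes take effect immediately and rc.firewall flushes and rebuilds the set when re-run, so there is no need to kldunload/kldload ipfw.ko; a timer that disables filtering is the usual safety net when reloading over SSH. Assumptions are mine: 198.51.100.7 is a documentation address standing in for the remote user's real IP (the thread's "mip"), and by default fwcmd is set to a dry run that only prints the ipfw command.

```shell
#!/bin/sh
# Added example for the "ipfw and ssh" thread; not from the original posts
# or from /etc/rc.firewall. Assumptions: 198.51.100.7 stands in for the
# remote user's public address; fwcmd defaults to a dry run (echo) here,
# whereas rc.firewall sets it to ipfw. Set fwcmd="ipfw -q" to load for real.

fwcmd="${fwcmd:-echo ipfw -q}"

# Emit the SSH pass rule for one remote address. Only the connection setup
# (SYN) needs an explicit pass; the client profile's
# "pass tcp from any to any established" rule carries the rest of the
# session. "me" matches every address on this host, so the rule does not
# depend on the profile's ${ip} variable (useful behind a NAT router), and
# "in" restricts it to inbound packets. Paste the body ABOVE the profile's
# "deny tcp from any to any setup" line; ipfw stops at the first match.
ssh_rules() {
    mip="$1"
    ${fwcmd} add pass tcp from "${mip}" to me 22 in setup
}

# Read "ipfw list" output on stdin and succeed only if the SSH pass rule
# (ipfw prints it as "allow ... to me dst-port 22 ... setup") carries a
# lower rule number than the blanket "deny tcp from any to any setup".
check_ssh_before_deny() {
    awk '
        $2 == "allow" && / to me / && / 22 / && /setup/ && !ssh { ssh = $1 + 0 }
        $2 == "deny"  && /tcp from any to any setup/   && !deny { deny = $1 + 0 }
        END { exit (ssh && deny && ssh < deny) ? 0 : 1 }
    '
}

# Reload without rebooting: the rc script flushes the old set and rebuilds
# it from rc.firewall, so ipfw.ko never has to be unloaded (unloading it
# would also drop all filtering while the module is out). Run this from the
# console, or arm the safety net below first if you must do it over SSH.
reload_rules() {
    /etc/rc.d/ipfw restart
}

# Disable filtering after $1 seconds unless the returned PID is killed, so a
# mistake in the new rule set cannot lock you out of a remote machine.
# Usage: pid=$(arm_safety_net 120); reload_rules; then kill "$pid" once a
# fresh SSH login succeeds.
arm_safety_net() {
    secs="${1:-120}"
    nohup sh -c "sleep $secs; sysctl net.inet.ip.fw.enable=0" >/dev/null 2>&1 &
    echo $!
}

# Constructed "ipfw list" excerpts (not captured from a real host) in the
# shape the client profile produces. In the first the SSH rule was pasted
# after the blanket deny; in the second it sits above it.
LISTING_WRONG='00500 allow tcp from any to any established
00700 allow tcp from any to me dst-port 25 setup
00800 allow tcp from 192.168.0.5 to any setup
00900 deny tcp from any to any setup
01000 allow tcp from 198.51.100.7 to me dst-port 22 in setup
65535 deny ip from any to any'

LISTING_RIGHT='00500 allow tcp from any to any established
00700 allow tcp from any to me dst-port 25 setup
00800 allow tcp from 198.51.100.7 to me dst-port 22 in setup
00900 allow tcp from 192.168.0.5 to any setup
01000 deny tcp from any to any setup
65535 deny ip from any to any'

# Report whether a listing has the SSH rule in a reachable position.
report_order() {
    if printf '%s\n' "$2" | check_ssh_before_deny; then
        echo "$1: ssh rule precedes the deny-setup rule (reachable)"
    else
        echo "$1: ssh rule is below the deny-setup rule (never matched)"
    fi
}

# Stand-alone demo: print the rule, then check both constructed listings.
ssh_rules 198.51.100.7
report_order wrong "$LISTING_WRONG"
report_order right "$LISTING_RIGHT"
```

On a live box, run `ipfw list | check_ssh_before_deny` after reloading to confirm the ordering; the dry-run default prints exactly the command rc.firewall would execute, so the output can be compared against the rule you pasted into the client section.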