From owner-freebsd-questions@FreeBSD.ORG Thu Apr 20 00:28:27 2006
From: Drew Tomlinson
To: Noah Silverman
Cc: freebsd-questions@freebsd.org
Date: Wed, 19 Apr 2006 17:28:20 -0700
Subject: Re: IPFW Problems
Message-ID: <4446D5A4.8030502@mykitchentable.net>
In-Reply-To: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com>

On 4/17/2006 2:29 PM Noah Silverman wrote:
> Hi,
>
> I have a system with a 4.11 Kernel. Unless I'm doing something very
> wrong, there seems to be something odd with ipfw.
>
> Take the following rules:

I assume above this you have "ipfw add check-state" defined? This is the
rule that's required to get ipfw to check its dynamic rule set. Without
it, "keep-state" rules will never work.

> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> src-addr 2

I think this line is your problem. "setup" matches the initial packet
with the syn flag set. However, since you have not added "keep-state",
no rule gets added to the dynamic rule set for this connection.
Subsequent packets don't match because "syn" is not set. Thus they hit
rule 499 and are denied.

> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being triggered
> by an attempted incoming connection.
>
> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2?? If so, how do I do that?

Add 'ipfw2=TRUE' to /etc/make.conf. Then the next time you build world
and kernel, you'll have ipfw2. There's probably a way to just recompile
the ipfw part but I've always just done the whole thing.

HTH,

Drew

-- 
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books, & More!
http://www.alchemistswarehouse.com
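Added example, not code from the thread or from FreeBSD: a small Python lint that reads ipfw rule lines in the form posted above and flags the two points the reply raises, a ruleset that uses keep-state or limit but has no check-state rule, and a setup rule that creates no dynamic state, so only the SYN would ever match it. It treats limit as state-creating, as ipfw(8) does; the parse_rule and lint helpers and the finding names are this example's own assumptions.

```python
import re  # added example: hypothetical lint, not part of FreeBSD/ipfw

# Options that make a rule add an entry to the dynamic rule set.
# 'limit' implies keep-state in ipfw(8), so it counts as stateful too.
STATEFUL_OPTS = {"keep-state", "limit"}
RULE_RE = re.compile(r"^\s*ipfw\s+add\s+(\d+)\s+(\S+)(.*)$")


def parse_rule(line):
    """Parse 'ipfw add NNN action body...' into a dict, or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    number, action, rest = m.groups()
    tokens = set(rest.split())
    return {"number": int(number), "action": action,
            "stateful": bool(STATEFUL_OPTS & tokens),
            "setup": "setup" in tokens}


def lint(lines):
    """Return (finding, rule_number) pairs in rule-number order."""
    rules = sorted((r for r in map(parse_rule, lines) if r),
                   key=lambda r: r["number"])
    findings = []
    first_stateful = next((r for r in rules if r["stateful"]), None)
    has_check_state = any(r["action"] == "check-state" for r in rules)
    # check-state is the rule that consults the dynamic rule set; a
    # ruleset with keep-state/limit rules but no check-state is flagged.
    if first_stateful and not has_check_state:
        findings.append(("missing-check-state", first_stateful["number"]))
    for r in rules:
        # 'setup' matches only the SYN; the rest of the flow can only be
        # matched through a dynamic entry, which only a stateful rule adds.
        if r["setup"] and not r["stateful"]:
            findings.append(("setup-without-state", r["number"]))
    return findings


# The ruleset posted in the thread, transcribed as sample input.
THREAD_RULES = [
    "ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state",
    "ipfw add 00299 deny log all from any to any out via bge0",
    "ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2",
    "ipfw add 00499 deny log all from any to any in via bge0",
]
# Same ruleset with the check-state rule the reply recommends added first.
FIXED_RULES = ["ipfw add 00100 check-state"] + THREAD_RULES
```

Running lint(THREAD_RULES) reports the missing check-state at the first stateful rule (280), and lint(FIXED_RULES) reports nothing.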