From: dfolkins <dfolkins@comcast.net>
Date: Wed, 18 Sep 2002 16:56:32 -0400
Subject: Re: ipfw rulesets
To: Incoming Mail List, questions@freebsd.org
Message-id: <001001c25f55$de3b91e0$0a00a8c0@groovy3xp>
References: <200209181813.OAA10044@whoweb.com>

From: "Incoming Mail List"
Sent: Wednesday, September 18, 2002 2:13 PM
Subject: ipfw rulesets

> Can anyone tell me why the following ruleset does NOT allow telnet sessions?
>
> allow tcp from any to any 23
>
> The only way I can get it to work is by adding,
>
> allow tcp from any to any established
>
> Isn't the format of the first rule supposed to allow incoming and outgoing
> packets on port 23?

No. Sorry to disappoint. :) What the first rule says is "allow packets FROM any host [any port assumed] TO any host port 23."

That is all very nice. However, a telnet session consists of two types of packets in this respect. First, the outgoing packets from the client, which are exactly what the rule above allows, and second are the response packets from the server, and it is those that the first rule ignores. A return packet is like this: "FROM any port 23 TO any host [certain port range]". Notice that this return packet is not going to be let through by the firewall, and therefore you will not be able to get the telnet session going.

What your second rule (the one with "established" in it) does is, it allows all packets to go through which have the "ack" bit set (established simply means 'check to see if the ack bit is set in the packet'). Since all tcp packet responses from the telnet server will have the ack bit set, the responses from the server (the ones that the first rule does not allow) will be allowed by the second rule.

As an aside, if you want the first rule to allow incoming and outgoing, you wanna add "keep-state" to your rule, like this:

allow tcp from any to any 23 keep-state

or better yet

allow tcp from any to any 23 out keep-state

but this is a whole other can of worms. For more detail, you could always do a "man ipfw".

--
dfolkins
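As an added illustration (not part of the thread), here is a small Python model of ipfw's first-match evaluation run over a constructed telnet handshake. It shows why the stateless port-23 rule drops the server's SYN+ACK, how "established" lets it through, and that "established" also passes an unrelated packet that merely has the ACK bit set, which keep-state does not. The addresses, ports and packet tuples are constructed for the example; the matcher is a simplification of ipfw, not its code.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    text: str                  # the ipfw rule as typed, for readability
    dst_port: int = None       # None means "any"
    established: bool = False  # ipfw "established": match only if ACK set
    keep_state: bool = False   # ipfw "keep-state": remember the flow on match

@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)  # flows recorded by keep-state

    def allows(self, src, sport, dst, dport, flags):
        # A flow recorded by keep-state is allowed in both directions
        # before the static rules are consulted (like ipfw's check-state).
        if (src, sport, dst, dport) in self.dynamic or \
           (dst, dport, src, sport) in self.dynamic:
            return True
        for r in self.rules:  # first matching rule decides
            if r.dst_port is not None and r.dst_port != dport:
                continue
            if r.established and "A" not in flags:  # real ipfw also takes RST
                continue
            if r.keep_state:
                self.dynamic.add((src, sport, dst, dport))
            return True
        return False  # no rule matched: implicit deny

# Constructed traffic: telnet client 10.0.0.2:40000 -> server 10.0.0.1:23,
# followed by an unrelated packet with ACK set from a third host.
CLIENT, SERVER, OTHER = "10.0.0.2", "10.0.0.1", "192.0.2.9"
PACKETS = [
    (CLIENT, 40000, SERVER, 23, "S"),   # client SYN, dst port 23
    (SERVER, 23, CLIENT, 40000, "SA"),  # server SYN+ACK, dst port 40000
    (CLIENT, 40000, SERVER, 23, "A"),   # client ACK
    (OTHER, 31337, CLIENT, 4444, "A"),  # stray ACK to a random port
]

# The three rulesets discussed in the reply.
STATELESS_ONLY = [Rule("allow tcp from any to any 23", dst_port=23)]
WITH_ESTABLISHED = STATELESS_ONLY + [
    Rule("allow tcp from any to any established", established=True)]
WITH_KEEP_STATE = [Rule("allow tcp from any to any 23 keep-state",
                        dst_port=23, keep_state=True)]

def run(rules):
    # Verdict (True = allowed) for each packet in PACKETS under the ruleset.
    fw = Firewall(rules)
    return [fw.allows(*pkt) for pkt in PACKETS]
```

Under STATELESS_ONLY the second packet (the server's reply) is denied; WITH_ESTABLISHED passes all four, including the stray ACK; WITH_KEEP_STATE passes the handshake but still denies the stray packet.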