From owner-freebsd-questions@FreeBSD.ORG Thu Apr 6 19:09:55 2006
From: RW
To: freebsd-questions@freebsd.org
Date: Thu, 6 Apr 2006 18:06:43 +0100
Subject: Re: ipfw and ssh
References: <7DF2083F-A039-495E-8FAC-E6C9D8AA6391@gmail.com>
In-Reply-To: <7DF2083F-A039-495E-8FAC-E6C9D8AA6391@gmail.com>
Message-Id: <200604061806.45538.list-freebsd-2004@morbius.sent.com>

On Thursday 06 April 2006 02:50, Anthony M. Agelastos wrote:
> Hello everyone,
>
> Allow me to preface my problem by saying that I am very ignorant when
> it comes to networking. I do apologize if this is trivial. In any
> event, I enabled the "client" ipfw firewall located in
> /etc/rc.firewall. This appears to work well for my needs... except for
> one additional item. I need someone outside of my network to have SSH
> access to my machine. I know his/her IP address. So, I have added some
> additional items to rc.firewall for this. Here is what I added.
>
> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx"
> ${fwcmd} add allow tcp from any to any 22 out setup keep-state
> ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2

The client script is set up to handle TCP by static rules. If you want to mix static and dynamic TCP rules (i.e. limits) you will need to add a check-state line before the comment "Allow TCP through if setup succeeded"; otherwise your dynamic rules will never see any established traffic and will time out.

Also there is a static rule already to allow all outgoing TCP connections, so you don't need a stateful one for port 22.

However, none of the above should prevent an ssh login. If I were you I'd start with just:

${fwcmd} add pass tcp from any to any ssh setup

and work from there. You need to be methodical when troubleshooting firewalls.
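As an added illustration of the check-state ordering described in the reply (this is not code from the thread or from FreeBSD's own /etc/rc.firewall), the sketch below prints the relevant TCP rules of the "client" profile with the stateful SSH rule mixed in. It assumes fwcmd defaults to "echo" so the rules are printed rather than loaded (rc.firewall uses "/sbin/ipfw -q"), and mip is a constructed sample address.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD's
# own /etc/rc.firewall: a dry run of the rule ordering RW describes.
# Assumption: fwcmd defaults to "echo" so rules are printed, not loaded
# (rc.firewall uses "/sbin/ipfw -q"); mip is a constructed sample address.
fwcmd="${fwcmd:-echo}"
mip="${mip:-192.0.2.10}"   # constructed (TEST-NET-1), stands in for xxx.xxx.xxx.xxx

# Sketch of the "client" profile's TCP rules with the stateful SSH rule
# mixed in.  check-state goes BEFORE the static "established" rule;
# otherwise packets of an established SSH session are passed by that
# static rule, the dynamic entry is never refreshed, and it times out.
client_ssh_rules() {
    # Hand packets of existing sessions to the dynamic rule table first
    ${fwcmd} add check-state

    # Allow TCP through if setup succeeded (static rule already in the profile)
    ${fwcmd} add pass tcp from any to any established

    # Stateful limit rule for the one trusted source, as in the question
    ${fwcmd} add pass tcp from "${mip}" to me 22 setup limit src-addr 2

    # Allow setup of outgoing TCP connections only (already in the profile,
    # so no separate keep-state rule is needed for outbound port 22)
    ${fwcmd} add pass tcp from me to any setup

    # Disallow setup of all other TCP connections
    ${fwcmd} add deny tcp from any to any setup
}

# Returns 0 when check-state precedes the established rule in the output,
# 1 otherwise; a quick sanity check before loading the real ruleset
check_state_before_established() {
    client_ssh_rules | awk '
        /check-state/ { cs = NR }
        /established/ { est = NR }
        END { exit !(cs && est && cs < est) }'
}

client_ssh_rules
```

Run it as-is to see the rule order, or with `fwcmd="/sbin/ipfw -q"` on a FreeBSD host to load the same rules for real.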