From owner-freebsd-questions@FreeBSD.ORG Sun Dec 28 08:34:50 2003
From: "Drew Robertson" <the_brothel@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: IPFW Rule set question...
Date: Sun, 28 Dec 2003 16:34:32 +0000
List-Id: User questions <freebsd-questions@freebsd.org>

Thanks for your reply. I don't understand what you mean when you say NAT modifications... meaning how the packets are changed on the gateway to allow them to be seen as transparent from behind?

When I do a netstat -an while connected remotely it shows the connection on SSH as coming from 203.10.10.38, but when I add a rule to allow everything from that net it still won't allow access... I did add the rule before the divert, but I still couldn't connect until I added an allow all manually...
I also tried opening up the ssh port to everyone, with allow tcp from any to me 22 via tl0, but that wouldn't allow a connection either... It's a bit confusing...

Thanks again,
D

>From: Lowell Gilbert
>Reply-To: freebsd-questions@freebsd.org
>To: "Drew Robertson"
>CC: freebsd-questions@freebsd.org
>Subject: Re: IPFW Rule set question...
>Date: 24 Dec 2003 16:43:49 -0500
>
>"Drew Robertson" writes:
>
> > I have enabled SSH, TELNET and FTP on my FreeBSD 4.8 box at home... it
> > is dual homed, 2 NICs, one for the internal LAN, one running my cable
> > modem. Everything works fine on the internal side.
> >
> > When accessing the box using any of those apps from work, the system
> > looks to briefly connect and then returns a "Connection Lost" or
> > "Connection closed by remote host" error.
> >
> > The command setup to allow in access is as follows...
> >
> > 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> > 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
>
>I assume these are supposed to have "keep-state" in them.
>It *is* written that way in the full ruleset you posted lower down.
>
> > when this didn't work I added another command at the start of the
> > ruleset to just let everything in from a particular IP address range...
> >
> > 202 allow ip from 203.10.10.0/24 to any
> >
> > however this produced the same error...
> >
> > It wasn't until I allowed all from any to any that I was able to
> > connect...
>
>Then the packets aren't actually being seen as coming from that
>address. Maybe you're running into NAT modifications?
>
> > When checking out the security log, it tells me that rule 820 is
> > allowing access to my computer at home...
>
>But only for SYN packets...
>
>--
>Lowell Gilbert, embedded/networking software engineer, Boston area:
> resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
> username/password "public"
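Lowell's remark that rule 820 as written passes "only SYN packets" is easiest to see with a small model of how ipfw walks a ruleset. The following is an added example, not code from the thread or from ipfw: it simulates a "setup" rule with and without "keep-state" against a constructed SSH handshake, and treats "limit src-addr N" as a simplified per-source cap on the dynamic entries a keep-state rule creates (packet fields, rule syntax and the final deny are all reduced to the minimum needed).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dport: int
    syn: bool   # TCP SYN flag set
    ack: bool   # TCP ACK flag set

@dataclass
class Rule:
    num: int
    action: str                  # "allow" or "deny"
    dport: Optional[int] = None  # destination port to match, None = any
    setup: bool = False          # ipfw "setup": SYN without ACK only
    keep_state: bool = False     # ipfw "keep-state": record a dynamic entry
    limit: Optional[int] = None  # simplified "limit src-addr N" (assumption)

def evaluate(rules, packets):
    """Return [(rule_number, verdict)] for each packet, in order."""
    dyn = set()  # dynamic entries keyed by (src, sport, dport)
    verdicts = []
    for p in packets:
        key = (p.src, p.sport, p.dport)
        verdict = None
        for r in rules:
            # A keep-state rule consults the dynamic table before its own
            # match, so later packets of a known flow are accepted here.
            if r.keep_state and key in dyn:
                verdict = (r.num, "allow")
                break
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.setup and not (p.syn and not p.ack):
                continue  # a non-SYN segment never matches a setup rule
            if r.keep_state:
                if r.limit is not None and sum(k[0] == p.src for k in dyn) >= r.limit:
                    verdict = (r.num, "deny")  # per-source limit reached
                    break
                dyn.add(key)
            verdict = (r.num, r.action)
            break
        verdicts.append(verdict or (65535, "deny"))  # implicit default deny
    return verdicts

# Constructed sample flow: the SYN of an SSH connection from the poster's
# work address, followed by a plain data segment (ACK set, SYN clear).
SSH = [Pkt("203.10.10.38", 40000, 22, syn=True, ack=False),
       Pkt("203.10.10.38", 40000, 22, syn=False, ack=True)]
RULE_820_NO_STATE = [Rule(820, "allow", dport=22, setup=True), Rule(65000, "deny")]
RULE_820_KEEP_STATE = [Rule(820, "allow", dport=22, setup=True, keep_state=True,
                            limit=4), Rule(65000, "deny")]
```

With the stateless ruleset the SYN is logged as allowed by 820 while the very next segment of the same connection falls through to the deny, which matches the "briefly connects, then closed" symptom; with keep-state both segments are accepted by 820.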