Date:      Mon, 21 Aug 2006 13:15:05 -0400
From:      Michael Proto <mike@jellydonut.org>
To:        SigmaX asdf <fydernix@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: IPFW rules
Message-ID:  <44E9EA19.5040509@jellydonut.org>
In-Reply-To: <c04d7e300608210842u33ec9e86gaa2d98deab69b145@mail.gmail.com>
References:  <c04d7e300608210842u33ec9e86gaa2d98deab69b145@mail.gmail.com>

SigmaX asdf wrote:
> I'm trying to set up IPFW to block all ports except those I specify.
> For starters I'm just opening SSH.
> 
> # ipfw list
> 00050 divert 8668 ip4 from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00301 allow log tcp from any to any dst-port 22
> 00399 deny ip from any to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> Traffic is still blocked on port 22 -- I can't login via SSH.  What am
> I doing wrong, and what rule should I be using to allow SSH in and
> through?
> 

You need to allow the return traffic. Either something like:

ipfw add 1 allow tcp from any to any established

or:

ipfw add 1 check-state

and change your port 22 rule to read

ipfw add 301 allow log tcp from any to any dst-port 22 keep-state


(check the ipfw(8) man page to be sure, I haven't touched ipfw rules in
a long time and my above syntax may be a bit buggy)


-Proto



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44E9EA19.5040509>