Date:      Tue, 30 Sep 2003 16:54:40 +0200
From:      des@des.no (Dag-Erling Smørgrav)
To:        echelon <e_chelon@yahoo.com>
Cc:        Darren Reed <avalon@caligula.anu.edu.au>
Subject:   Re: IPFILTER_DEFAULT_BLOCK & No route to host
Message-ID:  <xzpzngm9vin.fsf@dwp.des.no>
In-Reply-To: <20030930112325.48361.qmail@web41204.mail.yahoo.com> (e_chelon@yahoo.com's message of "Tue, 30 Sep 2003 04:23:25 -0700 (PDT)")
References:  <20030930112325.48361.qmail@web41204.mail.yahoo.com>

echelon <e_chelon@yahoo.com> writes:
> However, I use the following rules for the internal network interface (xl1)
>
> # Group 9000 (internal network interface)
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> pass in quick on xl1 all group 9000
>
> With these rules, I believe I should able to ping and SSH the
> freebsd box from my internal network no matter the option
> IPFILTER_DEFAULT_BLOCK is set or not.

You're only letting traffic *in*.  You're not letting anything *out*.
TCP, like love, is a two-way street.

DES
-- 
Dag-Erling Smørgrav - des@des.no
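To make the point concrete, here is an added example of a ruleset for xl1 that also lets the replies out. It is not from the original thread or from either poster; the host address 192.168.1.1, the internal subnet 192.168.1.0/24 and the rule ordering are assumptions, and the poster's `head 9000` rule is not shown on the page, so this example drops the group and writes the rules flat. With IPFILTER_DEFAULT_BLOCK the kernel drops every packet that matches no rule in either direction, so the SYN-ACK that sshd sends back (and the ICMP echo reply) never leaves the box even though the inbound SYN was passed.

```conf
# Added example /etc/ipf.rules fragment for xl1 (assumed host 192.168.1.1,
# internal subnet 192.168.1.0/24). Not the original poster's configuration.

# As posted: only inbound rules exist on xl1.
block return-rst in log quick on xl1 proto tcp from any to 192.168.1.1/32 port = 23
block return-rst in log quick on xl1 proto tcp from any to 192.168.1.1/32 port = 21

# Fix 1 (stateful): an inbound SYN to ssh, or an inbound echo request,
# creates a state entry, and the outbound replies are matched against the
# state table before any rule, including the compiled-in default block.
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 22 flags S keep state
pass in quick on xl1 proto icmp from 192.168.1.0/24 to 192.168.1.1/32 icmp-type 8 keep state

# Remaining inbound traffic on the internal interface, as in the posted rules.
pass in quick on xl1 all

# Fix 2 (stateless): the rule that was missing altogether. Without a pass
# out rule, IPFILTER_DEFAULT_BLOCK discards every packet the box originates
# on xl1, including TCP replies to connections the rules above accepted.
pass out quick on xl1 all
```

Either fix alone is enough for ssh and ping from the internal network to work; the stateful form is the tighter one because it only lets out packets that belong to a connection the inbound rules already accepted. After editing, reload with `ipf -Fa -f /etc/ipf.rules` and watch `ipmon` while connecting: under the posted rules the log shows the outbound SYN-ACK being blocked, not the inbound SYN.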



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpzngm9vin.fsf>