From owner-freebsd-questions@FreeBSD.ORG Thu Mar 11 13:55:43 2004
Date: Thu, 11 Mar 2004 15:55:40 -0600
From: "Kevin D. Kinsey, DaleCo, S.P."
To: whizkid@ValueDJ.com
cc: freebsd-questions@freebsd.org
Subject: Re: IPFW problems connecting to port 25!
Message-ID: <4050E05C.2010302@daleco.biz>
In-Reply-To: <27211.208.253.246.93.1079041583.squirrel@www.ValueDJ.com>

whizkid@ValueDJ.com wrote:

> [snip]
>
>> You do have a rule for established connections?
>>
>> Kevin Kinsey
>> DaleCo S.P.
>
> You know, the only rule I have for that is
>
> add 60000 deny log tcp from any to any established
>
> I am assuming this is incorrect?

Aye, there's the rub.
Last rule is usually "deny ip from any to any"; somewhere above that, but after the setup rules, is "allow ip from any to my.ip.add.ress established"* ... it does no good to allow the setup packets but no further data....

Kevin Kinsey
DaleCo S.P.

* Instead of "allow ip" this could conceivably be protocol specific, e.g. if you only have tcp services available, "allow tcp from any to {me} established"
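To make the ordering point concrete, here is an added example (not part of the mail, and not real ipfw) that models ipfw's first-match evaluation just far enough to compare the poster's ruleset with the one Kevin describes; the addresses 192.0.2.25 (standing in for my.ip.add.ress) and 198.51.100.7 are constructed, and "established" is simplified to "any TCP packet that is not a pure SYN".

```python
from collections import namedtuple

MY_IP = "192.0.2.25"  # constructed stand-in for my.ip.add.ress
Packet = namedtuple("Packet", "src dst dport syn ack")

def matches(rule, pkt):
    """Toy ipfw matcher for '<num> <action> [log] <proto> from <src> to <dst> [port] [setup|established]'."""
    w = rule.split()
    i = 3 if w[2] == "log" else 2  # skip rule number, action and optional 'log'
    proto, src, dst, rest = w[i], w[i + 2], w[i + 4], w[i + 5:]
    port = next((int(x) for x in rest if x.isdigit()), None)
    flag = next((x for x in rest if x in ("setup", "established")), None)
    pure_syn = pkt.syn and not pkt.ack  # ipfw 'setup' = SYN set, ACK clear
    return (proto in ("ip", "tcp")  # only the two protocols the mail mentions
            and src in ("any", pkt.src)
            and dst in ("any", pkt.dst)
            and (port is None or port == pkt.dport)
            and (flag != "setup" or pure_syn)
            and (flag != "established" or not pure_syn))  # simplified: anything but a pure SYN

def verdict(rules, pkt):
    """First matching rule decides, as in ipfw; nothing matched means the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.split()[1]
    return "deny"

# The poster's situation: setup packets to SMTP get in, then rule 60000 drops the rest.
BROKEN = [
    "100 allow tcp from any to 192.0.2.25 25 setup",
    "60000 deny log tcp from any to any established",
    "65000 deny ip from any to any",
]
# Kevin's ordering: allow established traffic to my address above the final deny.
FIXED = [
    "100 allow tcp from any to 192.0.2.25 25 setup",
    "200 allow ip from any to 192.0.2.25 established",
    "65000 deny ip from any to any",
]

def smtp_session(rules, client="198.51.100.7"):
    """Verdicts for a client's SYN, the ACK finishing the handshake, and a data segment."""
    pkts = [Packet(client, MY_IP, 25, syn=True, ack=False),
            Packet(client, MY_IP, 25, syn=False, ack=True),
            Packet(client, MY_IP, 25, syn=False, ack=True)]
    return [verdict(rules, p) for p in pkts]

if __name__ == "__main__":
    print("broken:", smtp_session(BROKEN))  # ['allow', 'deny', 'deny']
    print("fixed: ", smtp_session(FIXED))   # ['allow', 'allow', 'allow']
```

An unsolicited SYN to a port with no setup rule is still denied under FIXED, so moving the established rule up does not open anything the setup rules did not already admit.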