From: "Jack L. Stone" <jackstone@sage-one.net>
To: "Joe Smith", freebsd-questions@FreeBSD.ORG
Date: Sun, 04 Aug 2002 17:03:42 -0500
Subject: Re: IPFW Question

At 03:46 PM 8.4.2002 -0600, Joe Smith wrote:
>I am new to IPFW and I was just experimenting with it today and I am running
>into a problem. I have a FreeBSD 4.5 machine sitting between the Internet
>and my local network. The inside interface on the BSD machine is tx0 and all
>my internal machines have IP addresses of 192.168.1.x. When I load this
>ruleset, my SSH connection gets killed. I am trying to allow SSH connections
>from my internal network. Any suggestions? Thanks
>
># Suck in the configuration variables.
>if [ -z "${source_rc_confs_defined}" ]; then
>        if [ -r /etc/defaults/rc.conf ]; then
>                . /etc/defaults/rc.conf
>                source_rc_confs
>        elif [ -r /etc/rc.conf ]; then
>                . /etc/rc.conf
>        fi
>fi
>
>fwcmd="/sbin/ipfw"
>
>oif="de0"
>
>iif="tx0"
>
>############
># Flush out the list before we begin.
>#
>${fwcmd} -f flush
>
>############
># Network Address Translation. All packets are passed to natd(8)
># before they encounter your remaining rules. The firewall rules
># will then be run again on each packet after translation by natd
># starting at the rule number following the divert rule.
>#
>${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
>
>############
># Only in rare cases do you want to change these rules
>#
>${fwcmd} add 100 allow all from any to any via lo0
>${fwcmd} add 200 deny all from any to 127.0.0.0/8
>${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
>#SSH
>${fwcmd} add 400 allow tcp from 192.168.1.0/24 22 to any via ${iif}
>${fwcmd} add 401 allow udp from 192.168.1.0/24 22 to any via ${iif}
>
>${fwcmd} add 65000 deny all from any to any
>

This one rule works for me:

${fwcmd} add pass log tcp from any to any 22 in via ${iif} setup

Best regards,

Jack L. Stone,
Administrator
SageOne Net
http://www.sage-one.net
jackstone@sage-one.net