From: "Michael Richards"
To: rsimmons@wlcg.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Letting scp through a firewall using ipfilter
Date: Fri, 22 Jun 2001 15:52:02 -0400 (EDT)

> Are you keeping state on the connection?

Yes, this was the problem with the ssh, but I'm concerned about the rules
to solve the problem I came up with. Here are the rules:

    pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
    pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
    pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
    pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
    block in log quick on xl1 proto tcp from any to 216.1.2.3/28

As you can see this machine is only allowed to accept connections on ssh,
http and https. Everything else from the outside should be logged and
discarded.

The trouble here is that I don't need to keep state on anything but
outgoing connections. For example, if I want to wget or ftp a file in or
anything like that.

I don't want to keep state on the web connections as it will probably
unnecessarily load the firewall and not accomplish anything since those
connections are permitted. Have I done this correctly or botched it?

-Michael
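An added illustration, not part of Michael's post or of ipfilter itself: a small Python model of ipf's first-match ("quick") evaluation and its state table, run over the five posted rules with constructed packets (the peer addresses 10.0.0.5 and 203.0.113.9 are made up). It simplifies ipf by creating state only on the initial SYN and treats 216.1.2.3/28 as the network that prefix denotes.

```python
from ipaddress import ip_address, ip_network

# The host's network as written in the rules (ipf reads 216.1.2.3/28 as 216.1.2.0/28).
LOCAL = ip_network("216.1.2.3/28", strict=False)

# The five posted rules in order, all "quick" on xl1 for proto tcp:
# (action, direction, destination port or None for any, keep state, log)
RULES = [
    ("pass", "out", None, True, False),
    ("pass", "in", 22, False, False),
    ("pass", "in", 80, False, False),
    ("pass", "in", 443, False, False),
    ("block", "in", None, False, True),
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # sessions as (local ip, local port, remote ip, remote port)
        self.log = []       # what the "log" keyword would hand to ipmon

    def filter(self, direction, src, sport, dst, dport, syn=False):
        # ipf consults the state table before the rule list, so packets of an
        # established session never reach the rules at all.
        key = (src, sport, dst, dport) if direction == "out" else (dst, dport, src, sport)
        if key in self.state:
            return "pass (state)"
        for action, rdir, port, keep_state, log in self.rules:
            if rdir != direction:
                continue
            # "from 216.1.2.3/28" on out rules, "to 216.1.2.3/28" on in rules
            if ip_address(src if direction == "out" else dst) not in LOCAL:
                continue
            if port is not None and port != dport:
                continue
            if log:
                self.log.append(f"{direction} {src}:{sport} -> {dst}:{dport}")
            if action == "pass" and keep_state and syn:
                self.state.add(key)  # simplification: state is created on the SYN only
            return action            # "quick": the first matching rule decides
        return "pass"                # ipf passes a packet that matches no rule

if __name__ == "__main__":
    fw = Firewall(RULES)
    # An outbound wget from the host creates state; the server's reply rides on it.
    print(fw.filter("out", "216.1.2.3", 51000, "10.0.0.5", 80, syn=True))   # pass
    print(fw.filter("in", "10.0.0.5", 80, "216.1.2.3", 51000))              # pass (state)
    # The same reply with no state entry matches no pass rule: blocked and logged.
    print(Firewall(RULES).filter("in", "10.0.0.5", 80, "216.1.2.3", 51000))  # block
```

The trace shows why the outbound rule needs "keep state" while the inbound 22/80/443 rules do not: the reply to a host-initiated fetch arrives with a source port of 80 and a random destination port, which no static inbound rule covers.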