Date: Fri, 22 Jun 2001 16:01:10 -0400 (EDT)
From: Rob Simmons
To: Michael Richards
Subject: Re: Letting scp through a firewall using ipfilter
In-Reply-To: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>
Message-ID: <20010622155557.R22932-100000@mail.wlcg.com>
List: freebsd-security@freebsd.org

Here is a pair of rules that work:

  pass in quick on fxp6 proto tcp from any to 192.168.0.0/24 port = 22 flags S keep state keep frags
  pass out quick on fxp0 proto tcp from any to 192.168.0.0/24 port = 22 keep state

fxp6 is my outside interface and fxp0 is my inside interface. I have 5
other inside interfaces, but they all have the same pair of rules; they
just have different IP subnets.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 22 Jun 2001, Michael Richards wrote:

> > Are you keeping state on the connection?
>
> Yes, this was the problem with the ssh, but I'm concerned about the
> rules to solve the problem I came up with. Here are the rules:
>
>   pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
>   pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
>   pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
>   pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
>   block in log quick on xl1 proto tcp from any to 216.1.2.3/28
>
> As you can see, this machine is only allowed to accept connections on
> ssh, http and https. Everything else from the outside should be
> logged and discarded.
>
> The trouble here is that I don't need to keep state on anything but
> outgoing connections, for example if I want to wget or ftp a file in
> or anything like that. I don't want to keep state on the web
> connections, as it will probably unnecessarily load the firewall and
> not accomplish anything since those connections are permitted.
>
> Have I done this correctly or botched it?
>
> -Michael
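Both rulesets above depend on ipfilter's evaluation order (last match wins, unless a matching rule says "quick", which stops evaluation at once; no match means pass) and on "flags S" limiting state creation to the initial SYN. The following is an added example, not code from either poster: a small Python simulator of that order, run over Rob's two rules plus a constructed catch-all block rule modelled on Michael's, with constructed packets. It understands only the keywords used in the thread, treats "port = N" after the "to" clause as the destination port, and ignores "log" and "keep frags".

```python
import ipaddress

# Rob's two rules from the mail, plus a constructed catch-all block rule
# (modelled on Michael's "block in log quick") so that inbound packets on
# the outside interface which match nothing do not get ipfilter's implicit pass.
RULES_TEXT = """
pass in quick on fxp6 proto tcp from any to 192.168.0.0/24 port = 22 flags S keep state keep frags
pass out quick on fxp0 proto tcp from any to 192.168.0.0/24 port = 22 keep state
block in log quick on fxp6 proto tcp from any to 192.168.0.0/24
"""

def parse_rule(line):
    """Tokenise one ipf rule into the fields this simulator understands."""
    t = line.split()
    after = lambda kw, n=1: t[t.index(kw) + n] if kw in t else None
    return {
        "action": t[0], "dir": t[1], "quick": "quick" in t,
        "iface": after("on"), "proto": after("proto"),
        "src": after("from") or "any", "dst": after("to") or "any",
        "dport": int(after("port", 2)) if "port" in t else None,  # "port = N"
        "syn_only": after("flags") == "S",   # flags S: SYN set, no other flag
        "keep_state": "state" in t,          # "keep state" present
    }

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and r["dport"] in (None, pkt["dport"])
            and (not r["syn_only"] or pkt["flags"] == "S"))

def evaluate(rules, pkt):
    """Return (verdict, state_created) following ipf order: the last matching
    rule wins, except that a matching 'quick' rule ends evaluation immediately;
    a packet matching no rule at all passes."""
    verdict = ("pass", False)
    for r in rules:
        if matches(r, pkt):
            verdict = (r["action"], r["keep_state"])
            if r["quick"]:
                break
    return verdict

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def pkt(direction, iface, dst, dport, flags, src="203.0.113.7"):
    # Constructed packet; 203.0.113.0/24 is documentation address space.
    return {"dir": direction, "iface": iface, "proto": "tcp", "src": src,
            "dst": dst, "dport": dport, "flags": flags}
```

Feeding it an inbound SYN to port 22 on fxp6 yields a pass with state, a bare ACK to the same port falls through to the block rule, and an inbound packet on an interface with no rules at all shows the implicit default pass.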