Date: Fri, 22 Jun 2001 16:01:10 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: Michael Richards <michael@fastmail.ca>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Letting scp through a firewall using ipfilter
Message-ID: <20010622155557.R22932-100000@mail.wlcg.com>
In-Reply-To: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>
Here is a pair of rules that work:

pass in quick on fxp6 proto tcp from any to 192.168.0.0/24 port = 22 flags S keep state keep frags
pass out quick on fxp0 proto tcp from any to 192.168.0.0/24 port = 22 keep state

fxp6 is my outside interface and fxp0 is my inside interface. I have 5 other inside interfaces, but they all have the same pair of rules; they just have different IP subnets.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 22 Jun 2001, Michael Richards wrote:

> > Are you keeping state on the connection?
>
> Yes, this was the problem with the ssh, but I'm concerned about the
> rules to solve the problem I came up with. Here are the rules:
>
> pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
> block in log quick on xl1 proto tcp from any to 216.1.2.3/28
>
> As you can see this machine is only allowed to accept connections on
> ssh, http and https. Everything else from the outside should be
> logged and discarded.
>
> The trouble here is that I don't need to keep state on anything but
> outgoing connections. For example, if I want to wget or ftp a file in
> or anything like that. I don't want to keep state on the web
> connections as it will probably unnecessarily load the firewall and
> not accomplish anything since those connections are permitted.
>
> Have I done this correctly or botched it?
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians
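For reference, an ipfilter ruleset (ipf.conf syntax) added here as an example rather than taken from either message. It applies Rob's `flags S keep state` pattern to Michael's single-interface case, so that only a SYN can create a state entry in either direction and the state table, not a broad `pass out` rule, admits the reply packets. The interface name xl1 and the 216.1.2.3/28 subnet are the ones quoted in the thread and are assumptions here.

```conf
# ipfilter rules, added example (not from either poster).
# Assumes xl1 is the only outside interface and 216.1.2.3/28 is the
# protected subnet, as in Michael's post; adjust both to your setup.

# Connections the inside initiates: only a SYN may create state, so an
# unsolicited ACK or RST arriving from inside never opens a state entry.
pass out quick on xl1 proto tcp from 216.1.2.3/28 to any flags S keep state keep frags

# Services reachable from outside: the inbound SYN creates the state
# entry, and that entry passes the SYN/ACK and later packets in both
# directions, so no separate pass out rule is needed for the replies.
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22 flags S keep state keep frags
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80 flags S keep state keep frags
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443 flags S keep state keep frags

# Everything else arriving on the outside interface is logged and dropped.
block in log quick on xl1 all

# After loading with `ipf -Fa -f /etc/ipf.conf`, verify what is in effect:
#   ipfstat -io     rules as loaded, inbound then outbound
#   ipfstat -hio    the same with per-rule hit counters
#   ipfstat -s      state table statistics
#   ipmon -o I      watch the logged (blocked) inbound packets
```

The state entry for an inbound ssh session is what lets scp's reply traffic leave, which is why Michael's stateless `port = 22` rule only appeared to work while the wide `pass out ... keep state` rule happened to catch the replies.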