Date: Sat, 14 Feb 2004 13:15:07 -0600 From: Eric F Crist <ecrist@adtechintegrated.com> To: freebsd-questions@freebsd.org Cc: Barbish3@adelphia.net Subject: Re: IPFW ruleset not working... advice? WAS Re: Running processes... Message-ID: <200402141315.13710.ecrist@adtechintegrated.com> In-Reply-To: <20040214185845.GA66227@falcon.midgard.homeip.net> References: <MIEPLLIBMLEEABPDBIEGIEBFFLAA.Barbish3@adelphia.net> <200402141247.13325.ecrist@adtechintegrated.com> <20040214185845.GA66227@falcon.midgard.homeip.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--Boundary-02=_BPnLAAG7Q65O853 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 14 February 2004 12:58 pm, Erik Trulsson wrote: > On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote: > > Hello all, > > > > I've got the following ruleset, but I can't ssh into my server anymore.= =20 > > What did I miss? > > You missed allowing IP packets going from your server to the outside. > You only allow packets from the outside to you. > > I also think you might have misplaced the port numbers. > As it is you allow connections *from* port 25 (etc.) on the outside to > any port on your machine. I believe you want it the other way around > (i.e. allowing connections *to* port 25 on your machine from anywhere on > the outside.) > > > grog# ipfw show > > 00100 0 0 allow ip from any to any via lo0 > > 00200 0 0 deny ip from any to 127.0.0.0/8 > > 00300 0 0 deny ip from 127.0.0.0/8 to any > > 00400 7 1562 allow ip from 1.2.3.4/29 to me > > 00500 0 0 allow ip from any 22 to me > > 00600 0 0 allow ip from any 21 to me > > 00700 0 0 allow ip from any 25 to me > > 00800 0 0 allow ip from any 80 to me > > 00900 0 0 allow ip from any 443 to me > > 01000 0 0 allow ip from any 110 to me > > 01100 0 0 allow ip from any 53 to me > > 01200 0 0 allow ip from any 6667 to me > > 01300 0 0 allow ip from any 6668 to me > > 01400 0 0 deny ip from not 1.2.3.4/29 8080 to me > > 65535 101 13960 deny ip from any to any > > > > Thanks. > > > > -- > > Eric F Crist > > AdTech Integrated Systems, Inc > > (612) 998-3588 Hey, thanks! I changed all the rules so they read: allow ip from any to me <port> and added the rule: allow ip from me to any at rule 50 All seems to work now! Does anyone have any suggestions on how to make thi= s=20 system even tighter? Thanks. =2D-=20 Eric F Crist AdTech Integrated Systems, Inc (612) 998-3588 --Boundary-02=_BPnLAAG7Q65O853 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQBALnPBzdyDbTMRQIYRAsb/AJ9mw5XjnflOjiqTq23dvrgkjh9E3ACghpyS fivuiZXXKFIR6AcMBCGAwq8= =2eZn -----END PGP SIGNATURE----- --Boundary-02=_BPnLAAG7Q65O853--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200402141315.13710.ecrist>