Date: Fri, 22 Jun 2001 22:09:05 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Michael Richards <michael@fastmail.ca>
Cc: rsimmons@wlcg.com, freebsd-security@FreeBSD.ORG
Subject: Re: Letting scp through a firewall using ipfilter
Message-ID: <20010622220905.B2061@blossom.cjclark.org>
In-Reply-To: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>; from michael@fastmail.ca on Fri, Jun 22, 2001 at 03:52:02PM -0400
References: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>
On Fri, Jun 22, 2001 at 03:52:02PM -0400, Michael Richards wrote:
> > Are you keeping state on the connection?
>
> Yes, this was the problem with the ssh, but I'm concerned about the
> rules to solve the problem I came up with. Here are the rules:
>
> pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
> block in log quick on xl1 proto tcp from any to 216.1.2.3/28

This is not your complete ruleset. I wonder if something is happening
before you reach that keep state rule.

Also, the log of the dropped packet we saw was a RST packet. The
connection looked like it was having problems without the firewall
getting in the way.

-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
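For reference, here is what a fully stateful version of the quoted ruleset looks like. This is an added example written for this archive page, not a ruleset posted by either participant in the thread; it assumes the same interface (xl1) and address block (216.1.2.3/28) as the quoted rules, and it keeps state on the inbound service rules as well as the outbound rule so that every packet of an accepted session is matched by the state table rather than by a stateless rule on the return path.

```text
# Added example (not from the thread). Interface xl1 and the network
# 216.1.2.3/28 are taken from the quoted rules; adjust for your site.

# Outbound connections initiated from the inside. "flags S" means a state
# entry is created only on the initial SYN, so a stray ACK or RST arriving
# later cannot seed a state entry on its own.
pass out quick on xl1 proto tcp from 216.1.2.3/28 to any flags S keep state

# Inbound services. Keeping state here means the SYN-ACK and data going
# back out are matched against the state table, and a session that is
# finished or timed out is simply gone instead of depending on a stateless
# "pass out" rule to cover its tail.
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22  flags S keep state
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80  flags S keep state
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443 flags S keep state

# Everything else inbound on xl1 is dropped and logged. With the rules
# above, a logged RST for a session you expected to work means the packet
# had no state entry to match (session expired, never created, or the
# packet arrived mid-stream), which is what to check first with ipfstat.
block in log quick on xl1 all
```

To use it, load the file with `ipf -Fa -f /etc/ipf.rules`, confirm the rules are in the order you expect with `ipfstat -nio` (ipfilter is last-match unless a rule says `quick`, so ordering matters), watch the state table with `ipfstat -s` or `ipfstat -sl` while a scp session runs, and read the log with `ipmon`. If a RST still shows up as blocked, compare its source and destination ports against the state table output to see whether the session it belongs to ever had an entry.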