From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Michael Richards
Cc: rsimmons@wlcg.com, freebsd-security@FreeBSD.ORG
Subject: Re: Letting scp through a firewall using ipfilter
Date: Fri, 22 Jun 2001 22:09:05 -0700
Message-ID: <20010622220905.B2061@blossom.cjclark.org>
In-Reply-To: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>

On Fri, Jun 22, 2001 at 03:52:02PM -0400, Michael Richards wrote:
> > Are you keeping state on the connection?
>
> Yes, this was the problem with the ssh, but I'm concerned about the
> rules to solve the problem I came up with.
>
> Here are the rules:
>
> pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
> block in log quick on xl1 proto tcp from any to 216.1.2.3/28

This is not your complete ruleset. I wonder if something is happening
before you reach that keep state rule.

Also, the log of the dropped packet we saw was a RST packet. The
connection looked like it was having problems without the firewall
getting in the way.

-- 
Crist J. Clark                                cjclark@alum.mit.edu
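As an added illustration (not part of the thread), here is a small Python model of how ipf evaluates the quoted rules: a state table consulted before the rule list, first-match `quick` semantics, and the trailing `block ... log` catch-all that produces the logged drop. It assumes the rejoined ruleset above; the packets and the remote address 198.51.100.7 are constructed, and real ipf state also tracks TCP sequence/window, which this model omits.

```python
import ipaddress
# The ruleset quoted in the thread, with the wrapped "keep state" line rejoined.
RULES_TEXT = """
pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
block in log quick on xl1 proto tcp from any to 216.1.2.3/28
"""
def parse_rule(line):  # handles only the ipf(5) subset used above
    t = line.split()
    return {"action": t[0], "dir": t[1], "log": "log" in t,
            "src": t[t.index("from") + 1], "dst": t[t.index("to") + 1],
            "dport": int(t[t.index("port") + 2]) if "port" in t else None,
            "keep_state": "keep" in t}

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

class Firewall:
    def __init__(self, rules_text):
        self.rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
        self.state = set()  # direction-agnostic endpoint pairs created by "keep state"
        self.log = []       # packets that matched a "log" rule

    def filter(self, pkt):  # returns (action, reason); state is checked before rules
        key = frozenset({(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])})
        if key in self.state:
            return "pass", "state"
        for n, r in enumerate(self.rules, 1):
            if (r["dir"] == pkt["dir"] and addr_match(r["src"], pkt["src"])
                    and addr_match(r["dst"], pkt["dst"])
                    and (r["dport"] is None or r["dport"] == pkt["dport"])):
                if r["log"]:
                    self.log.append("%(dir)s %(src)s:%(sport)d -> %(dst)s:%(dport)d flags=%(flags)s" % pkt)
                if r["keep_state"] and r["action"] == "pass":
                    self.state.add(key)
                return r["action"], "rule %d" % n  # every rule is "quick": first match wins
        return "pass", "default"                   # ipf passes when no rule matches

def demo():  # constructed packets; 198.51.100.7 is a documentation address
    fw, remote, host = Firewall(RULES_TEXT), "198.51.100.7", "216.1.2.5"
    pkts = [
        dict(dir="out", src=host, sport=40000, dst=remote, dport=22, flags="S"),   # creates state
        dict(dir="in", src=remote, sport=22, dst=host, dport=40000, flags="SA"),   # reply rides on it
        dict(dir="in", src=remote, sport=50000, dst=host, dport=22, flags="S"),    # port 22 rule, no state
        dict(dir="in", src=remote, sport=22, dst=host, dport=40001, flags="R"),    # stray RST: block + log
    ]
    return [fw.filter(p) for p in pkts], fw.log
```

The fourth packet shows why a logged RST on its own says little about the rules: with no state entry for that port pair, any inbound segment falls through to the final block rule regardless of which side reset the connection.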