From: "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
To: "Andrew L. Gould"
Cc: FreeBSD-questions@FreeBSD.org
Date: Mon, 19 Jan 2004 00:53:38 +0100
Subject: Re: ipfw rules for letting ssh requests in
Message-Id: <200401190053.38351.Danovitsch@Vitsch.net>
In-Reply-To: <200401181747.04419.algould@datawok.com>

On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
> I can't seem to get the ipfw rules right for letting ssh clients access an
> ssh server. I can use ssh on the server to connect to the client; but if I
> try to connect from the client to the server, the operation times out.
>
> I have my rules in /etc/ipfw.rules. Executing 'ipfw show' displays all of
> the rules as expected. It also shows packets having been allowed at rule
> 300 after an attempt to connect has been made.
>
> I have copied the top portion of /etc/ipfw.rules:
>
> #!/bin/sh
>
> # Andrew L. Gould's firewall rules.
>
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
>
>
> # Basic rules that should not be changed
> ${fwcmd} add 00100 pass all from any to any via lo0
> ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
> ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
>
>
> # Allow specified service requests in
> # ssh
> ${fwcmd} add 00300 allow tcp from any to me 22
> ${fwcmd} add 00301 allow udp from any to me 22
>
> Does anyone have any idea why the operation is timing out or what I have
> done wrong?

You forgot the packets in the other direction... This should do the trick:

${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any

grtz,
Daan
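The following script is an added example, not part of the thread above and not Andrew's or Daan's own rules. It shows two complete ipfw rule sets for an ssh server that both cover the return direction, plus a small check that catches the original mistake (inbound rule present, no reply path) before the rules are loaded. The plain `allow tcp from me 22 to any` suggested on the list works, but it also lets the host open new outbound connections from source port 22; variant A narrows the return rule with `established` so it only matches packets of an already-started TCP connection, and variant B uses `keep-state`/`check-state` so the reply direction is handled by a dynamic rule. The interface name `em0`, the rule numbers and the `APPLY` switch are assumptions for illustration; by default the script only prints the ipfw commands (dry run).

```shell
#!/bin/sh
# Added example: ipfw rule sets for an ssh server that allow both packet
# directions. Dry run by default; set APPLY=1 on a FreeBSD host to load them.
# Interface name and rule numbers are assumptions, not from the original post.

IFACE="${IFACE:-em0}"

# Variant A: stateless pair. Inbound rule matches only the connection
# request (SYN without ACK, "setup"); the return rule matches only packets
# of an established connection (ACK or RST set), so the host cannot use it
# to initiate outbound TCP from source port 22.
stateless_ssh_rules() {
    cat <<EOF
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
add 00300 allow tcp from any to me 22 in via $IFACE setup
add 00301 allow tcp from me 22 to any out via $IFACE established
EOF
}

# Variant B: stateful. The inbound SYN creates a dynamic rule (keep-state);
# check-state then matches every later packet of that connection in either
# direction, so no explicit return rule is needed.
stateful_ssh_rules() {
    cat <<EOF
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
add 00200 check-state
add 00300 allow tcp from any to me 22 in via $IFACE setup keep-state
EOF
}

# Sanity check: a rule set must let the SYN in AND provide a path for the
# replies (an explicit "from me 22 to any" rule or a keep-state rule).
# Returns 0 when both are present, 1 otherwise.
has_both_directions() {
    rules="$1"
    echo "$rules" | grep -q 'from any to me 22' || return 1
    echo "$rules" | grep -Eq 'from me 22 to any|keep-state' || return 1
    return 0
}

# Print the ipfw commands that would be run, or run them when APPLY=1.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        /sbin/ipfw -q -f flush
        "$1" | while read -r line; do /sbin/ipfw -q $line; done
    else
        "$1" | sed 's|^|/sbin/ipfw -q |'
    fi
}

# Refuse to load a rule set that repeats the original one-way mistake.
has_both_directions "$(stateful_ssh_rules)" || {
    echo "rule set lacks a return path" >&2
    exit 1
}
apply_rules stateful_ssh_rules
```

ssh uses TCP only, so the `allow udp from any to me 22` rule in the original file is never matched and can be dropped. After loading either variant, `ipfw show` will display per-rule packet counters, so a connection attempt that increments rule 300 but not 301 (or not the dynamic rule, visible with `ipfw -d show`) points directly at a missing return path.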