Date: Tue, 22 Aug 2006 15:05:32 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG, fydernix@gmail.com
Subject: Re: IPFW rules
Message-ID: <200608221305.k7MD5WBE099804@lurza.secnetix.de>
In-Reply-To: <c04d7e300608210842u33ec9e86gaa2d98deab69b145@mail.gmail.com>
SigmaX asdf wrote:
> I'm trying to setup IPFW to block all ports except those I specify.
> For starters I'm just opening SSH.
>
> # ipfw list
> 00050 divert 8668 ip4 from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00301 allow log tcp from any to any dst-port 22
> 00399 deny ip from any to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> Traffic is still blocked on port 22 -- I can't login via SSH. What am
> I doing wrong, and what rule should I be using to allow SSH in and
> through?

TCP connections are always 2-way (i.e. they require both ingoing and
outgoing packets). But your rules allow only one way. There are three
possibilities:

(1) Add a rule "allow log tcp from any to any src-port 22" (not very
efficient, but works).

(2) Add "setup" to the dst-port 22 rule and add a rule that allows
established connections.

(3) Use "keep-state".

See the ipfw(8) manual page for details. You should also read a good
book on TCP/IP and packet filter configuration.

By the way, you probably should also allow name server traffic (port 53,
UDP and TCP) and ICMP packets.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible." -- John William Chambless
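The stateful fix from the reply (options 2 and 3), written out as an added example script that is not part of the thread. /sbin/ipfw, the `me` keyword rules, the rule numbers and the IPFW_CMD override are assumptions; the poster's natd divert rule is left out because dynamic rules and NAT translation need their own ordering.

```shell
#!/bin/sh
# Added example, not from the original thread: the poster's ruleset rebuilt
# with ipfw's stateful matching (option 3 in the reply). /sbin/ipfw and the
# IPFW_CMD override are assumptions; the natd divert rule is left out
# because combining dynamic rules with NAT needs separate handling.
fw() { "${IPFW_CMD:-/sbin/ipfw}" "$@"; }

stateful_ruleset() {
    fw -f flush
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    # check-state precedes the keep-state rules: this is where the return
    # half of every session (the part the poster's rules never allowed) is
    # matched against the dynamic rule created by the session's first packet.
    fw add 400 check-state
    # Inbound SSH: only the SYN ("setup") creates a dynamic rule; the reply
    # packets then pass at check-state instead of hitting the default deny.
    fw add 500 allow log tcp from any to me dst-port 22 setup keep-state
    # Outbound TCP from this host, SSH "through" included.
    fw add 510 allow tcp from me to any setup keep-state
    # Name service (UDP and TCP) and ICMP, as the reply recommends.
    fw add 600 allow udp from me to any dst-port 53 keep-state
    fw add 610 allow tcp from me to any dst-port 53 setup keep-state
    fw add 620 allow icmp from any to any
    # Default deny with logging so blocked traffic shows up in the logs.
    fw add 65000 deny log ip from any to any
}

# Option 2 (setup + established) for comparison. "established" matches any
# TCP segment with ACK or RST set, so it also passes such segments sent to
# ports that never completed a handshake; keep-state does not have that gap.
setup_established_rules() {
    fw add 310 allow tcp from any to any established
    fw add 320 allow log tcp from any to any dst-port 22 setup
}

# Run as "sh ipfw-stateful.sh apply" on the FreeBSD host to load the rules.
case "${1:-}" in apply) stateful_ruleset ;; esac
```

Setting IPFW_CMD=echo prints the rules instead of loading them, which is a convenient way to review the ruleset before applying it on a remote host over the very SSH session it governs.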