From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG, fydernix@gmail.com
Date: Tue, 22 Aug 2006 15:05:32 +0200 (CEST)
Message-Id: <200608221305.k7MD5WBE099804@lurza.secnetix.de>
Subject: Re: IPFW rules

SigmaX asdf wrote:
> I'm trying to set up IPFW to block all ports except those I specify.
> For starters I'm just opening SSH.
>
> # ipfw list
> 00050 divert 8668 ip4 from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00301 allow log tcp from any to any dst-port 22
> 00399 deny ip from any to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> Traffic is still blocked on port 22 -- I can't login via SSH. What am
> I doing wrong, and what rule should I be using to allow SSH in and
> through?

TCP connections are always 2-way (i.e. they require both ingoing and
outgoing packets). But your rules allow only one way. There are three
possibilities:

(1) Add a rule "allow log tcp from any to any src-port 22" (not very
    efficient, but works).

(2) Add "setup" to the dst-port 22 rule and add a rule that allows
    established connections.

(3) Use "keep-state".

See the ipfw(8) manual page for details. You should also read a good
book on TCP/IP and packet filter configuration.

By the way, you probably should also allow name server traffic
(port 53, UDP and TCP) and ICMP packets.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible."
        -- John William Chambless
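The following is an added example, not part of the original mail: a small first-match simulation of the rule subset discussed above (protocol, src/dst port, "setup", "established", "keep-state"), showing why the posted ruleset drops the SYN-ACK that the SSH server sends back, how each of the three fixes lets the full three-way handshake through, and why the src-port 22 variant is the weakest of the three. Hosts, ports and the third-party address are constructed sample values; the divert, lo0 and log details of the real ruleset are left out.

```python
def pkt(proto, src, sport, dst, dport, flags=()):
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": frozenset(flags)}

def matches(rule, p):
    if rule.get("proto", p["proto"]) != p["proto"]:
        return False
    if "dst-port" in rule and p["dport"] != rule["dst-port"]:
        return False
    if "src-port" in rule and p["sport"] != rule["src-port"]:
        return False
    # "setup": SYN set and ACK clear, i.e. the first packet of a connection
    if rule.get("setup") and not ("SYN" in p["flags"] and "ACK" not in p["flags"]):
        return False
    # "established": ACK or RST set, i.e. any later packet of a connection
    if rule.get("established") and not (p["flags"] & {"ACK", "RST"}):
        return False
    return True

def flow_key(p):
    # Direction-independent key so reply packets hit the same dynamic entry
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def evaluate(rules, p, dyn):
    # First match wins; dyn (the keep-state table) is checked before the
    # static rules, a simplification equivalent to a check-state at the top.
    if flow_key(p) in dyn:
        return "allow"
    for rule in rules:
        if matches(rule, p):
            if rule.get("keep-state"):
                dyn.add(flow_key(p))
            return rule["action"]
    return "deny"  # the implicit rule 65535

CLIENT, SERVER = ("203.0.113.5", 51234), ("192.0.2.10", 22)  # constructed sample hosts
def ssh_handshake_passes(rules):
    dyn = set()
    three_way = [pkt("tcp", *CLIENT, *SERVER, ["SYN"]),
                 pkt("tcp", *SERVER, *CLIENT, ["SYN", "ACK"]),
                 pkt("tcp", *CLIENT, *SERVER, ["ACK"])]
    return all(evaluate(rules, p, dyn) == "allow" for p in three_way)
def new_inbound_passes(rules, sport, dport):
    # A fresh SYN from a third host to some other service on the server
    p = pkt("tcp", "198.51.100.7", sport, SERVER[0], dport, ["SYN"])
    return evaluate(rules, p, set()) == "allow"
POSTED = [{"action": "allow", "proto": "tcp", "dst-port": 22}, {"action": "deny"}]
FIX_SRCPORT = [POSTED[0], {"action": "allow", "proto": "tcp", "src-port": 22}, POSTED[1]]
FIX_SETUP = [{"action": "allow", "proto": "tcp", "dst-port": 22, "setup": True},
             {"action": "allow", "proto": "tcp", "established": True}, POSTED[1]]
FIX_STATE = [{"action": "allow", "proto": "tcp", "dst-port": 22, "keep-state": True}, POSTED[1]]
```

With the posted rules only the inbound SYN matches rule 301 and the server's SYN-ACK falls through to the deny, while all three fixes pass the handshake; the src-port 22 fix also passes any new inbound SYN that merely claims source port 22, which the setup/established and keep-state variants deny.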