Date: Mon, 20 Sep 2004 21:00:00 +0900
From: horio shoichi <bugsgrief@bugsgrief.net>
To: freebsd-questions@freebsd.org
Subject: Re: IP Firewall blocks cvsup
Message-ID: <20040920.120000.d334ad42d3193591.10.0.3.20@bugsgrief.net>
In-Reply-To: <414D8D78.6090807@comcast.net>
References: <414D8D78.6090807@comcast.net>
On Sun, 19 Sep 2004 06:45:28 -0700
Rob <europax@comcast.net> wrote:

> Seems to work with everything else incl. ftp. What am I doing wrong?
> Thanks, Rob.
>
>
>
> block in log all
> pass out all
>
> pass out on lo all
> pass in on lo all
>
> pass out quick on bfe0 proto tcp/udp from any to any port > 1024

For a quick answer, replace the above line with:

pass out quick on bfe0 proto tcp/udp from any to any port > 1024 keep state

>
> pass in quick on bfe0 proto icmp all icmp-type 0
> pass in quick on bfe0 proto icmp all icmp-type 3
> pass in quick on bfe0 proto icmp all icmp-type 11
>
> block in on bfe0 proto tcp all flags S/SA
> block out on bfe0 proto tcp all flags SA/SA
>
> pass in quick on bfe0 proto tcp from any to any port = 22 flags S/SA keep state
> pass in quick on bfe0 proto tcp from any to any port = 25 flags S/SA keep state
>
>
> pass out on bfe0 proto tcp all keep state

I don't think this line makes the tcp connections below stateful. You must
write down the "keep state" phrase on every tcp (and udp, icmp) line you write.

>
> block return-rst in on bfe0 proto tcp from any to any port = 113
>
> pass in on bfe0 proto tcp/udp from any port = 53 to any
> pass in on bfe0 proto tcp/udp from any port = 67 to any
> pass out on bfe0 proto tcp/udp from any port = 68 to any
> pass in on bfe0 proto tcp from any port = 80 to any

Or, add the following line here:

pass in on bfe0 proto tcp from any port = 5999 to any

horio shoichi
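The following is an added illustration of the point made in this reply; it is not code from the thread and not FreeBSD's ipf. It is a toy evaluator for just the rule syntax Rob's ruleset uses, with ipf's semantics as modelled here: rules are scanned in order and the last matching rule wins, a matching `quick` rule ends the scan, a packet matching no rule is passed, and a packet passed by a `keep state` rule puts its flow in a state table so the replies are passed before the rules are consulted at all. The client and server addresses, the ephemeral port 49152 and the TCP handshake are constructed sample traffic; cvsup's TCP port 5999 is the port the reply names. Run through this model, Rob's ruleset passes the outbound SYN to port 5999 via the stateless `quick` rule for ports above 1024, so the later `pass out on bfe0 proto tcp all keep state` line is never reached for it, and the server's SYN/ACK then falls to `block in log all`; HTTP works because port 80 is not above 1024, so that SYN falls through to the `keep state` rule instead.

```python
"""Toy IPFilter (ipf) rule evaluator, added to show why the quoted ruleset blocks
cvsup; not FreeBSD code. It covers only the syntax in that ruleset and ipf's rules:
last match wins, 'quick' stops there, no match passes, 'keep state' passes replies."""
from collections import namedtuple
from dataclasses import dataclass

# flags: TCP flags set on the packet, e.g. "S" for a SYN, "SA" for a SYN/ACK.
Pkt = namedtuple("Pkt", "direction iface proto src sport dst dport flags", defaults=[""])

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    text: str                   # original rule line, reported as the verdict's reason
    quick: bool = False
    iface: str = ""             # "" means any interface
    protos: frozenset = frozenset()
    sport: tuple = ()           # (op, port) with op "=" or ">"; () means any port
    dport: tuple = ()
    flags: tuple = ()           # (bits that must be set, mask), e.g. ({"S"}, {"S", "A"})
    keep_state: bool = False

def parse_rule(line: str) -> Rule:
    t = [w for w in line.split() if w not in ("log", "all", "return-rst")]  # no effect here
    r, side, i = Rule(t[0], t[1], line), None, 2
    while i < len(t):
        w, a = t[i], t[i + 1] if i + 1 < len(t) else ""
        if w == "port":                          # side was set by the preceding from/to
            setattr(r, "sport" if side == "from" else "dport", (a, int(t[i + 2])))
        elif w in ("from", "to"):                # every address in the ruleset is "any"
            side = w
        elif w == "proto":
            r.protos = frozenset(a.split("/"))
        elif w == "flags":
            r.flags = tuple(set(x) for x in a.split("/"))
        elif w == "on":
            r.iface = a
        elif w == "quick":
            r.quick = True
        elif w == "keep":
            r.keep_state = True
        elif w != "icmp-type":                   # icmp-type is accepted but not checked
            raise ValueError(f"unsupported token {w!r} in: {line}")
        i += {"quick": 1, "port": 3}.get(w, 2)
    return r

def matches(r: Rule, p: Pkt) -> bool:
    ok = lambda cmp, port: not cmp or (port > cmp[1] if cmp[0] == ">" else port == cmp[1])
    return (r.direction == p.direction and (not r.iface or r.iface == p.iface)
            and (not r.protos or p.proto in r.protos)
            and ok(r.sport, p.sport) and ok(r.dport, p.dport)
            # "flags S/SA": of SYN and ACK exactly SYN is set, so a SYN/ACK does not match
            and (not r.flags or set(p.flags) & r.flags[1] == r.flags[0]))

class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(l) for l in rules if l.strip()]
        self.state = set()                      # flows passed by a "keep state" rule

    def filter(self, p: Pkt) -> tuple:
        """Return (verdict, reason) for one packet and update the state table."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.state or (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass", "state table"         # replies of a kept flow skip the rules
        winner = Rule("pass", p.direction, "no rule matched (ipf default)")
        for r in self.rules:
            if matches(r, p):
                winner = r
                if r.quick:
                    break
        if winner.action == "pass" and winner.keep_state:
            self.state.add(key)
        return winner.action, winner.text

ROB_RULES = """\
block in log all
pass out all
pass out on lo all
pass in on lo all
pass out quick on bfe0 proto tcp/udp from any to any port > 1024
pass in quick on bfe0 proto icmp all icmp-type 0
pass in quick on bfe0 proto icmp all icmp-type 3
pass in quick on bfe0 proto icmp all icmp-type 11
block in on bfe0 proto tcp all flags S/SA
block out on bfe0 proto tcp all flags SA/SA
pass in quick on bfe0 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on bfe0 proto tcp from any to any port = 25 flags S/SA keep state
pass out on bfe0 proto tcp all keep state
block return-rst in on bfe0 proto tcp from any to any port = 113
pass in on bfe0 proto tcp/udp from any port = 53 to any
pass in on bfe0 proto tcp/udp from any port = 67 to any
pass out on bfe0 proto tcp/udp from any port = 68 to any
pass in on bfe0 proto tcp from any port = 80 to any
""".splitlines()

def tcp_handshake(rules, dport, client="10.0.0.2", server="192.0.2.10"):
    """Constructed traffic: SYN out via bfe0 to server:dport, then the SYN/ACK back in.
    Returns the (verdict, reason) pair for each of the two packets."""
    fw = Firewall(rules)
    out = fw.filter(Pkt("out", "bfe0", "tcp", client, 49152, server, dport, "S"))
    back = fw.filter(Pkt("in", "bfe0", "tcp", server, dport, client, 49152, "SA"))
    return out, back

# The two fixes from the reply: keep state on the outbound rule, or pass in from 5999.
FIX_KEEP_STATE = [r + " keep state" if r.startswith("pass out quick") else r for r in ROB_RULES]
FIX_PASS_IN = ROB_RULES + ["pass in on bfe0 proto tcp from any port = 5999 to any"]
```

`tcp_handshake(ROB_RULES, 5999)` returns `block` for the SYN/ACK with `block in log all` as the reason, `tcp_handshake(ROB_RULES, 80)` returns `pass` via the state table, and both `FIX_KEEP_STATE` and `FIX_PASS_IN` pass the cvsup reply. Of the two fixes, the `keep state` one is the tighter: the stateless `pass in ... from any port = 5999` admits any inbound TCP segment whose source port happens to be 5999, which a remote sender chooses freely, whereas the state entry only admits replies to a connection this host opened.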