From: horio shoichi
To: freebsd-questions@freebsd.org
Date: Mon, 20 Sep 2004 21:00:00 +0900
Subject: Re: IP Firewall blocks cvsup
Message-Id: <20040920.120000.d334ad42d3193591.10.0.3.20@bugsgrief.net>
In-Reply-To: <414D8D78.6090807@comcast.net>
References: <414D8D78.6090807@comcast.net>
X-Mailer: Sylpheed-Claws 0.9.12a (GTK+ 1.2.10; i386-portbld-freebsd4.9)
List-Id: User questions <freebsd-questions@freebsd.org>

On Sun, 19 Sep 2004 06:45:28 -0700
Rob wrote:

> Seems to work with everything else incl. ftp. What am I doing wrong?
> Thanks, Rob.
>
>
>
> block in log all
> pass out all
>
> pass out on lo all
> pass in on lo all
>
> pass out quick on bfe0 proto tcp/udp from any to any port > 1024

For a quick answer, replace the above line with:

pass out quick on bfe0 proto tcp/udp from any to any port > 1024 keep state

>
> pass in quick on bfe0 proto icmp all icmp-type 0
> pass in quick on bfe0 proto icmp all icmp-type 3
> pass in quick on bfe0 proto icmp all icmp-type 11
>
> block in on bfe0 proto tcp all flags S/SA
> block out on bfe0 proto tcp all flags SA/SA
>
> pass in quick on bfe0 proto tcp from any to any port = 22 flags S/SA keep state
> pass in quick on bfe0 proto tcp from any to any port = 25 flags S/SA keep state
>
>
> pass out on bfe0 proto tcp all keep state

I don't think this line makes the tcp connections below stateful. You must
write the "keep state" phrase on every tcp (and udp, icmp) line you write.

>
> block return-rst in on bfe0 proto tcp from any to any port = 113
>
> pass in on bfe0 proto tcp/udp from any port = 53 to any
> pass in on bfe0 proto tcp/udp from any port = 67 to any
> pass out on bfe0 proto tcp/udp from any port = 68 to any
> pass in on bfe0 proto tcp from any port = 80 to any

Or, add the following line here:

pass in on bfe0 proto tcp from any port = 5999 to any

>

horio shoichi
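Added example, not part of the thread: a small Python model of ipf's evaluation order (state table first, then the rules with last match winning unless a rule says quick), run over the lines of Rob's ruleset that can match the cvsup exchange. It shows that the client's SYN leaves through the quick "port > 1024" rule without creating state, so the server's reply falls to "block in log all", and that either of horio's fixes lets the reply through. The client port 49152 and the reduced rule subset are constructed for the example; the semantics modelled are ipf's documented ones, not code from IP Filter itself.

```python
from collections import namedtuple
Pkt = namedtuple("Pkt", "dir iface proto sport dport flags")  # dir: "in"/"out"; flags: "S" (SYN), "SA" (SYN+ACK)

def parse(line):  # the ipf rule subset Rob used; every address is "any", so addresses are ignored
    t = line.split()
    r = {"action": t[0], "dir": t[2] if t[1] == "return-rst" else t[1], "quick": "quick" in t,
         "state": "state" in t, "iface": None, "protos": None, "sport": None, "dport": None, "flags": None}
    for i, w in enumerate(t):
        if w == "on": r["iface"] = t[i + 1]
        elif w == "proto": r["protos"] = t[i + 1].split("/")
        elif w == "flags": r["flags"] = t[i + 1].split("/")  # ["wanted", "mask"]
        elif w == "port":  # "to any port ..." constrains the destination, "from any port ..." the source
            r["dport" if "to" in t[:i] else "sport"] = (t[i + 1], int(t[i + 2]))
    return r

def matches(r, p):
    ok = r["dir"] == p.dir and r["iface"] in (None, p.iface) and (not r["protos"] or p.proto in r["protos"])
    for key in ("sport", "dport"):
        if ok and r[key]:  # only "=" and ">" occur in the thread
            ok = getattr(p, key) > r[key][1] if r[key][0] == ">" else getattr(p, key) == r[key][1]
    if ok and r["flags"]:  # ipf "flags X/Y": the packet's flags masked by Y must equal exactly X
        ok = {c for c in p.flags if c in r["flags"][1]} == set(r["flags"][0])
    return ok

def filter_packet(rules, state, p):
    """ipf order: state table first (either direction), then the rules; last match wins unless 'quick'."""
    if (p.proto, p.sport, p.dport) in state or (p.proto, p.dport, p.sport) in state:
        return "pass"
    last = None
    for r in rules:
        if matches(r, p):
            last = r
            if r["quick"]: break
    if last and last["action"] == "pass" and last["state"]:
        state.add((p.proto, p.sport, p.dport))  # "keep state" records the connection for its replies
    return last["action"] if last else "pass"  # ipf's compiled-in default; Rob's first two rules make it explicit

# The lines of Rob's ruleset that can match TCP on bfe0 in this exchange (lo, icmp, ssh/smtp and DHCP lines omitted).
ROB = """block in log all
pass out all
pass out quick on bfe0 proto tcp/udp from any to any port > 1024
block in on bfe0 proto tcp all flags S/SA
pass out on bfe0 proto tcp all keep state
pass in on bfe0 proto tcp from any port = 80 to any""".splitlines()

def cvsup_verdicts(rule_lines):
    """Verdicts for the client's SYN to a cvsup server (port 5999) and for the server's SYN+ACK reply."""
    rules, state = [parse(ln) for ln in rule_lines], set()
    syn = filter_packet(rules, state, Pkt("out", "bfe0", "tcp", 49152, 5999, "S"))
    return syn, filter_packet(rules, state, Pkt("in", "bfe0", "tcp", 5999, 49152, "SA"))

# Horio's two fixes: "keep state" on the quick outbound rule, or an explicit rule for replies from port 5999.
FIX_STATE = [ln + " keep state" if ln.startswith("pass out quick") else ln for ln in ROB]
FIX_5999 = ROB + ["pass in on bfe0 proto tcp from any port = 5999 to any"]
```

`cvsup_verdicts(ROB)` gives ("pass", "block"): the SYN goes out, the reply is dropped; both `FIX_STATE` and `FIX_5999` give ("pass", "pass").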