From owner-freebsd-security@FreeBSD.ORG  Tue Sep 30 07:54:47 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id C63A916A4BF; Tue, 30 Sep 2003 07:54:47 -0700 (PDT)
Received: from mail.broadpark.no (mail.broadpark.no [217.13.4.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id F04FD43F75; Tue, 30 Sep 2003 07:54:45 -0700 (PDT)
	(envelope-from des@des.no)
Received: from smtp.des.no (37.80-203-228.nextgentel.com [80.203.228.37])
	by mail.broadpark.no (Postfix) with ESMTP
	id 20EE578794; Tue, 30 Sep 2003 16:54:45 +0200 (MEST)
Received: by smtp.des.no (Pony Express, from userid 666)
	id 8CD1D9BABC; Tue, 30 Sep 2003 16:54:44 +0200 (CEST)
Received: from dwp.des.no (dwp.des.no [10.0.0.4])
	by smtp.des.no (Pony Express) with ESMTP
	id D9D0A9B525; Tue, 30 Sep 2003 16:54:40 +0200 (CEST)
Received: by dwp.des.no (Postfix, from userid 2602)
	id BD54EB84A; Tue, 30 Sep 2003 16:54:40 +0200 (CEST)
To: echelon <e_chelon@yahoo.com>
References: <20030930112325.48361.qmail@web41204.mail.yahoo.com>
From: des@des.no (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?=)
Date: Tue, 30 Sep 2003 16:54:40 +0200
In-Reply-To: <20030930112325.48361.qmail@web41204.mail.yahoo.com>
	(e_chelon@yahoo.com's
	message of "Tue, 30 Sep 2003 04:23:25 -0700 (PDT)")
Message-ID: <xzpzngm9vin.fsf@dwp.des.no>
User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, hits=-3.0 required=8.0
	tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,
	      REPLY_WITH_QUOTES,USER_AGENT_GNUS_UA
	version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
cc: freebsd-security@freebsd.org
cc: freebsd-stable@freebsd.org
cc: Darren Reed <avalon@caligula.anu.edu.au>
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2003 14:54:47 -0000

echelon <e_chelon@yahoo.com> writes:
> However, I use the following rules for the internal network interface (xl=
1)
>
> # Group 9000 (internal network interface)=20
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32=
 port =3D 23 group 9000
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32=
 port =3D 21 group 9000
> pass in quick on xl1 all group 9000
>
> With these rules, I believe I should able to ping and SSH the
> freebsd box from my internal network no matter the option
> IPFILTER_DEFAULT_BLOCK is set or not.

You're only letting traffic *in*.  You're not letting anything *out*.
TCP, like love, is a two-way street.

DES
--=20
Dag-Erling Sm=F8rgrav - des@des.no