Date:      Tue, 30 Sep 2003 11:09:39 -0400 (EDT)
From:      Justin <justin@othius.com>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        Darren Reed <avalon@caligula.anu.edu.au>
Subject:   Re: IPFILTER_DEFAULT_BLOCK & No route to host
Message-ID:  <20030930110647.P45405@ike.othius.com>
In-Reply-To: <xzpzngm9vin.fsf@dwp.des.no>
References:  <20030930112325.48361.qmail@web41204.mail.yahoo.com> <xzpzngm9vin.fsf@dwp.des.no>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tue, 30 Sep 2003, Dag-Erling Smørgrav wrote:
> echelon <e_chelon@yahoo.com> writes:
> > However, I use the following rules for the internal network interface (xl1)
> >
> > # Group 9000 (internal network interface)
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> > pass in quick on xl1 all group 9000
> >
> > With these rules, I believe I should able to ping and SSH the
> > freebsd box from my internal network no matter the option
> > IPFILTER_DEFAULT_BLOCK is set or not.
>
> You're only letting traffic *in*.  You're not letting anything *out*.
> TCP, like love, is a two-way street.

And if you want to keep it that way from a connection, rather than packet,
point of view, use the "keep state" option on your pass in rule.

- -Justin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/eZy5dYQBw9Ox1VgRAkU/AJwNwMUIP5A+H/+T0+jkh1y1CSncjQCgrrn9
n6nmL3eMWM7NgW2pp6DhkCs=
=LOX9
-----END PGP SIGNATURE-----
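The two replies above make one point: the quoted ruleset passes packets *in* on xl1, so under IPFILTER_DEFAULT_BLOCK the SYN-ACK leaving the box matches no rule and is dropped, while "keep state" on the pass rule records the flow and lets the return traffic through. The following toy model is an added illustration written for this page; it is not IPFilter code and not from the thread. It mimics only the semantics discussed (per-packet, per-direction, per-interface matching with first match winning since every rule in the thread is `quick`; default block; a state table consulted before the rule list). The addresses, ports and the `ToyFilter`/`run_scenario` names are constructed for the demonstration, and `block return-rst` is modelled as a plain block.

```python
"""Toy model of the IPFilter behaviour discussed in the thread.

Added example, not code from the thread or from IPFilter itself. It models
only the semantics the replies rely on:
  * rules are matched per packet, per direction, per interface (all rules in
    the thread use 'quick', so first match wins here);
  * with IPFILTER_DEFAULT_BLOCK a packet that matches no rule is dropped;
  * 'keep state' on a pass rule records the flow so that the return traffic
    (SYN-ACK, data, ICMP echo reply) is accepted without a rule of its own.
Addresses, ports and the rule order are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str          # "in" or "out", relative to the firewall
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block" ("block return-rst" treated as "block")
    direction: str
    iface: str
    proto: Optional[str] = None   # None matches any protocol ("all")
    dport: Optional[int] = None   # None matches any destination port
    keep_state: bool = False      # mirrors the 'keep state' keyword

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and pkt.iface == self.iface
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


def flow_key(pkt: Packet) -> Tuple:
    """Direction-independent key: the reply packet maps to the same flow."""
    ends = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
    return (pkt.iface, pkt.proto, ends)


class ToyFilter:
    def __init__(self, rules: List[Rule], default_block: bool = True):
        self.rules = rules
        self.default_block = default_block      # IPFILTER_DEFAULT_BLOCK
        self.state: Set[Tuple] = set()          # flows recorded by keep state

    def verdict(self, pkt: Packet) -> str:
        # The state table is consulted before the rule list.
        if flow_key(pkt) in self.state:
            return "pass"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.state.add(flow_key(pkt))
                return rule.action
        return "block" if self.default_block else "pass"


def internal_rules(keep_state: bool) -> List[Rule]:
    """Group-9000 style ruleset for the internal interface xl1 (constructed)."""
    return [
        Rule("block", "in", "xl1", proto="tcp", dport=23),   # telnet
        Rule("block", "in", "xl1", proto="tcp", dport=21),   # ftp
        Rule("pass", "in", "xl1", keep_state=keep_state),    # everything else in
    ]


def run_scenario(keep_state: bool) -> List[str]:
    """Verdicts for: SSH SYN in, its SYN-ACK out, and a telnet attempt in."""
    fw = ToyFilter(internal_rules(keep_state))
    client, box = "192.168.1.10", "192.168.1.1"   # constructed addresses
    packets = [
        Packet("xl1", "in", "tcp", client, box, 54321, 22),   # SSH SYN
        Packet("xl1", "out", "tcp", box, client, 22, 54321),  # SSH SYN-ACK
        Packet("xl1", "in", "tcp", client, box, 54322, 23),   # telnet SYN
    ]
    return [fw.verdict(p) for p in packets]


if __name__ == "__main__":
    print("without keep state:", run_scenario(False))   # ['pass', 'block', 'block']
    print("with keep state:   ", run_scenario(True))    # ['pass', 'pass', 'block']
```

Without `keep state` the SYN is passed but the SYN-ACK, being an *out* packet on xl1 with no matching rule, falls through to the default block, which is the failure the original poster saw. With `keep state` the reply is accepted because the flow was recorded when the SYN passed, so no separate `pass out` rule is needed and the decision is made once per connection rather than once per packet, which is the distinction Justin draws.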
