From: Justin <justin@othius.com>
Date: Tue, 30 Sep 2003 11:09:39 -0400 (EDT)
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, echelon, freebsd-stable@freebsd.org, Darren Reed
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host

On Tue, 30 Sep 2003, Dag-Erling Smørgrav wrote:

> echelon writes:
> > However, I use the following rules for the internal network interface (xl1)
> >
> > # Group 9000 (internal network interface)
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> > pass in quick on xl1 all group 9000
> >
> > With these rules, I believe I should be able to ping and SSH the
> > freebsd box from my internal network no matter whether the option
> > IPFILTER_DEFAULT_BLOCK is set or not.
>
> You're only letting traffic *in*. You're not letting anything *out*.
> TCP, like love, is a two-way street.

And if you want to keep it that way from a connection, rather than packet, point of view, use the "keep state" option on your pass in rule.

-Justin
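The three rulesets the thread is talking about, side by side in ipf.conf syntax, as an added example that is not from the mail or from IPFilter's own documentation. The "head 9000" rule, the "flags S" idiom and the UDP/ICMP rules are assumptions not present in the quoted excerpt; 192.168.x.x is kept as the poster redacted it.

```conf
# Ruleset A: what the quoted mail shows (head rule assumed; not in the excerpt).
# With IPFILTER_DEFAULT_BLOCK, a packet that matches no rule is dropped, and
# nothing below matches the box's own replies leaving xl1 (SYN-ACK for ssh,
# echo-reply for ping), so the client ends up with "No route to host".
block in quick on xl1 all head 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
pass in quick on xl1 all group 9000

# Ruleset B: Dag-Erling's point, fixed per packet. Replies can now leave,
# but so can anything else the box originates on xl1.
block in quick on xl1 all head 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
pass in quick on xl1 all group 9000
pass out quick on xl1 all

# Ruleset C: Justin's point, fixed per connection. The packet that opens a
# connection creates a state entry; ipf consults the state table before the
# rule list, so the reply and every later packet of that connection pass in
# both directions without needing a matching rule. Anything else leaving
# xl1 stays blocked, whether or not IPFILTER_DEFAULT_BLOCK is compiled in.
block in quick on xl1 all head 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
pass in quick on xl1 proto tcp from any to any flags S keep state group 9000
pass in quick on xl1 proto udp from any to any keep state group 9000
pass in quick on xl1 proto icmp from any to any icmp-type echo keep state group 9000
# Connections the box itself opens toward the LAN need their own state
# entry; everything else going out on xl1 is dropped explicitly.
pass out quick on xl1 proto tcp from any to any flags S keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all
```

In ruleset C the telnet/ftp block rules still win because they carry "quick" and come first; a non-SYN TCP segment with no state entry now falls through to the head rule and is blocked instead of being passed by the old catch-all.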