From: Chuck Swiger <cswiger@mac.com>
Date: Mon, 17 Apr 2006 19:42:44 -0400
To: David Wolfskill
Cc: freeBSD List <freebsd-questions@freebsd.org>
Subject: Re: IPFW Problems?
Message-ID: <444427F4.2070405@mac.com>
In-Reply-To: <20060417224415.GY32062@bunrab.catwhisker.org>
References: <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com> <3BE1F863-F59D-49EC-A9D4-AEF6D89C5ABD@mac.com> <20060417224415.GY32062@bunrab.catwhisker.org>
David Wolfskill wrote:
> On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
>> [ ...redirected to freebsd-questions... ]
>
> Thanks for doing that!

It seemed appropriate. :)

[ ... ]

>> You don't have a check-state rule anywhere, so you either need to add
>> one or a rule to pass established traffic to and from port 22.
>
> I thought check-state was fairly optional; ref:
>
> These dynamic rules, which have a limited lifetime, are checked at the
> first occurrence of a check-state, keep-state or limit rule, and are
> typically used to open the firewall on-demand to legitimate traffic only.
> See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> information on the stateful behaviour of ipfw.
>
> (from "man ipfw" on a 4.11 system).

Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state" isn't going to match inbound established traffic, right? So the dynamic rule checking doesn't actually fire, so the "add 00499 deny log all from any to any" rule fires and blocks it.

Doing a "ipfw add 10 check-state" would probably make SSH go for the original poster...

--
-Chuck
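The fix Chuck suggests, an early check-state rule ahead of the catch-all deny, as an added example that is not part of the thread: a small POSIX sh/awk check that a saved ipfw ruleset contains a check-state rule numbered below its first deny rule, run against a constructed ruleset in the shape quoted above. The rule numbers, the loopback rule and the use of bge0 are constructed for illustration; the script only inspects rule text and never calls ipfw.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Validates that an ipfw
# ruleset (in "ipfw add ..." form) has a check-state rule numbered below
# the catch-all deny, so the dynamic-rule lookup happens before the deny.
# Ruleset contents below are constructed; bge0 is the interface from the thread.

# Constructed ruleset with keep-state but no check-state (the reported shape).
BROKEN_RULES='add 00100 allow ip from any to any via lo0
add 00400 allow tcp from any to any 22 out via bge0 setup keep-state
add 00499 deny log ip from any to any'

# add_check_state RULES -> same ruleset with "add 10 check-state" in front,
# i.e. the change suggested in the reply.
add_check_state() {
    printf 'add 00010 check-state\n%s\n' "$1"
}

# check_state_precedes_deny RULES
#   exit 0: a check-state rule exists and is numbered below the first deny
#   exit 1: no check-state rule at all
#   exit 2: check-state exists but is numbered after the first deny
check_state_precedes_deny() {
    printf '%s\n' "$1" | awk '
        $1 == "add" {
            num = $2 + 0                     # "00010" -> 10 (decimal, not octal)
            if ($0 ~ /check-state/) {
                if (cs == "" || num < cs) cs = num
            } else if ($3 == "deny") {
                if (dn == "" || num < dn) dn = num
            }
        }
        END {
            if (cs == "") exit 1
            if (dn != "" && cs > dn) exit 2
            exit 0
        }'
}

FIXED_RULES=$(add_check_state "$BROKEN_RULES")

# Stand-alone demonstration: report both rulesets.
for name in BROKEN_RULES FIXED_RULES; do
    eval "rules=\$$name"
    if check_state_precedes_deny "$rules"; then
        echo "$name: check-state rule precedes the catch-all deny"
    else
        echo "$name: no check-state rule before the catch-all deny (status $?)"
    fi
done
```

The check is deliberately conservative: it only confirms ordering relative to the first deny rule, which is the condition that matters for returning packets, and says nothing about whether a keep-state rule on its own would have triggered the lookup.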