From: Noah Silverman
Date: Mon, 17 Apr 2006 17:09:17 -0700
To: Chuck Swiger
Cc: freeBSD List, David Wolfskill
Subject: Re: IPFW Problems?
In-Reply-To: <444427F4.2070405@mac.com>

I tried it with:

"ipfw add 00015 check-state"

I still get locked out :(

This is the "standard" firewall from the openbsd manual (on the website.)
I don't understand why it wouldn't work "as is".

Thanks,

-N

On Apr 17, 2006, at 4:42 PM, Chuck Swiger wrote:

> David Wolfskill wrote:
>> On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
>>> [ ...redirected to freebsd-questions... ]
>> Thanks for doing that!
>
> It seemed appropriate. :)
>
> [ ... ]
>>> You don't have a check-state rule anywhere, so you either need to
>>> add one or a rule to pass established traffic to and from port 22.
>> I thought check-state was fairly optional; ref:
>>
>>     These dynamic rules, which have a limited lifetime, are checked at the
>>     first occurrence of a check-state, keep-state or limit rule, and are
>>     typically used to open the firewall on-demand to legitimate traffic only.
>>     See the STATEFUL FIREWALL and EXAMPLES Sections below for more
>>     information on the stateful behaviour of ipfw.
>>
>> (from "man ipfw" on a 4.11 system).
>
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right?
>
> So the dynamic rule checking doesn't actually fire, so the "add 00499 deny
> log all from any to any" rule fires and blocks it. Doing a "ipfw add 10
> check-state" would probably make SSH go for the original poster...
>
> --
> -Chuck
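As an added example (not code from this thread), here is a small Python model of ipfw's first-match evaluation with dynamic rules, following the ipfw(8) text quoted above: dynamic entries are consulted at the first check-state, keep-state or limit rule and match both directions of a flow. It assumes TCP only, ignores interfaces and limit rules, lets only allow rules create state, and uses constructed addresses; the two rulesets stand in for the thread's "setup keep-state" plus "deny all" rules and the suggested early check-state.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:                      # one static ipfw rule, much simplified
    num: int
    action: str                  # "allow" or "deny"
    dport: int = 0               # 0 matches any destination port
    direction: str = ""          # "in", "out" or "" for either
    setup: bool = False          # match only a TCP SYN (new connection)
    keep_state: bool = False
    check_state: bool = False

@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)   # dynamic entries (flows)
    @staticmethod
    def flow(p):                 # unordered endpoints, so replies match too
        return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    def check(self, p):          # first match wins, as in ipfw
        for r in self.rules:
            # dynamic table is consulted at the first check-state/keep-state rule
            if (r.check_state or r.keep_state) and self.flow(p) in self.dynamic:
                return "allow"   # action of the rule that created the entry
            if r.check_state:    # check-state has no body of its own
                continue
            if (r.direction and r.direction != p["dir"]) or \
               (r.dport and r.dport != p["dport"]) or (r.setup and not p["syn"]):
                continue
            if r.keep_state:
                self.dynamic.add(self.flow(p))
            return r.action
        return "deny"            # default rule in a default-to-deny kernel

def pkt(src, sport, dst, dport, direction, syn):
    return dict(src=src, sport=sport, dst=dst, dport=dport, dir=direction, syn=syn)
def ssh_scenario(rules):
    """Verdicts for: outbound SSH SYN from the box, its reply, inbound SSH SYN."""
    fw = Firewall(rules)
    box, peer = "10.0.0.140", "192.0.2.10"        # constructed addresses
    return (fw.check(pkt(box, 50000, peer, 22, "out", True)),
            fw.check(pkt(peer, 22, box, 50000, "in", False)),
            fw.check(pkt(peer, 40000, box, 22, "in", True)))

# rules as quoted in the thread: outbound SSH with keep-state, then deny all
QUOTED = [Rule(100, "allow", 22, "out", setup=True, keep_state=True), Rule(499, "deny")]
# the same plus the suggested early check-state and a rule for SSH *into* the box
FIXED = [Rule(10, "allow", check_state=True),
         Rule(100, "allow", 22, "out", setup=True, keep_state=True),
         Rule(110, "allow", 22, "in", setup=True, keep_state=True),
         Rule(499, "deny")]
```

Under these semantics the reply packets of an outbound keep-state session are accepted at rule 100 with or without rule 10, while an SSH connection into the box only passes once an inbound "setup keep-state" rule sits ahead of the deny; when a ruleset still locks you out after adding check-state, that inbound rule is the first thing to check.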