From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Date: Mon, 17 Apr 2006 19:10:59 -0500
Subject: Re: IPFW Problems
In-Reply-To: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com>

--On April 17, 2006 2:29:23 PM -0700 Noah Silverman wrote:

> I have a system with a 4.11 Kernel. Unless I'm doing something very
> wrong, there seems to be something odd with ipfw.
>
> Take the following rules:
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the box.
> An inspection of the logs shows that rule 499 is being triggered by an
> attempted incoming connection.

What does "ipfw show" reveal regarding connection stats? If you're at the
console, can you ssh out to some other box?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
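The behaviour Noah's four rules depend on, the dynamic-rule check that ipfw performs at the first keep-state/limit rule when the ruleset has no explicit check-state rule, and the per-source cap set by `limit src-addr 2`, can be traced with a small model. The block below is an added example written for this page, not code from the thread or from FreeBSD; it is a deliberate simplification of ipfw (one interface, TCP only, no state timeouts, a plain default-deny fallthrough), and the addresses 10.0.0.1, 203.0.113.5 and 198.51.100.9 are constructed. It does not reproduce the lockout Noah reports; it shows what the rules do when taken in isolation, which is the baseline to compare against the `ipfw show` counters Paul asks about.

```python
# Added example: a simplified model of ipfw stateful evaluation, used to trace
# the four rules quoted in the thread. It is NOT ipfw; addresses are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ME = "10.0.0.1"  # constructed: the firewall host's own address ("me")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    number: int
    action: str            # "allow" or "deny"
    proto: str             # "tcp" or "all"
    dst: str               # "any" or "me"
    dport: Optional[int]
    direction: str
    iface: str
    setup: bool = False    # 'setup': TCP SYN without ACK only
    keep_state: bool = False
    limit_src: Optional[int] = None  # 'limit src-addr N'
    log: bool = False


FlowKey = Tuple[str, FrozenSet[Tuple[str, int]]]


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        # dynamic table: flow -> (rule that created it, client source address)
        self.dynamic: Dict[FlowKey, Tuple[int, str]] = {}
        self.logged: List[Tuple[int, Packet]] = []

    @staticmethod
    def flow_key(p: Packet) -> FlowKey:
        # direction-independent key so the reply matches the same entry
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def matches(self, r: Rule, p: Packet) -> bool:
        if r.direction != p.direction or r.iface != p.iface:
            return False
        if r.proto != "all" and r.proto != p.proto:
            return False
        if r.dst == "me" and p.dst != ME:      # 'to me' = an address of this host
            return False
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        return True

    def evaluate(self, p: Packet) -> Tuple[str, int]:
        """Return (action, rule number) as 'ipfw show' counters would attribute it."""
        state_checked = False
        for r in self.rules:
            # With no check-state rule, ipfw consults the dynamic table at the
            # first keep-state/limit rule, before that rule's own body is tested.
            if (r.keep_state or r.limit_src is not None) and not state_checked:
                state_checked = True
                owner = self.dynamic.get(self.flow_key(p))
                if owner is not None:
                    return ("allow", owner[0])
            if not self.matches(r, p):
                continue
            if r.log:
                self.logged.append((r.number, p))
            if r.limit_src is not None:
                active = sum(1 for n, s in self.dynamic.values()
                             if n == r.number and s == p.src)
                if active >= r.limit_src:
                    return ("deny", r.number)  # model: drop once the cap is reached
            if r.keep_state or r.limit_src is not None:
                self.dynamic[self.flow_key(p)] = (r.number, p.src)
            return (r.action, r.number)
        return ("deny", 65535)  # default rule on a default-deny kernel


def build_firewall() -> Firewall:
    """The four rules from the thread, as the model understands them."""
    return Firewall([
        Rule(280, "allow", "tcp", "any", 22, "out", "bge0", setup=True, keep_state=True),
        Rule(299, "deny", "all", "any", None, "out", "bge0", log=True),
        Rule(430, "allow", "tcp", "me", 22, "in", "bge0", setup=True, limit_src=2, log=True),
        Rule(499, "deny", "all", "any", None, "in", "bge0", log=True),
    ])


def trace_posted_rules() -> Dict[str, Tuple[str, int]]:
    fw, client, peer = build_firewall(), "203.0.113.5", "198.51.100.9"  # constructed
    out: Dict[str, Tuple[str, int]] = {}
    out["ssh_in_syn"] = fw.evaluate(Packet("tcp", client, 50000, ME, 22, "in", "bge0", syn=True))
    out["ssh_in_reply"] = fw.evaluate(Packet("tcp", ME, 22, client, 50000, "out", "bge0", syn=True, ack=True))
    out["ssh_in_second"] = fw.evaluate(Packet("tcp", client, 50001, ME, 22, "in", "bge0", syn=True))
    out["ssh_in_third"] = fw.evaluate(Packet("tcp", client, 50002, ME, 22, "in", "bge0", syn=True))
    out["ssh_out_syn"] = fw.evaluate(Packet("tcp", ME, 51000, peer, 22, "out", "bge0", syn=True))
    out["ssh_out_reply"] = fw.evaluate(Packet("tcp", peer, 22, ME, 51000, "in", "bge0", syn=True, ack=True))
    out["http_out_syn"] = fw.evaluate(Packet("tcp", ME, 51001, peer, 80, "out", "bge0", syn=True))
    out["ssh_in_not_me"] = fw.evaluate(Packet("tcp", client, 50003, "10.0.0.2", 22, "in", "bge0", syn=True))
    return out


if __name__ == "__main__":
    for name, verdict in trace_posted_rules().items():
        print(f"{name:16s} -> {verdict}")
```

Two cases are worth comparing with real counters: `ssh_in_reply` is allowed by the dynamic entry that rule 430 created, which is why the SYN-ACK passes rule 280 even though 280's own body is outbound-only; and `ssh_in_not_me` falls through to 499 because `to me` matches only addresses configured on the host itself, so a SYN arriving for any other address is denied there. The model is a tracing aid, not a diagnosis of the thread's lockout.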