Date: Mon, 17 Apr 2006 17:20:27 -0700
From: Noah Silverman <noah@allresearch.com>
To: Paul Schmehl <pauls@utdallas.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW Problems
Message-ID: <C83C3E00-DD4E-4028-9CB7-C9A195D2EF75@allresearch.com>
In-Reply-To: <FB0C884BDA576B06FDF3EB1D@Paul-Schmehls-Computer.local>
References: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com> <FB0C884BDA576B06FDF3EB1D@Paul-Schmehls-Computer.local>

Hi,

I'm doing this over an SSH connection, so I can't see the console. If I do it wrong, I get locked out and have to initiate a remote reboot. Fun!

Thanks!

-N

On Apr 17, 2006, at 5:10 PM, Paul Schmehl wrote:

> --On April 17, 2006 2:29:23 PM -0700 Noah Silverman <noah@allresearch.com> wrote:
>>
>> I have a system with a 4.11 Kernel. Unless I'm doing something very
>> wrong, there seems to be something odd with ipfw.
>>
>> Take the following rules:
>>
>> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
>> ipfw add 00299 deny log all from any to any out via bge0
>> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
>> ipfw add 00499 deny log all from any to any in via bge0
>>
>> In theory, this should allow in SSH and nothing else.
>>
>> When I install this firewall configuration, I'm locked out of the box.
>> An inspection of the logs shows that rule 499 is being triggered by an
>> attempted incoming connection.
>>
> What does "ipfw show" reveal regarding connection stats?
>
> If you're at the console, can you ssh out to some other box?
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/
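As an added illustration (not part of the thread or of FreeBSD's ipfw), here is a small Python model of how ipfw's first-match evaluation treats the four rules Noah posted: `setup` matches only a SYN without ACK, the dynamic table is consulted at the first `keep-state`/`limit` rule, and `limit src-addr 2` caps new connections per source address. The host address, peer addresses and ports are constructed; the model ignores the interface and non-TCP traffic.

```python
# Constructed, simplified model of ipfw first-match evaluation for the thread's four rules.
# Only TCP is modelled; "via bge0" is assumed to hold for every packet.
ME = "10.0.0.5"  # constructed address standing in for the "me" keyword
RULES = [  # (number, action, direction, dst, dst-port, setup, stateful, limit per src-addr)
    (280, "allow", "out", "any", 22,   True,  True,  None),  # tcp any -> any 22 out setup keep-state
    (299, "deny",  "out", "any", None, False, False, None),  # all any -> any out
    (430, "allow", "in",  "me",  22,   True,  True,  2),     # tcp any -> me 22 in setup limit src-addr 2
    (499, "deny",  "in",  "any", None, False, False, None),  # all any -> any in
]
def pkt(src, sport, dst, dport, direction, syn=False, ack=False):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "syn": syn, "ack": ack}

class Ipfw:
    def __init__(self):
        self.dyn = {}  # flow key -> (creating rule number, source address)

    @staticmethod
    def key(p):  # a dynamic entry matches both directions of the flow
        return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

    def match(self, p):  # returns (rule number, verdict) of the deciding rule
        checked = False
        for num, action, direction, dst, dport, setup, stateful, limit in RULES:
            if stateful and not checked:  # implicit check-state at the first keep-state/limit rule
                checked = True
                if self.key(p) in self.dyn:
                    return self.dyn[self.key(p)][0], "allow"  # every stateful rule here is an allow
            if direction != p["dir"] or (dst == "me" and p["dst"] != ME):
                continue
            if (dport is not None and p["dport"] != dport) or (setup and not (p["syn"] and not p["ack"])):
                continue  # "setup" matches only SYN-without-ACK, the first packet of a connection
            if stateful:
                if limit is not None and sum(1 for n, s in self.dyn.values()
                                             if n == num and s == p["src"]) >= limit:
                    return num, "deny"  # limit exceeded: the new connection is dropped
                self.dyn[self.key(p)] = (num, p["src"])
            return num, action
        return 65535, "deny"  # default rule; never reached with these catch-all rules
def ssh_handshake(fw):
    """Fresh inbound SSH: the SYN hits 430 and the SYN-ACK reply rides the dynamic entry."""
    syn = pkt("192.0.2.10", 50000, ME, 22, "in", syn=True)
    synack = pkt(ME, 22, "192.0.2.10", 50000, "out", syn=True, ack=True)
    return fw.match(syn), fw.match(synack)
def no_state_inbound(fw):
    """Inbound packet with no dynamic entry and not a bare SYN: neither setup rule fits, 499 logs it."""
    return fw.match(pkt("192.0.2.11", 50001, ME, 22, "in", ack=True))
def limit_reached(fw):
    """limit src-addr 2: the third new connection from one address is dropped at 430."""
    return [fw.match(pkt("198.51.100.7", 40000 + i, ME, 22, "in", syn=True)) for i in range(3)]
```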