From owner-freebsd-questions@FreeBSD.ORG Tue Apr 18 00:20:24 2006
From: Noah Silverman <noah@allresearch.com>
Date: Mon, 17 Apr 2006 17:20:27 -0700
To: Paul Schmehl
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW Problems
References: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com>
List-Id: User questions

Hi,

I'm doing this over an SSH connection, so I can't see the console. If I do it wrong, I get locked out and have to initiate a remote reboot. Fun!

Thanks!

-N

On Apr 17, 2006, at 5:10 PM, Paul Schmehl wrote:

> --On April 17, 2006 2:29:23 PM -0700 Noah Silverman wrote:
>>
>> I have a system with a 4.11 Kernel.
>> Unless I'm doing something very wrong, there seems to be something odd with ipfw.
>>
>> Take the following rules:
>>
>> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
>> ipfw add 00299 deny log all from any to any out via bge0
>> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
>> ipfw add 00499 deny log all from any to any in via bge0
>>
>> In theory, this should allow in SSH and nothing else.
>>
>> When I install this firewall configuration, I'm locked out of the box.
>> An inspection of the logs shows that rule 499 is being triggered by an
>> attempted incoming connection.
>>
> What does "ipfw show" reveal regarding connection stats?
>
> If you're at the console, can you ssh out to some other box?
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/
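Added example, not part of the thread above and not Noah's or Paul's code: a small sh script for loading a stateful ipfw ruleset of the shape posted above over SSH without the lock-out-and-remote-reboot cycle the reply describes. The interface name bge0, the /tmp paths, the rule numbers 100 to 120 and the 120-second confirmation window are illustrative assumptions. Relative to the posted rules it adds an explicit check-state rule ahead of the deny rules (so where dynamic state is consulted is not left to the implicit check at the first keep-state rule), a pair of "established" rules on port 22 so that the SSH session used to load the rules, whose SYN was seen before the limit rule existed and which therefore has no dynamic state, is not dropped by rules 299 and 499, and a detached timer that flushes back to allow-all unless the ruleset is confirmed from a fresh login. lint_ruleset is the pre-load check a practitioner would want: it rejects any ruleset file that has no check-state rule ahead of its first deny, and it rejects the posted rules for exactly that reason.

```shell
#!/bin/sh
# Added example, not code from the thread. Loads a stateful ipfw ruleset over
# SSH with an automatic rollback so a mistake does not need a remote reboot.
# Assumptions (illustrative, not from the original post): interface bge0,
# /tmp paths, a 120-second confirmation window.
set -u

IFACE=${IFACE:-bge0}
RULESET=${RULESET:-/tmp/ipfw.rules}
CONFIRMED=${CONFIRMED:-/tmp/ipfw.confirmed}
ROLLBACK_PID=${ROLLBACK_PID:-/tmp/ipfw.rollback.pid}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}

# Write the ruleset as a script of ipfw commands. Compared with the posted
# rules it adds an explicit check-state ahead of the denies, and two
# 'established' rules on port 22 so the SSH session loading the ruleset
# (whose SYN predates the limit rule, so it has no dynamic state) survives
# rules 299 and 499. New SSH sessions are still created, and limited, by 430.
build_ruleset() {
    cat > "$RULESET" <<EOF
ipfw -f flush
ipfw add 00100 check-state
ipfw add 00110 allow tcp from any to me 22 in via $IFACE established
ipfw add 00120 allow tcp from me 22 to any out via $IFACE established
ipfw add 00280 allow tcp from any to any 22 out via $IFACE setup keep-state
ipfw add 00299 deny log all from any to any out via $IFACE
ipfw add 00430 allow log tcp from any to me 22 in via $IFACE setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via $IFACE
EOF
}

# Sanity check before loading: a check-state rule must exist and must come
# before the first deny, otherwise packets of tracked sessions can reach a
# deny rule before the point where dynamic state is consulted.
# Returns 0 if the ruleset file passes, 1 otherwise.
lint_ruleset() {
    awk '
        /check-state/ && !cs { cs = NR }
        / deny /      && !dn { dn = NR }
        END { exit (cs && (!dn || cs < dn)) ? 0 : 1 }
    ' "$1"
}

# Load the ruleset, but first start a detached timer that flushes back to
# allow-all unless confirm_ruleset runs within ROLLBACK_SECS. nohup keeps the
# timer alive if the SSH session that started it is cut off.
apply_with_rollback() {
    build_ruleset
    lint_ruleset "$RULESET" || { echo "ruleset failed lint, not loading" >&2; return 1; }
    rm -f "$CONFIRMED"
    nohup sh -c "sleep $ROLLBACK_SECS; [ -e '$CONFIRMED' ] || { ipfw -f flush; ipfw add 65000 allow ip from any to any; }" >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_PID"
    sh "$RULESET"
}

# Run this from a NEW ssh login, not from the session that loaded the rules:
# a fresh login is the real proof that rule 430 admits connections.
confirm_ruleset() {
    touch "$CONFIRMED"
    kill "$(cat "$ROLLBACK_PID")" 2>/dev/null || true
    rm -f "$ROLLBACK_PID"
}

case "${1:-}" in
    apply)   apply_with_rollback ;;
    confirm) confirm_ruleset ;;
    lint)    lint_ruleset "${2:-$RULESET}" && echo "ok" ;;
    *)       ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Usage: `sh ipfw-safe.sh apply` from the existing SSH session, then open a second SSH session within the window and run `sh ipfw-safe.sh confirm` there. If the second login never gets through, the timer flushes the rules and the first session comes back on its own instead of needing a remote reboot. `sh ipfw-safe.sh lint file` can also be pointed at any hand-written ruleset before it is loaded.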