From: Charles Swiger (cswiger@mac.com)
Date: Mon, 17 Apr 2006 18:29:13 -0400
To: Noah Silverman
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW Problems?
Message-Id: <3BE1F863-F59D-49EC-A9D4-AEF6D89C5ABD@mac.com>
In-Reply-To: <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com>
On Apr 17, 2006, at 5:29 PM, Noah Silverman wrote:

[ ...redirected to freebsd-questions... ]

> Take the following rules:
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being
> triggered by an attempted incoming connection.

You don't have a check-state rule anywhere, so you either need to add
one or a rule to pass established traffic to and from port 22.

> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2?? If so, how do I do
> that?

Add:

	options IPFW2

...to your kernel config file and rebuild the kernel (and world also,
probably).

--
-Chuck
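An added check, not part of the thread or of FreeBSD, that mechanically spots what Chuck points out: rules that create dynamic state (keep-state/limit) with no check-state anywhere, and deny rules that run before state is consulted. It parses the four rules quoted above (rule 280's wrapped keep-state rejoined), then the same set with a check-state rule in front; rule number 100 and the allow ... established variant are assumptions for illustration.

```python
import re

# Constructed sample: the four rules quoted in the thread, one per line.
ORIGINAL_RULES = """
ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via bge0
"""

# Same set with an explicit check-state ahead of the deny rules
# (rule number 100 is an assumption for illustration).
FIXED_RULES = "ipfw add 00100 check-state\n" + ORIGINAL_RULES

RULE_RE = re.compile(r"^\s*ipfw\s+(?:-q\s+)?add\s+(\d+)\s+(\S+)(.*)$")


def parse_rules(text):
    """Turn 'ipfw add <num> <action> <body>' lines into dicts, in evaluation order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "action": m.group(2),
                          "body": m.group(3).split(), "text": line.strip()})
    return sorted(rules, key=lambda r: r["num"])  # ipfw evaluates lowest number first


def lint_stateful(text):
    """Return findings for a ruleset that creates dynamic state but may never consult it."""
    rules = parse_rules(text)
    findings = []
    stateful = [r["num"] for r in rules if "keep-state" in r["body"] or "limit" in r["body"]]
    if not stateful:
        return findings
    # Rules that let the reply half of a session through: an explicit check-state,
    # or an allow rule matching established TCP traffic (Chuck's second option).
    passes = [r["num"] for r in rules
              if r["action"] == "check-state"
              or (r["action"] == "allow" and "established" in r["body"])]
    if not passes:
        findings.append("rules %s create dynamic state but no check-state or "
                        "allow ... established rule exists" % stateful)
    first_pass = min(passes) if passes else None
    for r in rules:
        if r["action"] == "deny" and (first_pass is None or r["num"] < first_pass):
            findings.append("deny rule %d runs before any state check: %s"
                            % (r["num"], r["text"]))
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, lint_stateful(text) or ["ok"])
```

Run it against a dumped ruleset (`ipfw list` output prefixed with `ipfw add`) before loading it on a remote box; the original set yields three findings, the fixed set none.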