From owner-freebsd-net@FreeBSD.ORG  Mon May 18 12:04:52 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B96BB10656BB
	for <freebsd-net@freebsd.org>; Mon, 18 May 2009 12:04:52 +0000 (UTC)
	(envelope-from sebastian.mellmann@net.t-labs.tu-berlin.de)
Received: from mail.net.t-labs.tu-berlin.de (mail.net.t-labs.tu-berlin.de
	[130.149.220.252])
	by mx1.freebsd.org (Postfix) with ESMTP id 74A288FC13
	for <freebsd-net@freebsd.org>; Mon, 18 May 2009 12:04:52 +0000 (UTC)
	(envelope-from sebastian.mellmann@net.t-labs.tu-berlin.de)
Received: from [130.149.220.166] (python.net.t-labs.tu-berlin.de
	[130.149.220.166])
	by mail.net.t-labs.tu-berlin.de (Postfix) with ESMTP id 6CB93702501A
	for <freebsd-net@freebsd.org>; Mon, 18 May 2009 14:04:51 +0200 (CEST)
From: Sebastian Mellmann <sebastian.mellmann@net.t-labs.tu-berlin.de>
To: freebsd-net@freebsd.org
Content-Type: text/plain
Date: Mon, 18 May 2009 14:04:50 +0200
Message-Id: <1242648290.31782.9.camel@python.net.t-labs.tu-berlin.de>
Mime-Version: 1.0
X-Mailer: Evolution 2.22.3.1 
Content-Transfer-Encoding: 7bit
Subject: ipfw firewall_type 'OPEN'
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2009 12:04:57 -0000

Hi everyone!

I've set the following parameters in rc.conf:

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"

When I took a look at the ruleset I see:

00010 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any


The problem is, if I execute my own ipfw script and flush the rules via
'ipfw -q -f flush'
and
'ipfw -q -f pipe flush'
I'm loosing my ssh connection to that machine.
Is there any chance to remove the rule 65535 or change it to allow
instead of deny?

I've got another FreeBSD machine here (7.0) where the default setting is
'65535 allow ip from any to any', when using firwall_type OPEN.
Both rc.conf files are the same!


Regards,
Sebastian