From: Marius Nünnerich
To: Sebastian Mellmann
Cc: freebsd-net@freebsd.org
Date: Mon, 18 May 2009 14:13:49 +0200
Subject: Re: ipfw firewall_type 'OPEN'
In-Reply-To: <1242648290.31782.9.camel@python.net.t-labs.tu-berlin.de>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, May 18, 2009 at 14:04, Sebastian Mellmann wrote:
> Hi everyone!
>
> I've set the following parameters in rc.conf:
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> firewall_logging="YES"
>
> When I took a look at the ruleset I see:
>
> 00010 allow ip from any to any via lo0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> The problem is, if I execute my own ipfw script and flush the rules via
> 'ipfw -q -f flush'
> and
> 'ipfw -q -f pipe flush'
> I'm losing my ssh connection to that machine.
> Is there any chance to remove the rule 65535 or change it to allow
> instead of deny?
>
> I've got another FreeBSD machine here (7.0) where the default setting is
> '65535 allow ip from any to any', when using firewall_type OPEN.
> Both rc.conf files are the same!

There is a kernel option to do that, see ipfw(4).
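The reply points at the kernel option (IPFW_DEFAULT_TO_ACCEPT, documented in ipfw(4)) that compiles rule 65535 as allow instead of deny. The other way to keep an SSH session alive during a reload, without opening the box by default, is to never run a global flush at all: stage the new rules in a disabled rule set and swap it in with one command. The script below is an added example written for this thread, not code from either poster or from FreeBSD; it relies on the rule-set operations ipfw(8) provides (set disable, set swap, delete set, with set 31 holding the immutable default rule). The names IPFW, LIVE_SET, STAGE_SET, the rule file format of plain "add [number] action ..." lines, the script name reload-ipfw.sh and the path /etc/ipfw.rules are all assumptions for the example. default_rule_action parses the rule listing from the question and reports what a flush would leave behind.

```shell
#!/bin/sh
# Added example, not code from the thread: reload an ipfw(8) ruleset over SSH
# without the window in which only the compiled-in default rule 65535 is live.
# Assumes FreeBSD ipfw(8) rule sets (set 31 holds the immutable default rule,
# sets 0-30 can be enabled, disabled and swapped) and a rule file of plain
# "add [number] action ..." lines, one per line, without set numbers.
set -u

IPFW="${IPFW:-ipfw}"   # hypothetical override: IPFW=echo gives a dry run
LIVE_SET=0             # set the rules currently passing traffic live in
STAGE_SET=1            # scratch set the new rules are staged into

# Report the action ("allow" or "deny") of rule 65535 in "ipfw list" output.
# That rule is the only one that survives "ipfw -f flush"; when it is "deny",
# a flush issued from an SSH session cuts the session off until rules return.
default_rule_action() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $2; exit }'
}

# Print, one per line, the ipfw commands that stage and swap in the ruleset
# in $1.  New rules go into STAGE_SET while it is disabled, so LIVE_SET keeps
# passing traffic until "set swap" makes the new rules live in one step; the
# old rules are then deleted by set number, never with a global flush.
build_reload_plan() {
    rulefile="$1"
    printf '%s\n' "$IPFW -q set disable $STAGE_SET"
    printf '%s\n' "$IPFW -q delete set $STAGE_SET"
    # rewrite "add [number] action ..." as "add [number] set N action ..."
    awk -v ipfw="$IPFW" -v stage="$STAGE_SET" '
        $1 == "add" {
            num = ""
            if ($2 ~ /^[0-9]+$/) { num = $2 " "; $2 = "" }
            $1 = ""
            sub(/^ +/, "")
            print ipfw " -q add " num "set " stage " " $0
        }' "$rulefile"
    printf '%s\n' "$IPFW -q set swap $LIVE_SET $STAGE_SET"
    printf '%s\n' "$IPFW -q delete set $STAGE_SET"
}

# Execute the plan line by line, stopping at the first failing command so a
# syntax error in the rule file never leaves the live set half replaced.
apply_reload_plan() {
    build_reload_plan "$1" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Usage: sh reload-ipfw.sh /etc/ipfw.rules   (run it under nohup or "sh -c" so
# a dropped SSH session cannot SIGHUP the script between the swap and the delete)
if [ $# -gt 0 ]; then
    apply_reload_plan "$1"
fi
```

Run with IPFW=echo first to see the exact command sequence. Because set 1 is disabled before any rule is added to it, a typo in the rule file is rejected by ipfw while the old set is still passing traffic, and the swap itself is a single kernel operation, so there is no moment at which rule 65535 is the only rule consulted.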