From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: Noah Silverman, freebsd-security@freebsd.org
Date: Mon, 17 Apr 2006 17:45:28 -0700 (PDT)
Subject: Re: IPFW Problems?
Message-ID: <20060418004528.84183.qmail@web30314.mail.mud.yahoo.com>
In-Reply-To: <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com>
--- Noah Silverman wrote:
> Take the following rules:
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
I think rule 430 needs a keep-state, because you do not have a rule that allows outgoing ssh packets for established tcp connections. In addition to the before-mentioned "check-state" in the beginning you would need a "keep-state" in rule 430...

> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being
> triggered by an attempted incoming connection.
>
Hmm... That's strange... What about rule 299? There should be something about rule 299 in the logs... Maybe I am wrong...

-Arne
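A quick way to settle the question Arne raises about rule 299 from the logs, added here as an example that is not part of the thread: it tallies ipfw "Deny" lines by rule number and direction, so you can see whether the outbound deny (299) or the inbound deny (499) is the one dropping the packets. The log lines inside the script are constructed sample data in the /var/log/security syslog format of that era; the host name gw and the addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample of ipfw log lines
# as syslog wrote them to /var/log/security; on a real box, feed that file
# to the functions below instead (e.g. deny_summary < /var/log/security).
SAMPLE_LOG=$(cat <<'EOF'
Apr 17 17:40:01 gw kernel: ipfw: 430 Accept TCP 198.51.100.7:51234 192.0.2.10:22 in via bge0
Apr 17 17:40:01 gw kernel: ipfw: 299 Deny TCP 192.0.2.10:22 198.51.100.7:51234 out via bge0
Apr 17 17:40:04 gw kernel: ipfw: 499 Deny TCP 198.51.100.7:51234 192.0.2.10:22 in via bge0
Apr 17 17:40:07 gw kernel: ipfw: 499 Deny TCP 198.51.100.7:51234 192.0.2.10:22 in via bge0
Apr 17 17:40:09 gw kernel: ipfw: 499 Deny UDP 203.0.113.9:53 192.0.2.10:40000 in via bge0
EOF
)

# deny_count RULE DIR: number of "Deny" lines on stdin logged by RULE
# (e.g. 499) for packets travelling DIR ("in" or "out").
deny_count() {
    awk -v rule="$1" -v dir="$2" '
        $0 ~ ("ipfw: " rule " Deny ") {
            # the direction is the word just before "via <iface>"
            for (i = 2; i <= NF; i++) if ($i == "via" && $(i-1) == dir) { n++; break }
        }
        END { print n + 0 }'
}

# deny_summary: one "<rule> <dir> <count>" line per (rule, direction) pair
# seen on stdin, lowest rule number first.
deny_summary() {
    awk '
        / ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") r = $(i+1)
            for (i = 2; i <= NF; i++) if ($i == "via") d = $(i-1)
            c[r " " d]++
        }
        END { for (k in c) print k, c[k] }' | sort -n
}

# Stand-alone run: show the tally for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_summary
```

If the tally shows denies from 299 on "out" packets whose source port is 22, the box's own ssh replies are what is being dropped; denies only from 499 point at the inbound side instead.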