From owner-freebsd-net@FreeBSD.ORG  Mon May 18 13:15:17 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 22C3E1065672
	for <freebsd-net@freebsd.org>; Mon, 18 May 2009 13:15:17 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id CD54C8FC0A
	for <freebsd-net@freebsd.org>; Mon, 18 May 2009 13:15:16 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru;
	h=Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender;
	b=fSc0+kSRP0Nll4D6DDW94liOCuo38YxjV+Iw9N0EBu7Ixs+o4u2JlVGsQBnwnXL7/dfwFpZpv5/6nVPBVq6t1ixdPGFJrNdLGrMSs+E32fFeAwSkEddzp9K3MtTQReJEJMCbrspeUDEgRaVlPEir755uhorr1TEau5MI7iGU5fs=;
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25])
	by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256)
	id 1M62gV-000MCh-OZ; Mon, 18 May 2009 17:15:15 +0400
Date: Mon, 18 May 2009 17:15:13 +0400
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Sebastian Mellmann <sebastian.mellmann@net.t-labs.tu-berlin.de>
Message-ID: <P0PYXMVI6cdF9pdhQebsVbVmAjI@cgr/Aoyjz11KtFDB23HMnFSn04s>
References: <1242648290.31782.9.camel@python.net.t-labs.tu-berlin.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1242648290.31782.9.camel@python.net.t-labs.tu-berlin.de>
Sender: rea-fbsd@codelabs.ru
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw firewall_type 'OPEN'
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: rea-fbsd@codelabs.ru
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2009 13:15:17 -0000

Sebastian,

Mon, May 18, 2009 at 02:04:50PM +0200, Sebastian Mellmann wrote:
> 00010 allow ip from any to any via lo0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> 
> The problem is, if I execute my own ipfw script and flush the rules via
> 'ipfw -q -f flush'
> and
> 'ipfw -q -f pipe flush'
> I'm loosing my ssh connection to that machine.
> Is there any chance to remove the rule 65535 or change it to allow
> instead of deny?

Yes, insert
-----
options		IPFIREWALL_DEFAULT_TO_ACCEPT
-----
to your kernel configuration, rebuild, install and use new kernel.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #