Date:      Fri, 22 Jun 2001 15:52:02 -0400 (EDT)
From:      "Michael Richards" <michael@fastmail.ca>
To:        rsimmons@wlcg.com
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Letting scp through a firewall using ipfilter
Message-ID:  <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>



> Are you keeping state on the connection?

Yes, this was the problem with the ssh, but I'm concerned about the 
rules to solve the problem I came up with. Here are the rules:

pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
block in log quick on xl1 proto tcp from any to 216.1.2.3/28

As you can see this machine is only allowed to accept connections on 
ssh, http and https. Everything else from the outside should be 
logged and discarded.

The trouble here is that I don't need to keep state on anything but 
outgoing connections. For example, if I want to wget or ftp a file in 
or anything like that. I don't want to keep state on the web 
connections as it will probably unnecessarily load the firewall and 
not accomplish anything since those connections are permitted.

Have I done this correctly or botched it?

-Michael
_________________________________________________________________
     http://fastmail.ca/ - Fast Free Web Email for Canadians
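As an added illustration (not part of the thread), the following Python model runs constructed traffic through the five rules quoted above. It assumes a single host address standing in for the 216.1.2.3/28 block and reduces ipfilter to three behaviours: the state table is consulted before the rule list, `quick` stops at the first match, and `keep state` without a `flags S` qualifier creates an entry for any matching TCP packet.

```python
from collections import namedtuple

# A TCP packet as seen on xl1: direction is "in" or "out".
Pkt = namedtuple("Pkt", "direction src sport dst dport")

LOCAL = "216.1.2.3"          # stands in for the 216.1.2.3/28 block in the rules
ALLOWED_IN = {22, 80, 443}   # the three 'pass in quick ... port =' rules

def evaluate(packets):
    """Run packets, in order, through a model of the ruleset in the post.

    Models three ipfilter behaviours: the state table is checked before the
    rule list, 'quick' stops at the first matching rule, and 'keep state'
    without 'flags S' creates an entry for any matching TCP packet.
    Returns (decision per packet, lines the block rule would log).
    """
    state, decisions, log = set(), [], []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in state or rev in state:
            decisions.append("pass (state)")           # part of a known session
        elif p.direction == "out" and p.src == LOCAL:
            state.add(fwd)                             # pass out quick ... keep state
            decisions.append("pass (out)")
        elif p.direction == "in" and p.dst == LOCAL and p.dport in ALLOWED_IN:
            decisions.append("pass (in)")              # pass in quick ... port = 22/80/443
        elif p.direction == "in" and p.dst == LOCAL:
            log.append(f"block {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            decisions.append("block+log")              # block in log quick ...
        else:
            decisions.append("no match")               # not covered by these rules
    return decisions, log

# Constructed traffic: an outgoing wget, an inbound ssh session, an inbound probe.
SAMPLE = [
    Pkt("out", LOCAL, 40001, "198.51.100.7", 80),    # wget SYN to a remote web server
    Pkt("in", "198.51.100.7", 80, LOCAL, 40001),     # its SYN/ACK: only state lets this in
    Pkt("in", "203.0.113.9", 51234, LOCAL, 22),      # ssh SYN from outside
    Pkt("out", LOCAL, 22, "203.0.113.9", 51234),     # server's SYN/ACK also creates state
    Pkt("in", "203.0.113.9", 51234, LOCAL, 22),      # rest of the ssh session rides on state
    Pkt("in", "203.0.113.9", 52000, LOCAL, 25),      # probe to smtp: blocked and logged
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE, evaluate(SAMPLE)[0]):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {d}")
```

The second packet shows why the outbound `keep state` was needed for the ssh and wget cases: without the entry it is just an inbound packet to a high port and hits the block rule. The fourth and fifth packets show that, as written, the outbound rule also creates state for the server's own replies, so the accepted inbound sessions end up in the state table too.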