Date: Fri, 22 Jun 2001 15:52:02 -0400 (EDT) From: "Michael Richards" <michael@fastmail.ca> To: rsimmons@wlcg.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: Letting scp through a firewall using ipfilter Message-ID: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>
> Are you keeping state on the connection?

Yes, this was the problem with the ssh, but I'm concerned about the rules I came up with to solve the problem. Here are the rules:

  pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
  pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
  pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
  pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
  block in log quick on xl1 proto tcp from any to 216.1.2.3/28

As you can see, this machine is only allowed to accept connections on ssh, http and https. Everything else from the outside should be logged and discarded.

The trouble here is that I don't need to keep state on anything but outgoing connections, for example if I want to wget or ftp a file in or anything like that. I don't want to keep state on the web connections, as it will probably unnecessarily load the firewall and not accomplish anything since those connections are permitted.

Have I done this correctly or botched it?

-Michael
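A toy model of how ipfilter evaluates the five rules posted above, added here as an example and not part of the original message: every rule is `quick` (first match decides), the state table is consulted before any rule, and, as ipf does when `keep state` is used without `flags S`, any matching TCP packet on the keep-state rule creates state, not only a SYN. The addresses 216.1.2.5, 1.2.3.4 and 5.6.7.8 are constructed sample values, and only TCP is modelled because the posted rules cover only `proto tcp`.

```python
"""Toy first-match model of the posted ipfilter ruleset (constructed example).

Assumptions: 'quick' rules, a state table checked before the rules, TCP only,
state created by any packet matching a 'keep state' rule (no 'flags S'),
and ipf's default of passing a packet that matches no rule.
"""
import ipaddress

NET = ipaddress.ip_network("216.1.2.3/28", strict=False)  # 216.1.2.0/28

# (action, direction on xl1, match function, keep state) in posted order
RULES = [
    ("pass",  "out", lambda p: p.src in NET,                    True),
    ("pass",  "in",  lambda p: p.dst in NET and p.dport == 22,  False),
    ("pass",  "in",  lambda p: p.dst in NET and p.dport == 80,  False),
    ("pass",  "in",  lambda p: p.dst in NET and p.dport == 443, False),
    ("block", "in",  lambda p: p.dst in NET,                    False),
]


class Pkt:
    """One TCP packet seen on xl1; direction is 'in' or 'out'."""
    def __init__(self, direction, src, sport, dst, dport):
        self.direction = direction
        self.src, self.dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        self.sport, self.dport = sport, dport

    def flow(self):
        # State is keyed on the unordered endpoint pair, so the reply
        # packets of a tracked connection hit the same entry.
        return frozenset([(self.src, self.sport), (self.dst, self.dport)])


class Firewall:
    def __init__(self):
        self.state = set()

    def filter(self, p):
        if p.flow() in self.state:            # state table wins before rules
            return "pass(state)"
        for action, direction, match, keep in RULES:
            if direction == p.direction and match(p):
                if action == "pass" and keep:
                    self.state.add(p.flow())  # 'keep state' on this rule
                return action                 # 'quick': first match decides
        return "pass(default)"                # nothing matched: ipf passes
```

Running the model shows the effect the poster is asking about: the inbound ssh SYN is passed by a stateless rule, but the server's reply leaves via the `pass out ... keep state` rule and creates a state entry anyway, so inbound sessions end up tracked too.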