Date: Fri, 22 Jun 2001 15:52:02 -0400 (EDT) From: "Michael Richards" <michael@fastmail.ca> To: rsimmons@wlcg.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: Letting scp through a firewall using ipfilter Message-ID: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>
next in thread | raw e-mail | index | archive | help
--------------Boundary-00=_QIKCM80S4VAOO49D7TH0
Content-Type: Text/Plain
Content-Transfer-Encoding: 7bit
> Are you keeping state on the connection?
Yes, this was the problem with the ssh, but I'm concerned about the
rules to solve the problem I came up with. Here are the rules:
pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep
state
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
block in log quick on xl1 proto tcp from any to 216.1.2.3/28
As you can see this machine is only allowed to accept connections on
ssh, http and https. Everything else from the outside should be
logged and discarded.
The trouble here is that I don't need to keep state on anything but
outgoing connections. For example, if I want to wget or ftp a file in
or anything like that. I don't want to keep state on the web
connections as it will probably unnecessarily load the firewall and
not accomplish anything since those connections are permitted.
Have I done this correctly or botched it?
-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians
--------------Boundary-00=_QIKCM80S4VAOO49D7TH0--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B33A1E2.0001E7.78308>