Date:      Wed, 17 Jul 2002 13:03:00 +1000
From:      Mark.Andrews@isc.org
To:        Michael Sharp <freebsd@ec.rr.com>
Cc:        freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: Dynamic Rules with IPFW 
Message-ID:  <200207170303.g6H330Je077763@drugs.dv.isc.org>
In-Reply-To: Your message of "Tue, 16 Jul 2002 21:42:48 -0400." <20020716214248.3fef4af2.freebsd@ec.rr.com> 


> I use Dynamic rulesets with IPFW:
> 
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
> 
> But I also have services I need anyone on the net to get to, without me making
> a connection first from " my-net ". I allow such services with:
> 
> allow tcp from any to my-net 25,80,443 setup in via xl0 keep-state
> 
> This works fine for 25,80, and 443. However, when I apply the same rule for SSH,
> and log in to my box remotely, about 10 minutes later, the connection just dies,
> and it dies with every connection. Removing the keep-state option for ssh
> effectively closes 22 obviously.  Would check-state be a better option here?
> 
> Michael
> 

	smtp, http and https are short lived connections with very
	little idle time.

	ssh is a long lived connection with large amounts of idle
	time.  You need to have the dynamic lifetime exceed the
	keep alive timer or allow established ssh connections to
	continue to exist.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
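
An added illustration of Mark's two options, not part of the thread: ipfw drops a dynamic rule for an established TCP flow after `net.inet.ip.fw.dyn_ack_lifetime` seconds of silence (stock default 300), so an idle ssh session survives only if keep-alives arrive more often than that, or if established ssh traffic is passed without relying on the dynamic rule. The helpers below check the first condition against an sshd_config and emit a ruleset for the second; "xl0", "my-net" and the sshd_config contents are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Sysctl and sshd_config
# names are the real FreeBSD/OpenSSH ones; interface and network are samples.

# Parse ClientAliveInterval from an sshd_config (0 = sshd sends no keep-alives).
client_alive_interval() {
    awk 'tolower($1) == "clientaliveinterval" { v = $2 }
         END { print (v == "" ? 0 : v) }' "$1"
}

# True (exit 0) when keep-alives are sent more often than the dynamic rule
# expires, i.e. the idle ssh session keeps refreshing its ipfw state entry.
keepalive_covers_lifetime() {
    lifetime=$1; interval=$2
    [ "$interval" -gt 0 ] && [ "$interval" -lt "$lifetime" ]
}

# Option 1: raise the dynamic lifetime above the keep-alive interval.
lifetime_sysctl() {
    echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=$1"
}

# Option 2: let established ssh traffic through in both directions, ahead of
# the generic deny, so an expired dynamic rule no longer cuts the session.
# Caveat: unlike the dynamic rule, this passes any ACK-flagged packet to/from
# port 22, so prefer option 1 where the wider match is a concern.
ruleset() {
    cat <<EOF
ipfw add check-state
ipfw add allow tcp from any to my-net 22 established in via xl0
ipfw add allow tcp from my-net 22 to any established out via xl0
ipfw add deny tcp from any to any established
ipfw add allow tcp from my-net to any setup keep-state
ipfw add allow tcp from any to my-net 22,25,80,443 setup in via xl0 keep-state
EOF
}

# Constructed sample sshd_config: keep-alive every 60 s beats a 300 s lifetime.
SSHD_CFG=$(mktemp)
printf 'Port 22\nClientAliveInterval 60\n' > "$SSHD_CFG"
if keepalive_covers_lifetime 300 "$(client_alive_interval "$SSHD_CFG")"; then
    echo "keep-alive interval is below dyn_ack_lifetime; session will persist"
else
    echo "session will idle out; apply one of:"; lifetime_sysctl 3600; ruleset
fi
rm -f "$SSHD_CFG"
```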

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message