Date: Wed, 19 Apr 2006 17:28:20 -0700
From: Drew Tomlinson <drew@mykitchentable.net>
To: Noah Silverman <noah@allresearch.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW Problems
Message-ID: <4446D5A4.8030502@mykitchentable.net>
In-Reply-To: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com>
References: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com>
On 4/17/2006 2:29 PM Noah Silverman wrote:
> Hi,
>
> I have a system with a 4.11 Kernel. Unless I'm doing something very
> wrong, there seems to be something odd with ipfw.
>
> Take the following rules:

I assume above this you have "ipfw add check-state" defined? This is the rule that's required to get ipfw to check its dynamic rule set. Without it, "keep-state" rules will never work.

> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> src-addr 2

I think this line is your problem. "setup" matches the initial packet with the syn flag set. However since you have not added "keep-state", no rule gets added to the dynamic rule set for this connection. Subsequent packets don't match because "syn" is not set. Thus they hit rule 499 and are denied.

> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being triggered
> by an attempted incoming connection.
>
> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2?? If so, how do I do that.

Add 'ipfw2=TRUE' to /etc/make.conf. Then the next time you build world and kernel, you'll have ipfw2. There's probably a way to just recompile the ipfw part but I've always just done the whole thing.

HTH,

Drew

-- 
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books, & More!
http://www.alchemistswarehouse.com
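The ruleset from the thread written out as a loadable script, with the "ipfw add check-state" rule Drew asks about placed ahead of the keep-state and limit rules. This is an added example, not code from either poster; the IPFW and IF variables, the rule number 00100 for check-state, and the dry-run default (printing the commands instead of loading them) are assumptions made here so the script can be reviewed before it is applied.

```sh
#!/bin/sh
# Added example (not from the original thread): Noah's ruleset with an
# explicit check-state rule in front of the dynamic-rule entries.
#
# IPFW defaults to "echo" so running the script only prints the commands;
# set IPFW=ipfw to load them for real.  IF is the interface from the thread.
IPFW="${IPFW:-echo}"
IF="${IF:-bge0}"

ipfw_ruleset() {
    # Dynamic entries created by keep-state / limit are matched here, before
    # any of the static rules below are consulted.
    $IPFW add 00100 check-state
    # Outbound SSH: the initial SYN creates a dynamic entry for the session.
    $IPFW add 00280 allow tcp from any to any 22 out via "$IF" setup keep-state
    $IPFW add 00299 deny log all from any to any out via "$IF"
    # Inbound SSH: "limit src-addr 2" caps simultaneous sessions per source.
    $IPFW add 00430 allow log tcp from any to me 22 in via "$IF" setup limit src-addr 2
    $IPFW add 00499 deny log all from any to any in via "$IF"
}

# Returns 0 when the generated ruleset starts with check-state, 1 otherwise.
# Useful as a pre-flight check before loading a ruleset that denies by default.
check_state_first() {
    first=$(ipfw_ruleset | sed -n 1p)
    case "$first" in
        *check-state*) return 0 ;;
        *) return 1 ;;
    esac
}

ipfw_ruleset
```

Run it once with the default dry run to read the rules, then with IPFW=ipfw from console access rather than over the SSH session being filtered, since rule 499 denies everything the earlier rules do not admit.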