Date:      Thu, 20 Dec 2007 12:50:16 -0500 (EST)
From:      "Matt Piechota" <piechota@argolis.org>
To:        "W. D." <WD@US-Webmasters.com>
Cc:        freebsd-security@freebsd.org, Tuomo Latto <djv@iki.fi>
Subject:   Re: IPFW: Blocking me out.  How to debug?
Message-ID:  <18704.192.35.35.35.1198173016.squirrel@webmail.argolis.org>
In-Reply-To: <20071220063926.4B2D113C457@mx1.freebsd.org>
References:  <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org> <47664621.50909@iki.fi> <20071220063926.4B2D113C457@mx1.freebsd.org>


On Thu, December 20, 2007 1:39 am, W. D. wrote:

I'm no expert on firewalls, so take this with a grain of salt.

>>>         # Loopback:
>>>         # Allow anything on the local loopback:
>>>         add allow all from any to any via lo0
>>>         add deny ip from any to 127.0.0.0/8
>>>         add deny ip from 127.0.0.0/8 to any
>>Nope.
>>>         # Allow established connections:
>>>         add allow tcp from any to any established
>>Nope.
>>>         # Deny fragmented packets:
>>>         add deny ip from any to any frag


Perhaps this is the issue?  I would think that if an IP fragment comes in,
it's specifically *not* an established TCP connection (yet), so it would
be blocked by this rule.  No IP fragments means they don't have a chance
to be reassembled into an actual packet.

All the profiles in rc.firewall specifically allow ip frags, so I'd think
they're required.

> Could anyone please throw this tired dog a bone?

Fetch! :)

-- 
Matt Piechota
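To make the reasoning above concrete, here is an added example (not part of the original thread, and not FreeBSD's rc.firewall or ipfw code) that simulates ipfw's first-match evaluation over the five quoted rules. It models only what the rules on this page check: the interface, 127.0.0.0/8 source/destination, the TCP `established` option (ACK or RST set, which requires a TCP header), and `frag` (a non-first fragment, which carries no TCP header). The interface name `em0`, the packet values and the assumption that the unlisted remainder of the ruleset falls through to the stock default rule 65535 (`deny`) are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the quoted rules look at."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    iface: str = "em0"              # assumed interface name for the uplink
    frag_offset: int = 0            # > 0 means a non-first IP fragment
    tcp_flags: frozenset = frozenset()

    def has_l4_header(self) -> bool:
        # Non-first fragments carry no TCP/UDP header, so ipfw options that
        # look into that header (ports, flags, "established") cannot match.
        return self.frag_offset == 0


# (action, rule text as it would appear in the ruleset, matcher)
Rule = Tuple[str, str, Callable[[Packet], bool]]

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def in_net(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def established(p: Packet) -> bool:
    # ipfw "established": TCP packets with the RST or ACK bit set.
    return (p.proto == "tcp" and p.has_l4_header()
            and bool(p.tcp_flags & {"ACK", "RST"}))


def quoted_rules(frag_action: str = "deny") -> List[Rule]:
    """The five rules quoted in the mail, in order. frag_action lets the
    caller compare the poster's 'deny ... frag' with rc.firewall's 'allow'."""
    return [
        ("allow", "allow all from any to any via lo0", lambda p: p.iface == "lo0"),
        ("deny", "deny ip from any to 127.0.0.0/8", lambda p: in_net(p.dst, LOOPBACK_NET)),
        ("deny", "deny ip from 127.0.0.0/8 to any", lambda p: in_net(p.src, LOOPBACK_NET)),
        ("allow", "allow tcp from any to any established", established),
        (frag_action, f"{frag_action} ip from any to any frag", lambda p: p.frag_offset > 0),
    ]


def evaluate(p: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched here hits the default
    rule, assumed to be the stock 'deny' (rule 65535)."""
    for action, text, matches in rules:
        if matches(p):
            return action, text
    return "deny", "65535 deny ip from any to any (default rule)"


# Constructed scenarios.
FRAG_OF_ESTABLISHED_FLOW = Packet("203.0.113.9", "192.0.2.10", "tcp", frag_offset=185)
ACK_SEGMENT = Packet("203.0.113.9", "192.0.2.10", "tcp", tcp_flags=frozenset({"ACK"}))
LOOPBACK_PACKET = Packet("127.0.0.1", "127.0.0.1", "tcp", iface="lo0", tcp_flags=frozenset({"SYN"}))
SPOOFED_LOOPBACK = Packet("127.0.0.1", "192.0.2.10", "udp")   # 127/8 source on the uplink


if __name__ == "__main__":
    for label, pkt in [("non-first fragment", FRAG_OF_ESTABLISHED_FLOW),
                       ("plain ACK segment", ACK_SEGMENT),
                       ("lo0 traffic", LOOPBACK_PACKET),
                       ("spoofed 127/8 source", SPOOFED_LOOPBACK)]:
        print(f"{label:22s} deny-frag ruleset -> {evaluate(pkt, quoted_rules('deny'))}")
    print(f"{'non-first fragment':22s} allow-frag ruleset -> "
          f"{evaluate(FRAG_OF_ESTABLISHED_FLOW, quoted_rules('allow'))}")
```

The point the simulation makes is the one in the mail: a non-first fragment of a TCP segment never reaches the `established` rule's TCP check, because there is no TCP header to check, so the only rule it can match is the `frag` rule, and with `deny` there the fragment is dropped before the stack can reassemble it. Swapping that one action to `allow` lets the fragment through to reassembly, which is the behaviour the rc.firewall profiles choose.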



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?18704.192.35.35.35.1198173016.squirrel>