From owner-freebsd-questions@FreeBSD.ORG Thu Apr 6 02:50:40 2006
From: Dennis Olvany <dennisolvany@gmail.com>
Date: Wed, 05 Apr 2006 21:50:19 -0500
To: "Anthony M. Agelastos"
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw and ssh
Message-ID: <443481EB.8070106@gmail.com>
In-Reply-To: <7DF2083F-A039-495E-8FAC-E6C9D8AA6391@gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

> # Allow person SSH access
> mip="xxx.xxx.xxx.xxx"
> ${fwcmd} allow tcp from any to any 22 out setup keep-state

I see two reasons that egress sshd traffic will not match the above rule. The destination port is incorrect, and a SYN/ACK will not match.

> ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
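The two reasons given in the reply, worked through as an added example that is not part of the list thread and is not ipfw's own code: a small Python model of ipfw's first-match evaluation with the `setup`, `keep-state` and `limit src-addr` options, run over a constructed SSH handshake. The host address 192.0.2.10 (`me`), the client address 198.51.100.7 (standing in for `${mip}`), the port numbers, and the `Packet`, `Rule`, `Firewall`, `failing_conditions` and `run` names are all assumptions of the example.

```python
"""Toy model of the ipfw(8) options used in the thread (direction, ports,
'setup', 'keep-state', 'limit src-addr N'). Added illustration, not code from
the thread or from ipfw; all addresses and ports are constructed values."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SERVER = "192.0.2.10"    # constructed: the firewall host, i.e. 'me'
CLIENT = "198.51.100.7"  # constructed: the trusted ${mip}
ME = {SERVER}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out", relative to the firewall host
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny" or "check-state"
    src: str = "any"                 # "any", "me" or a literal address
    dst: str = "any"
    dport: Optional[int] = None      # destination port, None = any
    direction: Optional[str] = None  # "in", "out" or None = both
    setup: bool = False              # match only SYN set and ACK clear
    keep_state: bool = False         # create a dynamic rule on match
    limit_src: Optional[int] = None  # 'limit src-addr N'

def addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or (pattern == "me" and addr in ME) or pattern == addr

def failing_conditions(rule: Rule, pkt: Packet) -> List[str]:
    """Parts of the static rule body that reject pkt (empty list = match)."""
    failed = []
    if rule.direction and rule.direction != pkt.direction:
        failed.append("direction")
    if not addr_matches(rule.src, pkt.src):
        failed.append("src")
    if not addr_matches(rule.dst, pkt.dst):
        failed.append("dst")
    if rule.dport is not None and pkt.dport != rule.dport:
        failed.append("dport")
    if rule.setup and not (pkt.syn and not pkt.ack):
        failed.append("setup")
    return failed

def flow_key(pkt: Packet) -> FrozenSet[Tuple[str, int]]:
    # A dynamic rule matches both directions of a flow, so the key is unordered.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        # flow key -> (index of the rule that created the entry, initiating src)
        self.dynamic: Dict[FrozenSet[Tuple[str, int]], Tuple[int, str]] = {}

    def check(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First-match evaluation; returns (action, index of the matching rule)."""
        key = flow_key(pkt)
        for i, rule in enumerate(self.rules):
            stateful = rule.keep_state or rule.limit_src is not None
            # The dynamic ruleset is consulted at an explicit check-state rule or
            # at the first keep-state/limit rule; a hit runs the creating rule's action.
            if (rule.action == "check-state" or stateful) and key in self.dynamic:
                parent, _ = self.dynamic[key]
                return self.rules[parent].action, parent
            if rule.action == "check-state" or failing_conditions(rule, pkt):
                continue
            if rule.limit_src is not None:
                live = sum(1 for _, src in self.dynamic.values() if src == pkt.src)
                if live >= rule.limit_src:
                    return "deny", i  # limit reached: the packet is dropped
            if stateful:
                self.dynamic[key] = (i, pkt.src)
            return rule.action, i
        return "deny", None  # implicit default rule: deny

def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Feed packets through a fresh ruleset in order; return the actions taken."""
    fw = Firewall(rules)
    return [fw.check(p)[0] for p in packets]

# The rule as posted:      allow tcp from any to any 22 out setup keep-state
POSTED = [Rule("allow", dport=22, direction="out", setup=True, keep_state=True)]
# The second quoted rule:  pass tcp from ${mip} to me 22 setup limit src-addr 2
SECOND = [Rule("allow", src=CLIENT, dst="me", dport=22, setup=True, limit_src=2)]

# One SSH handshake against sshd on this host, as the firewall sees it.
syn_in = Packet(CLIENT, 40000, SERVER, 22, "in", syn=True)
synack_out = Packet(SERVER, 22, CLIENT, 40000, "out", syn=True, ack=True)
ack_in = Packet(CLIENT, 40000, SERVER, 22, "in", ack=True)

if __name__ == "__main__":
    print(failing_conditions(POSTED[0], synack_out))     # ['dport', 'setup']
    print(run(POSTED, [syn_in, synack_out, ack_in]))     # ['deny', 'deny', 'deny']
    print(run(SECOND, [syn_in, synack_out, ack_in]))     # ['allow', 'allow', 'allow']
```

Against the posted rule, sshd's outbound SYN/ACK fails on exactly the two conditions named in the reply (`dport`, because the reply's destination port is the client's ephemeral port, and `setup`, because ACK is set), and the client's inbound SYN never matches either, since the rule is restricted to `out`; the only thing that rule does pass is a SYN leaving this host toward port 22 somewhere else. With the `from ${mip} to me 22 setup limit src-addr 2` rule, the inbound SYN creates a dynamic rule, the SYN/ACK and the following ACK are accepted through it, and a third simultaneous connection from the same source address is dropped by the limit. The model ignores dynamic-rule expiry and treats every stateful rule as an implicit check-state point, which is enough for these cases but not a substitute for reading ipfw(8).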