Date:      Thu, 6 Apr 2006 18:06:43 +0100
From:      RW <list-freebsd-2004@morbius.sent.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipfw and ssh
Message-ID:  <200604061806.45538.list-freebsd-2004@morbius.sent.com>
In-Reply-To: <7DF2083F-A039-495E-8FAC-E6C9D8AA6391@gmail.com>
References:  <7DF2083F-A039-495E-8FAC-E6C9D8AA6391@gmail.com>

On Thursday 06 April 2006 02:50, Anthony M. Agelastos wrote:
> Hello everyone,
>
> Allow me to preface my problem by saying that I am very ignorant when
> it comes to networking. I do apologize if this is trivial. In any
> event, I enabled the "client" ifpw firewall located in /etc/
> rc.firewall. This appears to work well for my needs... except for one
> additional item. I need someone outside of my network to have SSH
> access to my machine. I know his/her IP address. So, I have added
> some additional items to rc.firewall for this. Here is what I added.
>
>          # Allow person SSH access
>          mip="xxx.xxx.xxx.xxx"
>          ${fwcmd} add allow tcp from any to any 22 out setup keep-state
>          ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2

The client script is set up to handle TCP by static rules. If you want to mix
static and dynamic TCP rules (i.e. limits), you will need to add a check-state
line before the comment "Allow TCP through if setup succeeded"; otherwise
your dynamic rules will never see any established traffic and will time out.
Also, there is already a static rule to allow all outgoing TCP connections,
so you don't need a stateful one for port 22.

However, none of the above should prevent an ssh login. 

If I were you I'd start with just: 

${fwcmd} add pass tcp from any to any ssh setup

and work from there. You need to be methodical when troubleshooting firewalls.
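The ordering RW describes, written out as an added example (not from the thread or from /etc/rc.firewall itself): check-state placed ahead of the static "established" rule so the limit rule for the trusted address actually sees its own return traffic. The address 192.0.2.10 is a constructed placeholder, and fwcmd defaults to echo so the script only prints rules unless you set it to "ipfw -q" on the host.

```shell
#!/bin/sh
# Added example: a "client"-style ipfw fragment for the inbound SSH case
# discussed above. With fwcmd=echo it prints the rules instead of loading them.
fwcmd="${fwcmd:-echo}"
mip="192.0.2.10"   # constructed placeholder for the trusted remote address

ssh_rules() {
    # Dynamic (limit/keep-state) rules are only consulted when a
    # check-state rule runs, so it must come before the static rule
    # that passes established traffic; otherwise the dynamic entries
    # never match return packets and simply expire.
    ${fwcmd} add check-state

    # Allow TCP through if setup succeeded (the static rule the client
    # script already has; it stays after check-state)
    ${fwcmd} add pass tcp from any to any established

    # Outgoing TCP is already permitted statically; no keep-state needed
    ${fwcmd} add pass tcp from me to any setup

    # Inbound SSH only from the one trusted address, at most two
    # concurrent connections from it
    ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
}

# minimal_rule: the single rule RW suggests starting from when troubleshooting
minimal_rule() {
    ${fwcmd} add pass tcp from any to any ssh setup
}

# line_of PATTERN: position of the first rule matching PATTERN in ssh_rules
line_of() {
    ssh_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

ssh_rules
minimal_rule
```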