From: Noah Silverman <noah@allresearch.com>
To: freebsd-security@freebsd.org
Date: Mon, 17 Apr 2006 14:22:59 -0700
Subject: IPFW Problems
Message-Id: <9C1A3A84-BB1E-41E8-8BB4-5BEAEA54B499@allresearch.com>
List-Id: Security issues [members-only posting]

Hi,

I have a system with a 4.11 kernel. Unless I'm doing something very wrong, there seems to be something odd with ipfw.
Take the following rules:

ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via bge0

In theory, this should allow in SSH and nothing else. When I install this firewall configuration, I'm locked out of the box. An inspection of the logs shows that rule 499 is being triggered by an attempted incoming connection.

Can anybody help?

Also, would it be better to upgrade to ipfw2? If so, how do I do that?

Thanks,

-N
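Added example (not part of the post, and not ipfw's own code): a small Python model of how ipfw evaluates a ruleset like the one above, so the path each packet takes can be traced rule by rule. It implements the documented semantics only: rules are tried in number order and the first match decides; dynamic rules created by keep-state or limit are consulted at the first keep-state/limit rule encountered (before that rule's own static body) and inherit the parent rule's action; setup matches only a TCP SYN without ACK; limit src-addr N refuses to create more than N dynamic rules per source address. The host address 192.0.2.10 (what "me" resolves to), the peer addresses, the ports and the interface name are all constructed for the illustration. The model ignores dynamic-rule expiry, so on a real box the dynamic table should be inspected with ipfw -d show rather than inferred from this.

```python
# Added example: toy model of ipfw first-match evaluation with keep-state /
# limit dynamic rules, used to trace the posted ruleset.  Not ipfw code;
# all addresses, ports and the interface name are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LOCAL_ADDRS = {"192.0.2.10"}   # constructed: what "me" resolves to on this host


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str = "all"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False              # match only TCP SYN without ACK
    keep_state: bool = False
    limit_src: Optional[int] = None  # "limit src-addr N"


def addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in LOCAL_ADDRS
    return pattern == addr


def static_match(rule: Rule, pkt: Packet) -> bool:
    """Does the packet match the rule's static (non-dynamic) body?"""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not addr_match(rule.src, pkt.src) or not addr_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    return True


def flow_key(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reverse_key(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}                 # flow key -> (rule number, action)
        self.sessions = defaultdict(int)  # (rule number, src addr) -> live sessions

    def evaluate(self, pkt: Packet):
        """Return (rule number, action) of the first rule that decides pkt."""
        state_checked = False
        for rule in self.rules:
            # Dynamic rules are consulted at the first keep-state/limit rule
            # encountered, before that rule's static body is tried.
            if not state_checked and (rule.keep_state or rule.limit_src is not None):
                state_checked = True
                for key in (flow_key(pkt), reverse_key(pkt)):
                    if key in self.dynamic:
                        return self.dynamic[key]
            if not static_match(rule, pkt):
                continue
            if rule.limit_src is not None:
                if self.sessions[(rule.number, pkt.src)] >= rule.limit_src:
                    # limit reached: the packet is dropped, no new state is made
                    return rule.number, "deny"
                self.sessions[(rule.number, pkt.src)] += 1
            if rule.keep_state or rule.limit_src is not None:
                self.dynamic[flow_key(pkt)] = (rule.number, rule.action)
            return rule.number, rule.action
        return 65535, "deny"   # implicit default rule


# The four rules from the post, as Rule objects.
POSTED_RULES = [
    Rule(280, "allow", "tcp", "any", "any", 22, "out", "bge0", setup=True, keep_state=True),
    Rule(299, "deny", direction="out", iface="bge0"),
    Rule(430, "allow", "tcp", "any", "me", 22, "in", "bge0", setup=True, limit_src=2),
    Rule(499, "deny", direction="in", iface="bge0"),
]


def trace_ssh_scenarios():
    """Run constructed packets through the ruleset; returns {label: (rule, action)}."""
    fw = Firewall(POSTED_RULES)
    me, client = "192.0.2.10", "198.51.100.7"   # constructed addresses
    pkts = {
        "out_ssh_syn":   Packet("tcp", me, 40000, "203.0.113.5", 22, "out", "bge0", syn=True),
        "out_ssh_reply": Packet("tcp", "203.0.113.5", 22, me, 40000, "in", "bge0", syn=True, ack=True),
        "in_ssh_syn_1":  Packet("tcp", client, 50001, me, 22, "in", "bge0", syn=True),
        "in_ssh_ack_1":  Packet("tcp", client, 50001, me, 22, "in", "bge0", ack=True),
        "in_ssh_syn_2":  Packet("tcp", client, 50002, me, 22, "in", "bge0", syn=True),
        "in_ssh_syn_3":  Packet("tcp", client, 50003, me, 22, "in", "bge0", syn=True),
        "in_http_syn":   Packet("tcp", client, 50004, me, 80, "in", "bge0", syn=True),
        "in_dns_query":  Packet("udp", client, 50005, me, 53, "in", "bge0"),
    }
    return {label: fw.evaluate(p) for label, p in pkts.items()}


if __name__ == "__main__":
    for label, (num, action) in trace_ssh_scenarios().items():
        print(f"{label:15} -> rule {num:5} {action}")
```

Running it prints one line per constructed packet with the rule number that decided it, which is the same information the log lines from rules 299, 430 and 499 give on the real system; comparing the two side by side is the quickest way to see where the box's behaviour departs from the model.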