Date:      Mon, 19 Jan 2004 00:53:38 +0100
From:      "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
To:        "Andrew L. Gould" <algould@datawok.com>
Cc:        FreeBSD-questions@FreeBSD.org
Subject:   Re: ipfw rules for letting ssh requests in
Message-ID:  <200401190053.38351.Danovitsch@Vitsch.net>
In-Reply-To: <200401181747.04419.algould@datawok.com>
References:  <200401181747.04419.algould@datawok.com>

On Monday 19 January 2004 00:47, Andrew L. Gould wrote:
> I can't seem to get the ipfw rules right for letting ssh clients access an
> ssh server.  I can use ssh on the server to connect to the client; but if I
> try to connect from the client to the server, the operation times out.
>
> I have my rules in /etc/ipfw.rules.  Executing 'ipfw show' displays all of
> the rules as expected.  It also shows packets having been allowed at rule
> 300 after an attempt to connect has been made.
>
> I have copied the top portion of /etc/ipfw.rules:
>
> #!/bin/sh
>
> # Andrew L. Gould's firewall rules.
>
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
>
>
> # Basic rules that should not be changed
> ${fwcmd} add 00100 pass all from any to any via lo0
> ${fwcmd} add 00110 deny all from any to 127.0.0.0/8
> ${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any
>
>
> # Allow specified service requests in
> # ssh
> ${fwcmd} add 00300 allow tcp from any to me 22
> ${fwcmd} add 00301 allow udp from any to me 22
>
> Does anyone have any idea why the operation is timing out or what I have
> done wrong?
You forgot the packets in the other direction... This should do the trick:

${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any

grtz,
Daan
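To make the point of Daan's fix concrete, here is a small first-match rule evaluator in Python. It is an added example, not code from this thread or from FreeBSD's ipfw. It runs both legs of the ssh TCP handshake (the client's SYN to port 22, and the server's SYN/ACK from port 22 back) through Andrew's original 300/301 pair and through Daan's corrected pair. The addresses, port numbers and rule representation are constructed for the model; interface matching (`via lo0`) and the loopback rules are not modelled; the fall-through to a deny at rule 65535 mirrors ipfw's default configuration.

```python
"""Model of ipfw first-match evaluation (added example, not from the thread).

Shows why Andrew's rule set times out: rule 300 admits the client's SYN to
port 22, so 'ipfw show' counts packets there, but nothing admits the server's
SYN/ACK leaving port 22, so it falls through to the default deny (rule 65535
in a default ipfw configuration).
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

ME = "192.0.2.10"           # constructed address standing in for "me" (the server)
CLIENT = "198.51.100.7"     # constructed address for the ssh client


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", or "ip"/"all" for any protocol
    src: str               # address, "any", or "me"
    sport: Optional[int]   # None matches any source port
    dst: str
    dport: Optional[int]   # None matches any destination port


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match on protocol, addresses and ports, like a plain ipfw rule."""
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if not _addr_matches(rule.src, pkt.src) or not _addr_matches(rule.dst, pkt.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule (in numeric order) decides; unmatched packets hit
    the default rule 65535, which denies in a default ipfw build."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


# Andrew's original pair: tcp and udp, both only *to* port 22 on the server.
ORIGINAL = [
    Rule(300, "allow", "tcp", "any", None, "me", 22),
    Rule(301, "allow", "udp", "any", None, "me", 22),
]

# Daan's corrected pair: inbound to port 22 and the return traffic from port 22.
FIXED = [
    Rule(300, "allow", "tcp", "any", None, "me", 22),
    Rule(301, "allow", "tcp", "me", 22, "any", None),
]

# The two legs of the handshake that must both pass for ssh to connect.
SYN = Packet("tcp", CLIENT, 40000, ME, 22)        # client -> server:22
SYN_ACK = Packet("tcp", ME, 22, CLIENT, 40000)    # server:22 -> client


def handshake_outcome(rules: List[Rule]) -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Return (verdict for inbound SYN, verdict for outbound SYN/ACK)."""
    return evaluate(rules, SYN), evaluate(rules, SYN_ACK)


if __name__ == "__main__":
    print("original:", handshake_outcome(ORIGINAL))
    print("fixed:   ", handshake_outcome(FIXED))
```

Running it shows the original set accepting the SYN at rule 300 and dropping the SYN/ACK at 65535, which matches Andrew's observation that rule 300 counts packets while the connection still times out; the fixed set passes both legs. The general lesson the model illustrates is that a stateless ipfw rule describes one direction of traffic, so every service you open needs a matching rule for the reply path (or a stateful construct, which this model does not cover).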


