Date:      Wed, 17 Jul 2002 00:16:29 -0400
From:      Scott Lambert <lambert@lambertfam.org>
To:        FreeBSD-STABLE@FreeBSD.org
Subject:   Re: Dynamic Rules with IPFW
Message-ID:  <20020717041629.GA48980@laptop.lambertfam.org>
In-Reply-To: <200207170303.g6H330Je077763@drugs.dv.isc.org>
References:  <20020716214248.3fef4af2.freebsd@ec.rr.com> <200207170303.g6H330Je077763@drugs.dv.isc.org>

On Wed, Jul 17, 2002 at 01:03:00PM +1000, Mark.Andrews@isc.org wrote:
> 
> > I use Dynamic rulesets with IPFW:
> > 
> > ipfw add check-state
> > ipfw add deny tcp from any to any established
> > ipfw add allow tcp from my-net to any setup keep-state
> > 
> > But I also have services I need anyone on the net to get to, without
> > me making a connection first from "my-net". I allow such services
> > with:
> >
> > allow tcp from any to my-net 25,80,443 setup in via xl0 keep-state
> >
> > This works fine for 25,80, and 443. However, when I apply the
> > same rule for SSH, and login to my box remotely, about 10
> > minutes later, the connection just dies, and it dies with every
> > connection. Removing the keep-state option for ssh effectively
> > closes 22 obviously.  Would check-state be a better option here?
> >
> > Michael
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> 
> 	smtp, http and https are short lived connections with very
> 	little idle time.
> 
> 	ssh is a long lived connection with large amounts of idle
> 	time.  You need to have the dynamic lifetime exceed the
> 	keep alive timer or allow established ssh connections to
> 	continue to exist.

Or turn KeepAlive and/or ClientAlive* on in your sshd_config maybe?

You need to keep some kind of traffic flowing across the connection
or the elevator door will close.

man sshd_config

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org      
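The ruleset Michael posted, with the two remedies the replies describe (Mark's: make the dynamic-rule lifetime outlive the idle gaps, or let established ssh bypass the dynamic table; Scott's: keep probe traffic flowing from sshd), written out as an added example that is not part of this thread. It only prints the commands, never loads them, and assumes things the thread does not state: my-net is the documentation prefix 192.0.2.0/24, the outside interface is xl0 as in Michael's rule, and the rule numbers are invented. The sysctl name and the sshd_config keywords are real FreeBSD/OpenSSH ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (does not load) an ipfw
# ruleset in the shape Michael posted plus the two knobs the replies point at.
# Assumptions not in the thread: my-net is 192.0.2.0/24 (documentation prefix),
# the outside interface is xl0 as in Michael's rule, rule numbers are invented.

MYNET="${MYNET:-192.0.2.0/24}"
EXT_IF="${EXT_IF:-xl0}"

# Michael's ruleset with an inbound ssh rule added. check-state comes first so
# packets of a tracked flow are accepted there; any other packet with ACK set is
# dropped by the "established" rule. The commented rule 150 is Mark's second
# option: established ssh never depends on the dynamic table at all.
gen_ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 check-state
# Mark's alternative: ipfw add 150 allow tcp from any to ${MYNET} 22 established
ipfw add 200 deny tcp from any to any established
ipfw add 300 allow tcp from ${MYNET} to any setup keep-state
ipfw add 400 allow tcp from any to ${MYNET} 25,80,443 setup in via ${EXT_IF} keep-state
ipfw add 410 allow tcp from any to ${MYNET} 22 setup in via ${EXT_IF} keep-state
EOF
}

# A dynamic rule for an established TCP flow expires net.inet.ip.fw.dyn_ack_lifetime
# seconds (default 300) after the last packet that matched it. An idle ssh
# session sends nothing, so the rule expires and the next packet falls through
# to the deny rule: Scott's closing elevator door. Any packet inside the window
# refreshes the timer, which is what a keepalive probe provides.
# Returns 0 when a probe every $1 seconds refreshes a rule with lifetime $2.
keepalive_ok() {
    interval="$1"; lifetime="$2"
    if [ "$interval" -lt "$lifetime" ]; then
        return 0
    fi
    return 1
}

# Probe interval with margin for a delayed probe: half the firewall lifetime.
probe_interval_for() {
    echo $(( $1 / 2 ))
}

# sshd_config lines for Scott's suggestion. ClientAliveInterval sends an
# in-protocol probe after $1 idle seconds and ClientAliveCountMax 3 tolerates
# three unanswered probes before sshd drops the session. The "KeepAlive" knob
# he mentions is the TCP-level one; later OpenSSH releases call it TCPKeepAlive.
gen_sshd_alive() {
    printf 'ClientAliveInterval %s\nClientAliveCountMax 3\nTCPKeepAlive yes\n' "$1"
}

# Stand-alone run: ruleset, the lifetime sysctl, and a matching sshd fragment.
LIFETIME="${LIFETIME:-300}"
gen_ipfw_rules
echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=${LIFETIME}"
gen_sshd_alive "$(probe_interval_for "$LIFETIME")"
```

Raising dyn_ack_lifetime alone works but keeps every dead flow in the dynamic table longer; the probe approach keeps the table small and also lets sshd notice a peer that has silently gone away.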