From owner-freebsd-questions@FreeBSD.ORG Wed Oct 1 22:04:00 2014
Date: Wed, 1 Oct 2014 15:03:53 -0700
Subject: Re: Locked out of FreeBSD EC2 image - trying to figure out why ...
From: Michael Sierchio
To: John Case
Cc: FreeBSD Questions

On Wed, Oct 1, 2014 at 2:23 PM, John Case wrote:
>
> I added this ipfw line to my ec2 image and then rebooted it, and am unable
> to connect over the network now:
>
>
> deny ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any
> deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any
>
>
> The private IP that my instance uses is in the 172.31.xx.xx block, so is it
> my blocking of 172.16.0.0/12 that is causing the problem ?

Yes. DHCP responses will come from an RFC1918 network, for example.

This is naive and really unnecessary - just use an appropriate EC2 security policy. If you insist on using ipfw, you'll need to improve your understanding of how things work.

Also - an elastic IP will not persist across stopping and starting an instance, and you should associate it using a script inside the instance when it starts.

- M
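Added example, not part of the thread above: a small first-match evaluator that dry-runs an ipfw-style "deny/allow ip from <list> to any" ruleset against the addresses an EC2 instance must still be able to hear from before the rules are loaded. The two deny lines are the ones posted in the question; the instance address 172.31.5.20, the DHCP server 172.31.0.1 and the VPC CIDR 172.31.0.0/16 are constructed assumptions, 169.254.169.254 is the well-known EC2 instance metadata endpoint (which the posted 169.254.0.0/16 deny would also block), and the default policy of "allow when nothing matches" is assumed. The parser handles only the "from <cidr,...> to any" shape used in the post.

```python
import ipaddress
from dataclasses import dataclass, field

# Rules exactly as posted in the question: first match wins, as in ipfw.
POSTED_RULES = [
    "deny ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any",
    "deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any",
]

# Corrected ordering: permit the instance's own VPC (assumed 172.31.0.0/16) and the
# metadata endpoint before the bogon denies, so the denies still apply to everything else.
FIXED_RULES = [
    "allow ip from 172.31.0.0/16 to any",        # assumption: the VPC CIDR of this instance
    "allow ip from 169.254.169.254 to any",      # EC2 instance metadata endpoint
] + POSTED_RULES

# Constructed: sources the instance must be able to hear from after reboot.
MUST_REACH = ["172.31.0.1", "172.31.5.20", "169.254.169.254"]


@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    sources: list = field(default_factory=list)   # networks listed after "from"


def parse_rule(text: str) -> Rule:
    """Parse '<action> ip from <net>[,<net>...] to any' into a Rule."""
    parts = text.split()
    action = parts[0]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action: {action}")
    src_field = parts[parts.index("from") + 1]
    if src_field == "any":
        sources = [ipaddress.ip_network("0.0.0.0/0")]
    else:
        # strict=False tolerates host bits set, e.g. a bare /32 address
        sources = [ipaddress.ip_network(s, strict=False) for s in src_field.split(",")]
    return Rule(action, sources)


def parse_rules(lines):
    return [parse_rule(line) for line in lines]


def first_match(rules, src: str):
    """Return (rule number, action) of the first rule whose source list covers src.

    Assumption: no match means the default policy, taken here as allow.
    """
    addr = ipaddress.ip_address(src)
    for number, rule in enumerate(rules, 1):
        if any(addr in net for net in rule.sources):
            return number, rule.action
    return None, "allow"


def lockout_check(rules):
    """List the must-reach sources that the ruleset would deny."""
    return [src for src in MUST_REACH if first_match(rules, src)[1] == "deny"]


if __name__ == "__main__":
    for name, lines in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        blocked = lockout_check(parse_rules(lines))
        print(f"{name}: blocked sources = {blocked or 'none'}")
```

Running the check before `ipfw add` (or before putting the lines in a reboot-time ruleset) shows the posted ordering denies the DHCP server, the instance's own subnet and the metadata endpoint, while the reordered set lets those through and still denies, for example, 10.1.2.3 at the third rule.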