Date:      Thu, 18 Jul 2002 18:41:48 -0000
From:      <net@wsf.at>
To:        "Didier Rwitura" <drwitura@primus.ca>, <ipfw@FreeBSD.ORG>
Subject:   Re: disconection
Message-ID:  <200207181841.g6IIfmY09684@www.wsf.at>
In-Reply-To: <005f01c22e83$e19188c0$b0120a0a@primustel.ca>

Hi Didier,

Didier Rwitura <drwitura@primus.ca> wrote:

> Thanx martin and Thomas
> 
> - the auto-off is off completely .. I guess the reason  is mostly the
> firewall
> 
> - to answer Thomas
> 
> yeap i do
> here are my ipfw rules :
> 
> #allow ssh
> add 00300 allow tcp from 216.254.136.110 to any ssh in  setup keep-state
> 
> add 00301 allow tcp from any to any out setup keep-state
> 
> add 00302 allow tcp from  any ssh to any out setup keep-state

I think this rule is useless. AFAIK there will never be an
attempt to establish a connection originating from port 22
(sshd listens there).

> add 00304 allow tcp from any  to  any ssh in

This makes no sense either. You allow all traffic to port 22
but there is no rule that would let the responses pass (rule
302 only matches SYN packets).

> add 00305 allow tcp from any to any  out setup keep-state
> 
> 
> 
> ====================================

Regarding your original problem, there are 3 options:
1) Configure ipfw to pass traffic to/from 22 without using 
'keep-state', replace 300 with:
add 00200 allow tcp from 216.254.136.110 to me ssh
add 00201 allow tcp from me 22 to 216.254.136.110
(replace '216.254...' with 'any' if you want to connect from anywhere
but check your version of sshd first! )

2) increase the lifetime of the temporary rules created by
'keep-state'. See 'man ipfw', search for 'SYSCTL', see
'net.inet.ip.fw.dyn_ack_lifetime'.

3) Configure sshd and/or your ssh-client to use keepalives.

HTH

Thomas

P.S.: Please don't top-post, it makes it much more difficult 
to follow the thread.
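Option 1 from the reply above, written as an rc.firewall-style fragment so both directions of the ssh flow are covered without 'keep-state'. This is an added example, not code from the thread or from FreeBSD; FWCMD, TRUSTED_HOST and the sysctl value 3600 are assumptions, and the keepalive option names in the comments are the current OpenSSH ones.

```shell
#!/bin/sh
# Added example: ipfw rules for option 1 (stateless ssh rules in both
# directions) plus the sysctl for option 2. FWCMD=echo gives a dry run that
# only prints the commands instead of applying them with /sbin/ipfw.
FWCMD="${FWCMD:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
# Management host from the thread; replace with 'any' only if sshd is
# current and you really want logins from anywhere.
TRUSTED_HOST="${TRUSTED_HOST:-216.254.136.110}"

ssh_rules() {
    # Inbound half: only the trusted host may reach sshd. No 'setup' and no
    # 'keep-state', so every packet of the session matches this static rule
    # and an idle session cannot be cut off by a dynamic rule expiring.
    "$FWCMD" add 00200 allow tcp from "$TRUSTED_HOST" to me ssh in
    # Outbound half: sshd's replies. This is the rule the original ruleset
    # lacked: its rule 304 let packets in but nothing let the answers out.
    "$FWCMD" add 00201 allow tcp from me ssh to "$TRUSTED_HOST" out
    # Everything else that originates here keeps the stateful treatment
    # (rule 301 from the original post, unchanged).
    "$FWCMD" add 00301 allow tcp from any to any out setup keep-state
}

# Option 2 instead: keep 'keep-state' for ssh but lengthen the idle timeout
# (seconds) of the dynamic rules that an established TCP flow depends on.
# 3600 is a constructed example value; check the default with sysctl first.
dyn_ack_lifetime() {
    "$SYSCTL" "net.inet.ip.fw.dyn_ack_lifetime=${1:-3600}"
}

# Option 3 is configured outside ipfw: in sshd_config set
# 'ClientAliveInterval 60' (server side) or in ssh_config set
# 'ServerAliveInterval 60' (client side) so the flow never idles long
# enough for the dynamic rule to expire.

if [ "${1:-}" = "--dry-run" ]; then
    FWCMD=echo SYSCTL=echo
    ssh_rules
    dyn_ack_lifetime
fi
```

Run with `--dry-run` to review the generated rules before loading them; prefer option 1 for the management host, since it does not depend on timers at all.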
