Date:      Mon, 17 Apr 2006 19:42:44 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        David Wolfskill <david@catwhisker.org>
Cc:        freeBSD List <freebsd-questions@freebsd.org>
Subject:   Re: IPFW Problems?
Message-ID:  <444427F4.2070405@mac.com>
In-Reply-To: <20060417224415.GY32062@bunrab.catwhisker.org>
References:  <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com> <3BE1F863-F59D-49EC-A9D4-AEF6D89C5ABD@mac.com> <20060417224415.GY32062@bunrab.catwhisker.org>

David Wolfskill wrote:
> On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
>> [ ...redirected to freebsd-questions... ]
> 
> Thanks for doing that!

It seemed appropriate.  :)

[ ... ]
>> You don't have a check-state rule anywhere, so you either need to add  
>> one or a rule to pass established traffic to and from port 22.
> 
> I thought check-state was fairly optional; ref:
> 
>      These dynamic rules, which have a limited lifetime, are checked at the
>      first occurrence of a check-state, keep-state or limit rule, and are
>      typically used to open the firewall on-demand to legitimate traffic only.
>      See the STATEFUL FIREWALL and EXAMPLES Sections below for more
>      information on the stateful behaviour of ipfw.
> 
> (from "man ipfw" on a 4.11 system).

Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state" isn't 
going to match inbound established traffic, right?

So the dynamic rule checking doesn't actually fire, so the "add 00499 deny log 
all from any to any" rule fires and blocks it.  Doing a "ipfw add 10 
check-state" would probably make SSH go for the original poster...

-- 
-Chuck
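As an added illustration (not part of the thread), the script below audits an ipfw ruleset in the `ipfw list` output format for the misconfiguration discussed above: keep-state (or limit) rules present, but no check-state rule numbered ahead of the catch-all deny, so the dynamic state is never consulted before return traffic is dropped. The two rulesets are constructed from the rules quoted in the thread; the rule numbers other than 499 and the `audit_ruleset` function are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample rulesets in "ipfw list" format. BROKEN_RULES mirrors the
# situation in the thread: keep-state on the outbound SSH rule, a deny-all at
# 499, and no check-state rule anywhere.
BROKEN_RULES='00100 allow ip from any to any via lo0
00200 allow tcp from any to any 22 out via bge0 setup keep-state
00499 deny log all from any to any'

# FIXED_RULES adds the "ipfw add 10 check-state" suggested above.
FIXED_RULES='00010 check-state
00100 allow ip from any to any via lo0
00200 allow tcp from any to any 22 out via bge0 setup keep-state
00499 deny log all from any to any'

# audit_ruleset RULESET_TEXT
# Returns 1 and prints a finding when stateful rules (keep-state/limit) exist
# but no check-state rule precedes the first catch-all deny; returns 0 otherwise.
# Feed it a live ruleset with: audit_ruleset "$(ipfw list)"
audit_ruleset() {
    printf '%s\n' "$1" | awk '
        /keep-state|limit/             { stateful = 1 }
        /check-state/ && !sawdeny      { checkstate = 1 }
        /deny( log)? (ip|all) from any to any$/ && !sawdeny { sawdeny = 1 }
        END {
            if (stateful && !checkstate) {
                print "keep-state/limit used but no check-state before the catch-all deny;"
                print "return traffic for dynamic sessions will hit the deny rule"
                exit 1
            }
            exit 0
        }'
}

# Expected: audit_ruleset "$BROKEN_RULES" prints the finding and returns 1;
#           audit_ruleset "$FIXED_RULES"  prints nothing and returns 0.
```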
