Date:      Mon, 17 Apr 2006 18:29:13 -0400
From:      Charles Swiger <cswiger@mac.com>
To:        Noah Silverman <noah@allresearch.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPFW Problems?
Message-ID:  <3BE1F863-F59D-49EC-A9D4-AEF6D89C5ABD@mac.com>
In-Reply-To: <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com>
References:  <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com>

On Apr 17, 2006, at 5:29 PM, Noah Silverman wrote:
[ ...redirected to freebsd-questions... ]
> Take the following rules:
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the  
> box.  An inspection of the logs shows that rule 499 is being  
> triggered by an attempted incoming connection.

You don't have a check-state rule anywhere, so you either need to add  
one or a rule to pass established traffic to and from port 22.

> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2??  If so, how do I do  
> that?

Add:

   options IPFW2

...to your kernel config file and rebuild the kernel (and world also,  
probably).

-- 
-Chuck
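The fix described in the reply, written out as an added example (this is not code from the thread or from the FreeBSD project): the quoted ruleset with an explicit check-state rule numbered below every deny, so that packets belonging to the dynamic rules created by keep-state and limit are matched before they can fall through to rule 299 or 499. It assumes the interface is bge0 and that ipfw(8) is reachable as $FWCMD; set FWCMD=echo to see what would be loaded without touching the running firewall. The check_state_precedes_deny lint is a hypothetical helper added here to catch the original mistake before the rules are loaded.

```shell
#!/bin/sh
# Added example, not from the original thread: the quoted SSH-only ruleset
# with an explicit check-state rule in front of the deny rules.
# Assumptions: interface bge0, ipfw(8) at $FWCMD (FWCMD=echo for a dry run).

IF=${IF:-bge0}
FWCMD=${FWCMD:-"ipfw -q"}

# Corrected ruleset, one "ipfw add" argument list per line.
ssh_only_rules() {
    cat <<EOF
add 00100 check-state
add 00280 allow tcp from any to any 22 out via $IF setup keep-state
add 00299 deny log all from any to any out via $IF
add 00430 allow log tcp from any to me 22 in via $IF setup limit src-addr 2
add 00499 deny log all from any to any in via $IF
EOF
}

# The ruleset exactly as quoted in the question, kept for comparison.
quoted_rules() {
    cat <<EOF
add 00280 allow tcp from any to any 22 out via $IF setup keep-state
add 00299 deny log all from any to any out via $IF
add 0430 allow log tcp from any to me 22 in via $IF setup limit src-addr 2
add 00499 deny log all from any to any in via $IF
EOF
}

# Lint (hypothetical helper): the first check-state rule must carry a lower
# number than the first deny rule, otherwise the dynamic-rule lookup never
# happens for packets that reach a deny. Argument: a function that prints
# rules. Returns 0 when the ordering is right, 1 otherwise.
check_state_precedes_deny() {
    "$@" | awk '
        $1 == "add" && $3 == "check-state" && !cs { cs = $2 + 0 }
        $1 == "add" && $3 == "deny"        && !dn { dn = $2 + 0 }
        END { exit ((cs > 0 && (dn == 0 || cs < dn)) ? 0 : 1) }'
}

# Load the corrected ruleset. Do this from the console: an SSH session that
# was already open when the rules are loaded has no dynamic entry, so its
# packets are not SYN "setup" packets and still end at rule 499. The
# "established" rule mentioned in the reply is the workaround for that case.
load_rules() {
    check_state_precedes_deny ssh_only_rules || {
        echo "refusing to load: no check-state rule ahead of the deny rules" >&2
        return 1
    }
    ssh_only_rules | while read -r line; do
        $FWCMD $line
    done
}
```

Running `FWCMD=echo sh thisfile.sh` and calling `load_rules` prints the five `add` lines instead of installing them; `check_state_precedes_deny quoted_rules` fails, which is exactly the defect the reply points at.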

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BE1F863-F59D-49EC-A9D4-AEF6D89C5ABD>