From owner-freebsd-questions Sun Apr 15 12:28:32 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 4D7ED37B42C for ; Sun, 15 Apr 2001 12:28:30 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f3FKYZt63327; Sun, 15 Apr 2001 15:34:36 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Sun, 15 Apr 2001 15:34:35 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Caleb Walker
Cc: questions@FreeBSD.ORG
Subject: Re: IPFW rules
In-Reply-To: <001701c0c5d8$1f518d60$2701a8c0@cwalk.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 15 Apr 2001, Caleb Walker wrote:

> To make this simple this is what I have in my firewall for rules right now.
> I am starting here so that I can figure out what I am doing wrong. I have
> put the two port 22 rules at the top and right now it is at the bottom, so I
> have tried both.. If I remove the rule number 64101 why can I not ssh in?
> After I figure this out I will go ahead with the rest of my firewall
> configuration. Thank you so much in advance for your help!
>
> #ipfw list
> 00050 divert 8668 ip from any to any via xl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 64000 allow tcp from any to any 22
> 64001 allow udp from any to any 22
> 64101 allow ip from any to any
> 65535 deny ip from any to any
>

You are missing the return traffic from port 22 to your client. Keep in
mind that packets are bi-directional, meaning you have packets coming into
your machine and packets leaving. In this case you are missing the packets
leaving your machine.

	ipfw add 64002 allow tcp from any 22 to any

Should do the trick.

Nick Rogness - Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
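To see why Nick's rule 64002 matters, here is a small first-match simulator for Caleb's stateless ruleset (an added example, not code from the thread or from FreeBSD). The addresses, the `Rule`/`Packet` helpers and the treatment of the divert rule as pass-through are assumptions made for the example.

```python
# Added example (not from the mailing-list thread): a first-match simulator
# for a stateless ipfw ruleset, showing why the SSH reply dies without 64002.
from collections import namedtuple
import ipaddress

# proto "ip" matches every protocol; port None means any port; via None means any interface
Rule = namedtuple("Rule", "num action proto src sport dst dport via", defaults=[None])
Packet = namedtuple("Packet", "proto src sport dst dport iface")

def addr_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and addr_match(rule.src, pkt.src) and rule.sport in (None, pkt.sport)
            and addr_match(rule.dst, pkt.dst) and rule.dport in (None, pkt.dport)
            and rule.via in (None, pkt.iface))

def verdict(rules, pkt):
    """Return (rule number, action) of the first terminating match, as ipfw does.
    Simplification: divert is pass-through (natd re-injects and evaluation continues)."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.action != "divert" and matches(rule, pkt):
            return rule.num, rule.action
    return 65535, "deny"  # ipfw's built-in default rule

# Caleb's list with 64101 removed; 65535 is the default rule ipfw always shows.
BASE = [
    Rule(50, "divert", "ip", "any", None, "any", None, "xl0"),
    Rule(100, "allow", "ip", "any", None, "any", None, "lo0"),
    Rule(200, "deny", "ip", "any", None, "127.0.0.0/8", None),
    Rule(64000, "allow", "tcp", "any", None, "any", 22),
    Rule(64001, "allow", "udp", "any", None, "any", 22),
    Rule(65535, "deny", "ip", "any", None, "any", None),
]
FIX = Rule(64002, "allow", "tcp", "any", 22, "any", None)  # Nick's suggested rule

# Constructed addresses: SSH client 192.0.2.10, firewall host 198.51.100.5, both via xl0.
SYN = Packet("tcp", "192.0.2.10", 51000, "198.51.100.5", 22, "xl0")    # client -> sshd
REPLY = Packet("tcp", "198.51.100.5", 22, "192.0.2.10", 51000, "xl0")  # sshd -> client

if __name__ == "__main__":
    print("SYN in, no fix   :", verdict(BASE, SYN))            # (64000, 'allow')
    print("reply, no fix    :", verdict(BASE, REPLY))          # (65535, 'deny')
    print("reply, with fix  :", verdict(BASE + [FIX], REPLY))  # (64002, 'allow')
```

Rule 64002 is keyed only on the source port, so it also passes any other TCP packet that happens to carry source port 22; ipfw's `established` keyword (segments with ACK or RST set) or `keep-state` narrows that to genuine return traffic.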