IP Firewall blocks cvsup
horio shoichi
bugsgrief at bugsgrief.net
Mon Sep 20 05:00:19 PDT 2004
On Sun, 19 Sep 2004 06:45:28 -0700
Rob <europax at comcast.net> wrote:
> Seems to work with everything else incl. ftp. What am I doing wrong?
> Thanks, Rob.
>
> block in log all
> pass out all
>
> pass out on lo all
> pass in on lo all
>
> pass out quick on bfe0 proto tcp/udp from any to any port > 1024
For a quick answer, replace the above line with:
pass out quick on bfe0 proto tcp/udp from any to any port > 1024 keep state
>
> pass in quick on bfe0 proto icmp all icmp-type 0
> pass in quick on bfe0 proto icmp all icmp-type 3
> pass in quick on bfe0 proto icmp all icmp-type 11
>
> block in on bfe0 proto tcp all flags S/SA
> block out on bfe0 proto tcp all flags SA/SA
>
> pass in quick on bfe0 proto tcp from any to any port = 22 flags S/SA keep state
> pass in quick on bfe0 proto tcp from any to any port = 25 flags S/SA keep state
>
> pass out on bfe0 proto tcp all keep state
I don't think this line makes the tcp connections below stateful. You must write the
"keep state" phrase on every tcp (and udp, icmp) line you write.
>
> block return-rst in on bfe0 proto tcp from any to any port = 113
>
> pass in on bfe0 proto tcp/udp from any port = 53 to any
> pass in on bfe0 proto tcp/udp from any port = 67 to any
> pass out on bfe0 proto tcp/udp from any port = 68 to any
> pass in on bfe0 proto tcp from any port = 80 to any
Or, add the following line here:
pass in on bfe0 proto tcp from any port = 5999 to any
>
horio shoichi
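As an added illustration (not part of the original thread, and not Rob's or Horio's actual ruleset), the fragment below shows why the outbound rule as posted breaks cvsup and how the two fixes suggested in the reply differ. It assumes the same interface name bfe0 and that the cvsup server listens on TCP port 5999, as the reply implies; the comments are mine.

```conf
# /etc/ipf.conf fragment, added example only (not the poster's file).
# ipf evaluates rules top to bottom and the LAST match wins, unless a
# rule says "quick", in which case evaluation stops at that rule.

block in log all
pass out all

# --- as posted ---
# This rule is "quick" and matches any outbound packet whose destination
# port is above 1024, so the cvsup SYN to port 5999 leaves without a state
# entry being created; the later "pass out ... all keep state" rule is
# never reached. The server's reply (src port 5999, dst port > 1024) then
# arrives inbound, matches no "pass in" rule, and is logged and dropped by
# "block in log all". ftp and http still work only because separate
# "pass in ... from any port = 80" style rules exist for them.
#
# pass out quick on bfe0 proto tcp/udp from any to any port > 1024

# --- fix 1: stateful (preferred) ---
# Same rule with "keep state". The outbound SYN creates a state-table
# entry and the server's replies are passed inbound by that entry, with no
# "pass in" hole needed for port 5999 or any other service.
pass out quick on bfe0 proto tcp/udp from any to any port > 1024 keep state

# --- fix 2: stateless alternative from the reply ---
# Keep the original rule and add an inbound hole for packets whose SOURCE
# port is 5999. This admits any inbound packet with that source port, not
# just replies to connections this host opened, so it is the weaker fix.
# pass in on bfe0 proto tcp from any port = 5999 to any
```

Reload with `ipf -Fa -f /etc/ipf.conf` and confirm the active rules with `ipfstat -io`; while cvsup runs, `ipfstat -sl` should show a state entry for the connection to port 5999, and the `block in log all` drops that appeared before the fix should stop showing up in ipmon's output. For TCP rules it is common ipf practice to write `flags S keep state` so that only the initial SYN creates state, rather than any outbound segment.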