IPFW Problems?

Chuck Swiger cswiger at mac.com
Mon Apr 17 23:42:44 UTC 2006


David Wolfskill wrote:
> On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
>> [ ...redirected to freebsd-questions... ]
> 
> Thanks for doing that!

It seemed appropriate.  :)

[ ... ]
>> You don't have a check-state rule anywhere, so you either need to add  
>> one or a rule to pass established traffic to and from port 22.
> 
> I thought check-state was fairly optional; ref:
> 
>      These dynamic rules, which have a limited lifetime, are checked at the
>      first occurrence of a check-state, keep-state or limit rule, and are typ-
>      ically used to open the firewall on-demand to legitimate traffic only.
>      See the STATEFUL FIREWALL and EXAMPLES Sections below for more informa-
>      tion on the stateful behaviour of ipfw.
> 
> (from "man ipfw" on a 4.11 system).

Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state" isn't 
going to match inbound established traffic, right?

So the dynamic rule checking doesn't actually fire, so the "add 00499 deny log 
all from any to any" rule fires and blocks it.  Doing an "ipfw add 10 
check-state" would probably make SSH go for the original poster...

-- 
-Chuck

