IPFW Problems?
Charles Swiger
cswiger at mac.com
Mon Apr 17 22:29:15 UTC 2006
On Apr 17, 2006, at 5:29 PM, Noah Silverman wrote:
[ ...redirected to freebsd-questions... ]
> Take the following rules:
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being
> triggered by an attempted incoming connection.
You don't have a check-state rule anywhere, so you either need to add
one or a rule to pass established traffic to and from port 22.
> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2?? If so, how do I do
> that?
Add:
options IPFW2
...to your kernel config file and rebuild the kernel (and world also,
probably).
--
-Chuck
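The fix Chuck describes, applied to Noah's four rules, as an added example that is not part of the thread: a check-state rule is loaded ahead of the stateless deny rules so that packets belonging to the dynamic entries created by keep-state (rule 280) and limit (rule 430) are matched before rule 299 or 499 can drop them. The interface bge0 and rule numbers come from the post; the IFACE and IPFW variables, the rule number 270 and the helper names are assumptions so the script can be reviewed on a host without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread. IFACE/IPFW are assumed knobs so the
# rule set can be inspected (not loaded) on a machine that has no ipfw binary.
IFACE="${IFACE:-bge0}"
IPFW="${IPFW:-ipfw}"

# ssh_only_rules prints one rule per line, "<number> <body>", in load order.
# Rule 270 (number chosen here) is the missing check-state: it consults the
# dynamic ruleset before the deny rules run, so the reply and follow-on
# packets of an SSH session are passed by the rule that created the state.
ssh_only_rules() {
    cat <<EOF
00270 check-state
00280 allow tcp from any to any 22 out via $IFACE setup keep-state
00299 deny log all from any to any out via $IFACE
00430 allow log tcp from any to me 22 in via $IFACE setup limit src-addr 2
00499 deny log all from any to any in via $IFACE
EOF
}

# has_state_check succeeds only when a check-state rule precedes the first
# deny rule, which is exactly the condition the original rule set failed.
has_state_check() {
    ssh_only_rules | awk '
        /check-state/        { seen = 1 }
        /deny/ && !seen      { exit 1 }
    '
}

# load_rules flushes the running set and installs these rules. Run it from
# the console: a mistake in the set disconnects any remote session.
load_rules() {
    has_state_check || {
        echo "refusing to load: no check-state ahead of the deny rules" >&2
        return 1
    }
    "$IPFW" -q -f flush
    # $body is deliberately unquoted so each keyword becomes its own argument.
    ssh_only_rules | while read -r num body; do
        "$IPFW" -q add "$num" $body
    done
}

ssh_only_rules                   # show the set; APPLY=1 installs it
if [ "${APPLY:-0}" = 1 ]; then
    load_rules
fi
```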