IPFW Rule set question...

Drew Robertson the_brothel at hotmail.com
Sun Dec 28 08:34:50 PST 2003


Thanks for your reply.

I don't understand what you mean when you say NAT modifications... meaning 
how the packets are changed on the gateway to allow them to be seen as 
transparent from behind??

When I do a netstat -an while connected remotely it shows the connection on 
SSH as coming from 203.10.10.38, but when I add a rule to allow everything 
from that net it still won't allow access...

I did add the rule before the divert, but I still couldn't connect until I 
added an allow all manually...

I also tried opening up the SSH port to everyone, with allow tcp from any to 
me 22 via tl0, but that wouldn't allow a connection either...

It's a bit confusing...

Thanks again,

D


>From: Lowell Gilbert <freebsd-questions-local at be-well.ilk.org>
>Reply-To: freebsd-questions at freebsd.org
>To: "Drew Robertson" <the_brothel at hotmail.com>
>CC: freebsd-questions at freebsd.org
>Subject: Re: IPFW Rule set question...
>Date: 24 Dec 2003 16:43:49 -0500
>
>"Drew Robertson" <the_brothel at hotmail.com> writes:
>
> > I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
> > is dual homed, 2 NICs one for the internal LAN one running my cable
> > modem.  Everything works fine on the internal side.
> >
> > When accessing the box using any of those apps from work, the system
> > looks to briefly connect and then returns a "Connection Lost" or
> > "Connection closed by remote host error".
> >
> > The command setup to allow in access is as follows...
> >
> > 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> > 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
>
>I assume these are supposed to have "keep-state" in them.
>It *is* written that way in the full ruleset you posted lower down.
>
> > when this didn't work I added another command at the start of the
> > ruleset to just let everything in from a particular IP address range...
> >
> > 202 allow ip from 203.10.10.0/24 to any
> >
> > however this produced the same error...
> >
> > It wasn't until I allowed all from any to any that I was able to connect...
>
>Then the packets aren't actually being seen as coming from that
>address.  Maybe you're running into NAT modifications?
>
> > When checking out the security log, it tells me that rule 820 is
> > allowing access to my computer at home...
>
>But only for SYN packets...
>
>
>--
>Lowell Gilbert, embedded/networking software engineer, Boston area:
>		resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
>		username/password "public"
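The rule ordering the two messages above are circling around (a stateful accept for SSH on the outside interface, the natd divert, and where the non-SYN packets of an accepted connection get matched), as an added example that is not from this thread or from either poster: a dry-run ipfw ruleset for a FreeBSD 4.x gateway that accepts SSH to itself. It keeps the thread's interface name tl0 and port 22; the rule numbers, the explicit check-state rule and the final logging deny are choices of mine, written in the ipfw(8) syntax of that release. It only covers connections to the gateway's own addresses ('me'), which natd leaves untouched; for hosts behind the NAT a dynamic rule keys on the addresses as they are at the point in the ruleset where it was created, so placement relative to the divert rule needs separate thought and is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ipfw(8) ruleset for a
# FreeBSD 4.x NAT gateway that must accept SSH to itself, printed as a dry
# run so it can be reviewed before it is applied. Assumed names: external
# interface tl0 and port 22 (both from the thread); rule numbers are mine.

# print_rules OIF PORT: emit the ipfw commands in the order they are
# evaluated. Comments are passed through so the printed ruleset stays
# readable and still runs when piped into sh.
print_rules() {
    oif="$1"
    port="$2"
    cat <<EOF
ipfw -q -f flush
# natd first: translation is decided before any accept/deny rule sees the
# packet, and packets accepted by state further down never bypass natd.
ipfw add 100 divert natd ip from any to any via $oif
# Look the packet up in the dynamic table. Without a check-state rule (or an
# earlier keep-state/limit rule, which does the same lookup implicitly) only
# the SYN is accepted by rule 820 and every later packet of the connection
# falls through to the final deny.
ipfw add 200 check-state
# Accept SYNs for SSH to the gateway's own addresses ('me'), at most 4
# concurrent connections per source address. 'limit', like 'keep-state',
# creates the dynamic rule that rule 200 matches for the rest of the
# conversation in both directions, the gateway's replies included.
ipfw add 820 allow log tcp from any to me $port in via $oif setup limit src-addr 4
# Log what is dropped so a failing connection shows up in /var/log/security
# instead of vanishing silently.
ipfw add 65000 deny log ip from any to any
EOF
}

# diag_commands: what to run as root on the gateway while a remote login is
# attempted. 'ipfw -d show' lists the static rules with their counters plus
# the dynamic entries created by rule 820; the counters on rule 65000 show
# whether the rest of the connection is being dropped there. '-e' also
# lists dynamic entries that have already expired.
diag_commands() {
    cat <<'EOF'
ipfw -d show
ipfw -d -e show
tail -f /var/log/security
EOF
}

# Dry run by default; APPLY=1 feeds the ruleset to sh (root on the gateway).
if [ "${APPLY:-0}" = "1" ]; then
    print_rules tl0 22 | sh
else
    print_rules tl0 22
    diag_commands
fi
```

Run it as root with APPLY=1 to load the rules. The 'log' keyword on the allow and deny rules only produces output when net.inet.ip.fw.verbose is 1 (IPFIREWALL_VERBOSE in the kernel), which the 'allow log' lines in the thread already rely on; the per-rule counters from 'ipfw -d show' work regardless.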
