IP Firewall blocks cvsup

horio shoichi bugsgrief at bugsgrief.net
Mon Sep 20 05:00:19 PDT 2004


On Sun, 19 Sep 2004 06:45:28 -0700
Rob <europax at comcast.net> wrote:
> Seems to work with everything else incl. ftp.  What am I doing wrong? 
> Thanks,   Rob.
> 
>
>
> block in log all
> pass out all
>
> pass out on lo all
> pass in on lo all
>
> pass out quick on bfe0 proto tcp/udp from any to any port > 1024

For a quick answer, replace the above line with:

pass out quick on bfe0 proto tcp/udp from any to any port > 1024 keep state
>
> pass in quick on bfe0 proto icmp all icmp-type 0
> pass in quick on bfe0 proto icmp all icmp-type 3
> pass in quick on bfe0 proto icmp all icmp-type 11
>
> block in on bfe0 proto tcp all flags S/SA
> block out on bfe0 proto tcp all flags SA/SA
>
> pass in quick on bfe0 proto tcp from any to any port = 22 flags S/SA keep state
> pass in quick on bfe0 proto tcp from any to any port = 25 flags S/SA keep state
>
>
> pass out on bfe0 proto tcp all keep state

I don't think this line makes the tcp connections below stateful. You must write
the "keep state" phrase on every tcp (and udp, icmp) line you write.
>
> block return-rst in on bfe0 proto tcp from any to any port = 113
>
> pass in on bfe0 proto tcp/udp from any port = 53 to any
> pass in on bfe0 proto tcp/udp from any port = 67 to any 
> pass out on bfe0 proto tcp/udp from any port = 68 to any
> pass in on bfe0 proto tcp from any port = 80 to any

Or, add the following line here:

pass in on bfe0 proto tcp from any port = 5999 to any
>


horio shoichi
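To make the evaluation order behind this answer concrete, here is a small Python model of IPFilter's matching (rules read in order, last match wins, "quick" stops evaluation, "keep state" admits the session's reply packets) run over a subset of Rob's rules. This is an added illustration, not code from the thread or from ipf; the ephemeral client port 49152 is an assumed value, and cvsup's TCP port 5999 is the one the reply names.

```python
# Toy model of IPFilter rule evaluation: rules are read in order, the last
# match wins unless a matching rule says "quick", and "keep state" on a
# passing rule admits the reverse packets of that session before the rules
# are consulted. Constructed to illustrate the thread's cvsup case; not ipf code.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    action: str                                    # "pass" or "block"
    direction: str                                 # "in" or "out"
    proto: tuple                                   # e.g. ("tcp", "udp")
    sport: Optional[Callable[[int], bool]] = None  # source-port test
    dport: Optional[Callable[[int], bool]] = None  # destination-port test
    quick: bool = False
    keep_state: bool = False

def matches(r: Rule, direction: str, proto: str, sport: int, dport: int) -> bool:
    return (r.direction == direction and proto in r.proto
            and (r.sport is None or r.sport(sport))
            and (r.dport is None or r.dport(dport)))

def evaluate(rules, state, direction, proto, sport, dport) -> str:
    """Verdict for one packet; state holds (proto, local, remote) of kept sessions."""
    key = (proto, sport, dport) if direction == "out" else (proto, dport, sport)
    if key in state:
        return "pass"                      # matched by the state table
    verdict, chosen = "pass", None         # ipf passes if no rule matches
    for r in rules:
        if matches(r, direction, proto, sport, dport):
            verdict, chosen = r.action, r
            if r.quick:
                break
    if verdict == "pass" and chosen is not None and chosen.keep_state:
        state.add(key)
    return verdict

def cvsup_reply_verdict(keep_state_out: bool, pass_in_5999: bool = False) -> str:
    """Fate of the server's SYN/ACK for a cvsup connection to TCP port 5999."""
    rules = [Rule("block", "in", ("tcp", "udp", "icmp")),        # block in log all
             Rule("pass", "out", ("tcp", "udp", "icmp")),        # pass out all
             Rule("pass", "out", ("tcp", "udp"), dport=lambda p: p > 1024,
                  quick=True, keep_state=keep_state_out),       # the rule horio changes
             Rule("pass", "in", ("tcp", "udp"), sport=lambda p: p == 53)]
    if pass_in_5999:                                             # horio's alternative
        rules.append(Rule("pass", "in", ("tcp",), sport=lambda p: p == 5999))
    state: set = set()
    evaluate(rules, state, "out", "tcp", 49152, 5999)            # client SYN (assumed port)
    return evaluate(rules, state, "in", "tcp", 5999, 49152)      # server reply
```

Without "keep state" the reply falls through to "block in log all"; with it, or with the extra "pass in ... port = 5999" rule, the reply is passed.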



More information about the freebsd-questions mailing list