IPFW Problems
Drew Tomlinson
drew at mykitchentable.net
Thu Apr 20 00:28:27 UTC 2006
On 4/17/2006 2:29 PM Noah Silverman wrote:
> Hi,
>
> I have a system with a 4.11 Kernel. Unless I'm doing something very
> wrong, there seems to be something odd with ipfw.
>
> Take the following rules:
I assume above this you have "ipfw add check-state" defined? This is
the rule that's required to get ipfw to check its dynamic rule set.
Without it, "keep-state" rules will never work.
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
I think this line is your problem. "setup" matches the initial packet
with the syn flag set. However since you have not added "keep-state",
no rule gets added to the dynamic rule set for this connection.
Subsequent packets don't match because "syn" is not set. Thus they hit
rule 499 and are denied.
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being triggered
> by an attempted incoming connection.
>
> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2? If so, how do I do that?
Add 'ipfw2=TRUE' to /etc/make.conf. Then the next time you build world
and kernel, you'll have ipfw2. There's probably a way to just recompile
the ipfw part but I've always just done the whole thing.
HTH,
Drew
--
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books, & More!
http://www.alchemistswarehouse.com
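A stateful ipfw ruleset for SSH in the shape Drew recommends, written out as a loadable script. This is an added example and not part of either message: it keeps Noah's interface name (bge0) and rule numbers, puts an explicit check-state rule in front of the stateful rules, and uses setup keep-state on the inbound SSH rule as well as the outbound one. The IPFW and IF variables, the dry-run default and the ordering check are assumptions for illustration; run it as root with IPFW=/sbin/ipfw to actually load the rules.

```shell
#!/bin/sh
# Added example (not from the original messages): a stateful ipfw ruleset for
# SSH with check-state in front of the keep-state rules. Interface name and
# rule numbers follow Noah's post; IPFW, IF and the dry-run default are
# assumptions for illustration. Dry-run prints the commands; to load for real:
#   IPFW=/sbin/ipfw sh ssh-rules.sh
IPFW="${IPFW:-echo ipfw}"
IF="${IF:-bge0}"

# Emit the ruleset, one "add ..." argument list per line, in load order.
ssh_ruleset() {
    # check-state numbered below every stateful rule: packets of an already
    # established session are matched against the dynamic table here and
    # never fall through to the deny rules.
    echo "add 00100 check-state"
    # Outbound SSH we initiate: only the SYN has to match statically.
    echo "add 00280 allow tcp from any to any 22 out via $IF setup keep-state"
    echo "add 00299 deny log all from any to any out via $IF"
    # Inbound SSH to this host: again only the SYN matches statically, and the
    # dynamic rule created here admits the replies going out via $IF (source
    # port 22, which 00280 would never match) and the client's later packets.
    # "limit src-addr 2" can replace keep-state to cap sessions per client
    # (see ipfw(8)); the two keywords are not combined in one rule.
    echo "add 00430 allow log tcp from any to me 22 in via $IF setup keep-state"
    echo "add 00499 deny log all from any to any in via $IF"
}

# Flush and load (or print) the ruleset. The flush keeps the script idempotent.
load_rules() {
    $IPFW -q flush
    ssh_ruleset | while IFS= read -r rule; do
        # Word-splitting $rule into separate arguments is intended here.
        $IPFW -q $rule
    done
}

# Ordering check before loading on a remote box: the check-state rule must
# appear before the first keep-state or limit rule. ipfw(8) says that without
# a check-state rule the dynamic table is first consulted at the first
# keep-state or limit rule, so an explicit check-state at the top makes the
# lookup point unambiguous.
check_state_first() {
    ssh_ruleset | awk '
        /check-state/             { cs = NR }
        /keep-state|limit/ && !ks { ks = NR }
        END { exit !(cs && ks && cs < ks) }'
}

check_state_first || { echo "check-state must precede the stateful rules" >&2; exit 1; }
load_rules
```

In dry-run mode the script prints the exact ipfw invocations it would make, which is worth reading once before loading any ruleset over the very SSH session it governs.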