IPFILTER_DEFAULT_BLOCK & No route to host
Dag-Erling Smørgrav
des at des.no
Tue Sep 30 07:54:47 PDT 2003
echelon <e_chelon at yahoo.com> writes:
> However, I use the following rules for the internal network interface (xl1)
>
> # Group 9000 (internal network interface)
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> pass in quick on xl1 all group 9000
>
> With these rules, I believe I should be able to ping and SSH into the
> FreeBSD box from my internal network whether or not the option
> IPFILTER_DEFAULT_BLOCK is set.
You're only letting traffic *in*. You're not letting anything *out*.
TCP, like love, is a two-way street.
DES
--
Dag-Erling Smørgrav - des at des.no
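A corrected version of the quoted xl1 ruleset, added here as an example rather than code from the original message or from the poster. It keeps the two return-rst reject rules and adds what the post's ruleset lacks: a path for packets leaving xl1. Assumptions: 192.168.1.1 stands in for the box's own internal address (the original only shows 192.168.x.x), and the `head 9000` / `head 9001` rules are supplied because the quoted fragment starts inside group 9000.

```ipf
# xl1: internal network interface.
# With IPFILTER_DEFAULT_BLOCK the kernel blocks every packet that matches
# no rule, inbound AND outbound. A ruleset that only says "pass in" lets the
# SYN (or echo-request) in and then drops the SYN-ACK (or echo-reply).

# Hand xl1 traffic to per-direction groups (assumed; the original fragment
# omits its head rules). The head rule's own action is what applies when
# nothing in the group matches, so the default here is an explicit block.
block in  quick on xl1 all head 9000
block out quick on xl1 all head 9001

# Group 9000 (inbound on internal interface): the reject rules from the post,
# with 192.168.1.1 assumed as the box's address.
block return-rst in log quick on xl1 proto tcp from any to 192.168.1.1/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.1.1/32 port = 21 group 9000

# Accept the rest, but keep state. The state table is consulted before the
# rules, so the replies (SYN-ACK, later segments, ICMP echo-reply) are passed
# back out on xl1 without ever reaching the default-block policy.
pass in quick on xl1 proto tcp  from any to 192.168.1.1/32 flags S keep state group 9000
pass in quick on xl1 proto icmp from any to 192.168.1.1/32 icmp-type echo keep state group 9000
pass in quick on xl1 all group 9000

# Group 9001 (outbound on internal interface): connections the box itself
# originates toward the LAN. Without an out rule (or the keep state above)
# every packet the box sends on xl1 is dropped under the default-block policy.
pass out quick on xl1 proto tcp from 192.168.1.1/32 to any flags S keep state group 9001
pass out quick on xl1 all group 9001
```

The minimal change to the post's ruleset is the single `pass out quick on xl1 all` rule; the `keep state` rules are the stricter form, since they tie the permitted outbound packets to a connection the box has already accepted. When IPFilter drops a packet the box itself is sending, the sending process sees the failure as a local send error, which is the "No route to host" in the subject line rather than a routing problem.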