IPFW Problems?
R. B. Riddick
arne_woerner at yahoo.com
Tue Apr 18 00:45:29 UTC 2006
--- Noah Silverman <noah at allresearch.com> wrote:
> Take the following rules:
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
I think rule 430 needs a keep-state, because you do not have a rule that allows
outgoing ssh packets for established tcp connections.
In addition to the previously mentioned "check-state" at the beginning you would need
a "keep-state" in rule 430...
> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being
> triggered by an attempted incoming connection.
>
Hmm... That's strange... What about rule 299? There should be something about
rule 299 in the logs... Maybe I am wrong...
-Arne
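The ruleset Noah posted and the stateful-rule point Arne raises, as an added example that is not part of the original thread: a small POSIX sh lint that reads ipfw "add" lines and reports whether any rule creates dynamic state (keep-state or limit), whether a check-state rule exists, and whether that check-state is numbered below the first deny rule, since ipfw walks rules in numeric order and, without a check-state rule, consults the dynamic ruleset only when it reaches the first keep-state or limit rule. The amended ruleset in the block adds the check-state rule Arne refers to; it keeps "limit src-addr 2" on rule 430 rather than adding keep-state beside it, because ipfw(8) lists limit as a stateful option that creates dynamic rules just as keep-state does, and the ipfw parser accepts only one of keep-state or limit on a single rule. Rule number 00100 for the check-state rule, the function names and the embedded rule text are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: a lint for ipfw rule text.
# Assumption: one "ipfw add <number> ..." rule per line; comments start with #.

# The ruleset as quoted in the thread (copied here as constructed input).
posted_rules() {
    cat <<'EOF'
ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via bge0
EOF
}

# The same set with a check-state rule numbered below every deny rule
# (rule number 00100 is this example's choice).  Rule 430 keeps "limit",
# which in ipfw creates dynamic state like keep-state does; a rule may
# carry only one of the two options.
amended_rules() {
    cat <<'EOF'
ipfw add 00100 check-state
ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 00430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via bge0
EOF
}

# ipfw_lint: read rules on stdin, print findings, exit 0 if clean, 1 otherwise.
# Rules are compared by their numbers, since ipfw evaluates them in numeric
# order, not in the order the "add" commands were typed.
ipfw_lint() {
    awk '
    BEGIN { first_deny = -1; check = -1; stateful = 0; bad = 0 }
    /^[ \t]*#/ || NF == 0 { next }
    {
        num = -1
        for (i = 1; i < NF; i++)
            if ($i == "add") { num = $(i + 1) + 0; break }
        if (num < 0) { print "line " NR ": no \"add <number>\" found"; bad = 1; next }
        for (i = 1; i <= NF; i++) {
            # lowest-numbered check-state wins, since that is where ipfw hits it first
            if ($i == "check-state" && (check < 0 || num < check)) check = num
            # both options create dynamic rules
            if ($i == "keep-state" || $i == "limit") stateful++
            # lowest-numbered deny is the first place a reply packet can die
            if ($i == "deny" && (first_deny < 0 || num < first_deny)) first_deny = num
        }
    }
    END {
        if (stateful == 0) {
            print "no keep-state/limit rule: nothing creates dynamic rules"; bad = 1
        }
        if (check < 0) {
            print "no check-state rule: dynamic rules are only consulted at the first keep-state/limit rule"; bad = 1
        } else if (first_deny >= 0 && check > first_deny) {
            print "check-state rule " check " is numbered after deny rule " first_deny; bad = 1
        }
        if (!bad) print "ok: check-state " check ", " stateful " stateful rule(s)"
        exit bad
    }'
}

# Run both rulesets through the lint when executed directly.
echo "posted ruleset:";  posted_rules  | ipfw_lint || true
echo "amended ruleset:"; amended_rules | ipfw_lint
```

Run against the posted set the lint reports the missing check-state rule and exits non-zero; against the amended set it reports "ok". A lint like this only catches ordering mistakes in the rule text, so when loading a new ruleset over ssh it is still worth arranging a timed fallback (a background job that reloads the previous known-good set after a minute unless you cancel it), so that a mistake of this kind does not cost console access.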
More information about the freebsd-security mailing list