Hi, I have a system with a 4.11 Kernel. Unless I'm doing something very wrong, there seems to be something odd with ipfw. Take the following rules:

ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via bge0

In theory, this should allow in SSH and nothing else.

When I install this firewall configuration, I'm locked out of the box. An inspection of the logs shows that rule 499 is being triggered by an attempted incoming connection.

Can anybody help?

Also, would it be better to upgrade to ipfw2?? If so, how do I do that?

Thanks,
-N
On Apr 17, 2006, at 5:29 PM, Noah Silverman wrote:
[ ...redirected to freebsd-questions... ]
> Take the following rules:
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the box. An inspection of the logs shows that rule 499 is being triggered by an attempted incoming connection.

You don't have a check-state rule anywhere, so you either need to add one or a rule to pass established traffic to and from port 22.

> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2?? If so, how do I do that?

Add:

options IPFW2

...to your kernel config file and rebuild the kernel (and world also, probably).

-- 
-Chuck
--- Noah Silverman <noah@allresearch.com> wrote:
> Take the following rules:
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>

I think rule 430 needs a keep-state, because you do not have a rule that allows outgoing ssh packets for established tcp connections. In addition to the before-mentioned "check-state" at the beginning, you would need a "keep-state" in rule 430...

> When I install this firewall configuration, I'm locked out of the box. An inspection of the logs shows that rule 499 is being triggered by an attempted incoming connection.
>

Hmm... That's strange... What about rule 299? There should be something about rule 299 in the logs... Maybe I am wrong...

-Arne
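The ruleset with the check-state rule Chuck asks for, put in front of the catch-all denies, as an added example that is not part of any message in this thread. It is written in the style of FreeBSD's /etc/rc.firewall (a $fwcmd variable and one ipfw(8) invocation per rule); rule 430 is kept exactly as Noah posted it, since `limit` already creates dynamic state, so the missing piece is consulting that state before rule 299 or 499 can log and drop a reply. The interface name bge0, the /sbin/ipfw path and the FWCMD, OIF, GRACE and APPLY_IPFW variables are assumptions made for this example; the lint function and the timed flush-to-accept safety net are additions for loading rules over the SSH session they govern, not anything the thread describes.

```shell
#!/bin/sh
# Added example, not from the thread: the poster's SSH-only ruleset with a
# check-state rule in front, rc.firewall style. Assumptions (not in the
# thread): interface bge0, ipfw at /sbin/ipfw; FWCMD, OIF, GRACE and
# APPLY_IPFW are invented knobs (FWCMD=echo dry-runs without touching ipfw).

# Emit the ruleset as ipfw(8) "add ..." lines, i.e. the text ipfw would
# read from a rules file. Keeping it as data lets it be linted and diffed.
ssh_rules() {
    oif="${OIF:-bge0}"
    cat <<EOF
add 00100 check-state
add 00280 allow tcp from any to any 22 out via ${oif} setup keep-state
add 00299 deny log all from any to any out via ${oif}
add 00430 allow log tcp from any to me 22 in via ${oif} setup limit src-addr 2
add 00499 deny log all from any to any in via ${oif}
EOF
}

# Lint: succeed only if the lowest-numbered check-state rule sorts before the
# lowest-numbered deny, so packets matching dynamic state are accepted before
# a catch-all deny can log and drop them. The poster's original set, which has
# no check-state at all, fails this check.
stateful_before_deny() {
    awk '
        $1 == "add" && $3 == "check-state" && (cs == "" || $2 + 0 < cs) { cs = $2 + 0 }
        $1 == "add" && $3 == "deny"        && (dn == "" || $2 + 0 < dn) { dn = $2 + 0 }
        END { ok = (cs != "" && (dn == "" || cs < dn)); exit ok ? 0 : 1 }
    '
}

# Load the ruleset one rule at a time. ${line} is deliberately unquoted so
# the shell splits it into ipfw's arguments; -q suppresses the echo of each
# rule, which is what you want from a script.
apply_ssh_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    ssh_rules | stateful_before_deny || {
        echo "refusing to load: no check-state rule before the first deny" >&2
        return 1
    }
    ssh_rules | while read -r line; do
        ${fwcmd} -q ${line} || exit 1   # exits only the pipeline subshell
    done
}

# Safety net for changing rules over the very SSH session they govern: after
# GRACE seconds, unless this background job is killed, flush to an accept-all
# set so a lockout is temporary. Rule 65000 covers both the default-deny and
# the IPFIREWALL_DEFAULT_TO_ACCEPT kernels. -f skips flush's confirmation.
start_safety_net() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    grace="${GRACE:-300}"
    ( sleep "${grace}" && ${fwcmd} -f -q flush \
        && ${fwcmd} -q add 65000 allow ip from any to any ) &
    SAFETY_PID=$!
}

# Entry point: only acts when explicitly asked, so sourcing or linting the
# script never touches the running firewall.
if [ "${APPLY_IPFW:-no}" = "yes" ]; then
    start_safety_net
    apply_ssh_rules
    echo "rules loaded; open a new ssh session, then: kill ${SAFETY_PID}"
fi
```

Usage is `FWCMD=echo sh ipfw-ssh.sh` to see what would be run, and `APPLY_IPFW=yes sh ipfw-ssh.sh` as root to load it; if the second login works, kill the printed PID, otherwise the firewall reopens itself after the grace period and you get another try.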
On Mon, 17 Apr 2006, Charles Swiger wrote:
> Add:
>
> options IPFW2
>
> ...to your kernel config file and rebuild the kernel (and world also, probably).

Yes, you need to rebuild the userland too, which means you also need IPFW2=true in /etc/make.conf before you build world.

-- 
Tod