> I use Dynamic rulesets with IPFW:
> 
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
> 
> But I also have services I need anyone on the net to get to, without me making a connection first from "my-net". I allow such services with:
> 
> allow tcp from any to my-net 25,80,443 setup in via xl0 keep-state
> 
> This works fine for 25, 80, and 443. However, when I apply the same rule for SSH, and login to my box remotely, about 10 minutes later, the connection just dies, and it dies with every connection. Removing the keep-state option for ssh effectively closes 22 obviously. Would check-state be a better option here?
> 
> Michael
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-security" in the body of the message

        smtp, http and https are short lived connections with very
        little idle time.

        ssh is a long lived connection with large amounts of idle
        time.  You need to have the dynamic lifetime exceed the
        keep alive timer or allow established ssh connections to
        continue to exist.

        Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
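Both remedies Mark describes, as an added example that is not from the thread: a check that the dynamic-rule lifetime (sysctl net.inet.ip.fw.dyn_ack_lifetime, a real ipfw knob) exceeds the ssh keepalive interval, and a static "established" rule for port 22 placed ahead of the generic deny. The 60-second keepalive (OpenSSH sshd_config ClientAliveInterval) is an assumed setting; xl0 and my-net are the names from the quoted message.

```sh
#!/bin/sh
# Added example, not code from the thread. Shows two ways to keep an idle ssh
# session from being dropped by ipfw's dynamic (keep-state) rules.

# Assumption: sshd probes idle clients every 60 s
# (sshd_config: ClientAliveInterval 60, ClientAliveCountMax 3).
SSH_KEEPALIVE=60
# ipfw expires an idle established dynamic entry after this many seconds
# (net.inet.ip.fw.dyn_ack_lifetime; the FreeBSD default is 300).
DYN_ACK_LIFETIME=300

# Remedy 1: the dynamic lifetime must exceed the keepalive interval, so every
# keepalive packet refreshes the entry before it can expire.
dyn_lifetime_ok() {
    [ "$1" -gt "$2" ]
}

# Execute for real only where ipfw exists; otherwise echo the command so the
# resulting ruleset can be inspected on any machine (dry run).
run() {
    if command -v ipfw >/dev/null 2>&1; then "$@"; else echo "$@"; fi
}

# Remedy 2: allow established ssh traffic statically, before the generic
# "deny established", so ssh no longer depends on a dynamic entry at all.
ssh_rules() {
    cat <<'EOF'
add check-state
add allow tcp from any to my-net 22 setup in via xl0 keep-state
add allow tcp from any to my-net 22 established in via xl0
add allow tcp from my-net 22 to any established out via xl0
add deny tcp from any to any established
EOF
}

apply() {
    if dyn_lifetime_ok "$DYN_ACK_LIFETIME" "$SSH_KEEPALIVE"; then
        echo "dyn_ack_lifetime ($DYN_ACK_LIFETIME s) exceeds keepalive ($SSH_KEEPALIVE s)"
    else
        # Raise the lifetime to twice the keepalive interval.
        run sysctl -w net.inet.ip.fw.dyn_ack_lifetime=$((SSH_KEEPALIVE * 2))
    fi
    ssh_rules | while read -r rule; do
        run ipfw $rule
    done
}

apply
```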
