From: "Incoming Mail List" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 18, 2002 2:13 PM
Subject: ipfw rulesets

> > Can anyone tell me why the following ruleset does NOT allow telnet sessions?
> >
> > allow tcp from any to any 23
> >
> > The only way I can get it to work is by adding,
> >
> > allow tcp from any to any established
> >
> > Isn't the format of the first rule supposed to allow incoming and outgoing
> > packets on port 23?

no. sorry to disappoint. :)

what the first rule says is "allow packets FROM any host [any port assumed] TO any host [port 23]." that is all very nice. however, a telnet session consists of two types of packets in this respect. first, the outgoing packets from the client, which are exactly what the rule above allows, and second, the response packets from the server, and it is those that the first rule ignores. a return packet looks like this: "FROM any host [port 23] TO any host [certain port range]". notice that this return packet is not going to be let through by the firewall, and therefore you will not be able to get the telnet session going.

what your second rule (the one with "established" in it) does is allow all packets to go through which have the "ack" bit set (established simply means 'check to see if the ack bit is set in the packet'). since all tcp packet responses from the telnet server will have the ack bit set, the responses from the server (the ones that the first rule does not allow) will be allowed by the second rule.

as an aside, if you want the first rule to allow incoming and outgoing, you wanna add "keep-state" to your rule, like this:

    allow tcp from any to any 23 keep-state

or better yet

    allow tcp from any to any 23 out keep-state

but this is a whole other can of worms. for more detail, you could always do a "man ipfw".

-- dfolkins
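To make the difference between the three rulesets concrete, here is a small Python model of the matching logic dfolkins describes (an added illustration, not ipfw source and not from the thread); the hosts, ports and helper functions are constructed for the example. It also checks a consequence of the reply's own description: an "established" rule admits any packet with the ACK bit set whether or not a session exists, while keep-state only admits replies to flows the firewall has already seen.

```python
# Constructed toy model of the ipfw matching behaviour described above; it is
# not ipfw code (no rule numbers, check-state placement or timeouts; default deny).
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# ack: TCP ACK flag set; direction: "in" or "out" relative to the firewall host
Packet = namedtuple("Packet", "src sport dst dport ack direction")

@dataclass
class Rule:
    dport: Optional[int] = None      # "to any <port>"; None matches any port
    established: bool = False        # match only packets with the ACK bit set
    keep_state: bool = False         # remember the flow when the rule matches
    direction: Optional[str] = None  # "in"/"out", or None for both

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.ack:
            return False
        return self.direction is None or p.direction == self.direction

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # (src, sport, dst, dport) flows learned via keep-state

    def check(self, p: Packet) -> str:
        # A dynamic rule matches both directions of the remembered flow.
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.dynamic or flow[2:] + flow[:2] in self.dynamic:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if r.keep_state:
                    self.dynamic.add(flow)
                return "allow"
        return "deny"

def telnet_session(fw: Firewall):
    """Verdicts for the client's SYN to port 23 and the server's SYN/ACK reply."""
    syn = Packet("10.0.0.5", 40000, "10.0.0.9", 23, False, "out")
    reply = Packet("10.0.0.9", 23, "10.0.0.5", 40000, True, "in")
    return fw.check(syn), fw.check(reply)

def unsolicited_ack(fw: Firewall) -> str:
    """Verdict for an inbound ACK packet from a host the firewall never saw."""
    return fw.check(Packet("192.0.2.1", 1234, "10.0.0.5", 5000, True, "in"))
```

Run `telnet_session` against `Firewall([Rule(dport=23)])`, then with `Rule(established=True)` appended, then with `Rule(dport=23, direction="out", keep_state=True)` alone to see the first ruleset drop the reply and the other two pass it.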