Okay Anthony, 

Here is a bit more detail on your IPFW setup. Here is the section of
rc.firewall that is relevant to what we've discussed. View this in HTML mode if
you can. I've highlighted changes in red and my own comments in blue. I also
noticed that you use a Netgear router in your setup. You need to make sure that
you pass port 22 inbound connections through your Netgear router to your
FreeBSD system. That would be a setup on your Netgear system.

        # set these to your network and netmask and ip
        net="192.0.2.0"         # This should be set to your internal network's address.
                                # Most home firewalls and routers use 192.168.1.0
        mask="255.255.255.0"    # This should be your internal network's netmask.
                                # Most home firewalls and routers use 255.255.255.0
        ip="192.0.2.1"          # This should be your local machine's IP address.
                                # If you are using DHCP to assign an address to your
                                # system, this will not work as written. Fortunately,
                                # IPFW now supports the meta-address 'me', which
                                # resolves to all your local addresses.

        setup_loopback

        # Allow any traffic to or from my own net. This allows all computers on
        # your network to talk to your computer without any restrictions.
        ${fwcmd} add pass all from ${ip} to ${net}:${mask}
        ${fwcmd} add pass all from ${net}:${mask} to ${ip}

        # Allow TCP through if setup succeeded. This allows any existing TCP
        # connections to work. This way you only need one rule (setup) for each
        # inbound service you want.
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email. This one allows outside systems to
        # send e-mail to your system. If you aren't running a mail server you
        # may want to remove this line. This is also the line we are going to
        # copy to allow your ssh server to work.
        ${fwcmd} add pass tcp from any to ${ip} 25 setup

        # Allow inbound connections to my ssh server. This will allow anyone
        # access to my system through SSH provided they can authenticate.
        ${fwcmd} add pass tcp from any to ${ip} 22 setup

        # Allow setup of outgoing TCP connections only. This is what lets you
        # initiate sessions with other systems (like http and ssh).
        ${fwcmd} add pass tcp from ${ip} to any setup

        # Disallow setup of all other TCP connections. If you put any TCP stuff
        # after this it won't work because this line prevents all further TCP
        # rules from being applied.
        ${fwcmd} add deny tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from ${ip} to any 53 keep-state

        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from ${ip} to any 123 keep-state

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.

On Wednesday 05 April 2006 22:27, Anthony M. Agelastos wrote:
> Thank you for your very prompt reply. I tried your suggestion and it
> didn't work. I do not know why. Is the location where I place this in
> the client profile important?
>
> I have also tried the person's actual IP address as well as the IP
> address of the router (just in case it is not doing something weird)
> to no avail.
>
> What is the easiest way of making changes to the firewall rules and
> applying them so I do not have to reboot each time? I assume a
> kldunload ipfw.ko and then a kldload ipfw.ko should do it, but I
> don't want to risk doing something incorrect while I am trying to
> debug my current problem.
>
> On Apr 5, 2006, at 10:08 PM, Ean Kingston wrote:
> > You neglected to include the 'add' in your first fwcmd.
> >
> > You may want to try something simple to start with. I haven't used
> > ipfw in a
> > while so hopefully my syntax is still good. Here is a simple
> > starting point:
> >
> > # Allow person SSH access
> > mip="xxx.xxx.xxx.xxx"       # IP Address of person
> > ${fwcmd} add allow tcp from ${mip} to me 22 in      # allow connection to ssh
> > ${fwcmd} add allow tcp from me 22 to ${mip} out     # allow me to respond
> >
> > I think all you really need is this:
> >
> > # Allow setup of incoming ssh
> > ${fwcmd} add pass tcp from ${mip} to ${ip} 22 setup
> >
> > Since the rest of it should be taken care of by the rest of the
> > 'client' ipfw
> > setup.
> >
> > On Wednesday 05 April 2006 21:50, Anthony M. Agelastos wrote:
> >> Hello everyone,
> >>
> >> Allow me to preface my problem by saying that I am very ignorant when
> >> it comes to networking. I do apologize if this is trivial. In any
> >> event, I enabled the "client" ipfw firewall located in /etc/rc.firewall.
> >> This appears to work well for my needs... except for one
> >> additional item. I need someone outside of my network to have SSH
> >> access to my machine. I know his/her IP address. So, I have added
> >> some additional items to rc.firewall for this. Here is what I added.
> >>
> >>          # Allow person SSH access
> >>          mip="xxx.xxx.xxx.xxx"
> >>          ${fwcmd} allow tcp from any to any 22 out setup keep-state
> >>          ${fwcmd} add pass tcp from ${mip} to me 22 setup limit src-addr 2
> >>
> >> I have tried many, many differing variations of this from items I
> >> have found online. I cannot get any of them to work. My network setup
> >> is as follows
> >>
> >> internet -> cable modem -> netgear router -> freebsd 6.1-prerelease
> >>
> >> This user can SSH into my machine when I set the firewall to "open".
> >> Any ideas?
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to
> >> "[EMAIL PROTECTED]"
> >
> > --
> > Ean Kingston, BSc, CISSP, ARO

-- 
Ean Kingston, BSc, CISSP, ARO
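The "client" rule set from the message above as a self-contained script, added here as an example and not part of the original thread or FreeBSD's rc.firewall: it uses the 'me' meta-address mentioned above instead of a fixed ${ip}, lets only the one remote address (a hypothetical 203.0.113.7 placeholder) open SSH rather than 'any', and checks that no 'setup' rule lands after the catch-all deny, the ordering mistake the message warns about. It assumes an FWCMD variable that defaults to a recording function so the script can be dry-run anywhere; on the FreeBSD host you would set FWCMD="/sbin/ipfw -q".

```shell
#!/bin/sh
# Added example, not from the original thread or FreeBSD's rc.firewall.
# Builds the "client" rule set with two changes: 'me' instead of a fixed
# ${ip} (works under DHCP), and SSH accepted only from one remote address.
# fwcmd defaults to a recorder so this runs anywhere as a dry run; on the
# FreeBSD box run it with FWCMD="/sbin/ipfw -q" once check_order passes.
mip="${MIP:-203.0.113.7}"          # hypothetical remote user's address
net="${NET:-192.0.2.0}"            # internal network, as in the message
mask="${MASK:-255.255.255.0}"
fwcmd="${FWCMD:-record_rule}"

rules=""
record_rule() { rules="${rules}$*
"; }

build_rules() {
    rules=""
    ${fwcmd} add pass all from me to ${net}:${mask}
    ${fwcmd} add pass all from ${net}:${mask} to me
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag
    # inbound SSH: only ${mip} may open a connection to port 22
    ${fwcmd} add pass tcp from ${mip} to me 22 setup
    ${fwcmd} add pass tcp from me to any setup
    # catch-all: no other inbound TCP setup; no 'setup' rule may follow it
    ${fwcmd} add deny tcp from any to any setup
    ${fwcmd} add pass udp from me to any 53 keep-state
    ${fwcmd} add pass udp from me to any 123 keep-state
}

# Returns 1 if any 'setup' rule sits after the catch-all deny, where it
# would never be reached.
check_order() {
    printf '%s' "$rules" | awk '
        /deny tcp from any to any setup/ { seen = 1; next }
        seen && /setup/ { bad++ }
        END { exit bad ? 1 : 0 }'
}

# Reload without rebooting: flush the running set and add the new rules.
# Do this from the console: with a default-deny kernel, a script that fails
# part-way after the flush leaves no rule that lets your SSH session in.
apply_rules() {
    ${fwcmd} -f flush
    build_rules
}
```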
