I tried it with: "ipfw add 00015 check-state"

I still get locked out :(

This is the "standard" firewall from the openbsd manual (on the website). I don't understand why it wouldn't work "as is".

Thanks,

-N

On Apr 17, 2006, at 4:42 PM, Chuck Swiger wrote:

David Wolfskill wrote:
On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
[ ...redirected to freebsd-questions... ]
Thanks for doing that!

It seemed appropriate.  :)

[ ... ]
You don't have a check-state rule anywhere, so you either need to add one or a rule to pass established traffic to and from port 22.
I thought check-state was fairly optional; ref:
These dynamic rules, which have a limited lifetime, are checked at the first occurrence of a check-state, keep-state or limit rule, and are typically used to open the firewall on-demand to legitimate traffic only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more information on the stateful behaviour of ipfw.
(from "man ipfw" on a 4.11 system).

Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state" isn't going to match inbound established traffic, right?

So the dynamic rule checking doesn't actually fire, so the "add 00499 deny log all from any to any" rule fires and blocks it. Doing a "ipfw add 10 check-state" would probably make SSH go for the original poster...

--
-Chuck
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions- [EMAIL PROTECTED]"


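To make the evaluation order Chuck describes concrete, here is a small Python model of ipfw's stateful behaviour. It is an added example, not ipfw's code and not anything from the thread; it models only what the quoted man page states: a matching keep-state rule creates a dynamic rule, and dynamic rules are consulted at the first check-state, keep-state or limit rule a packet reaches. The ruleset and traffic are constructed: the 499 deny is the one quoted above, while rule 300 (an inbound default-deny), rule 400 (the SSH keep-state rule), the interface bge0 and all addresses and ports are assumptions.

```python
"""Toy model of ipfw evaluation order for the keep-state / check-state
question in the thread.  Added example, not ipfw's code.  It models only
what the quoted man page states: a matching keep-state rule creates a
dynamic rule, and dynamic rules are consulted at the first check-state,
keep-state or limit rule a packet reaches.  All rule numbers except 499
are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out"
    iface: str
    src: str
    dst: str
    sport: int
    dport: int
    setup: bool       # True for a bare SYN, which is what "setup" matches


@dataclass
class Rule:
    number: int
    action: str                     # "allow", "deny" or "check-state"
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False
    keep_state: bool = False

    def stateful(self) -> bool:
        return self.action == "check-state" or self.keep_state

    def static_match(self, p: Packet) -> bool:
        """The ordinary (non-dynamic) part of the rule."""
        if self.action == "check-state":
            return False          # check-state has no static body
        return ((self.dport is None or p.dport == self.dport)
                and (self.direction is None or p.direction == self.direction)
                and (self.iface is None or p.iface == self.iface)
                and (not self.setup or p.setup))


def flow_key(p: Packet) -> frozenset:
    """A dynamic rule matches both directions of one connection."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}     # flow key -> (action, parent rule number)

    def check(self, p: Packet):
        """Walk the ruleset; return the (action, rule number) that decided."""
        state_checked = False
        for r in self.rules:
            # Dynamic rules are consulted once, at the first stateful rule.
            if r.stateful() and not state_checked:
                state_checked = True
                if flow_key(p) in self.dynamic:
                    return self.dynamic[flow_key(p)]
            if r.static_match(p):
                if r.keep_state:
                    self.dynamic[flow_key(p)] = (r.action, r.number)
                return (r.action, r.number)
        return ("deny", 65535)    # ipfw's default rule


def ruleset(check_state_at=None):
    """Constructed ruleset in the shape of the thread: an inbound
    default-deny (300, assumed), the SSH keep-state rule (400, assumed
    number) and the 499 deny quoted above.  None leaves check-state out."""
    rules = [
        Rule(300, "deny", direction="in", iface="bge0"),
        Rule(400, "allow", dport=22, direction="out", iface="bge0",
             setup=True, keep_state=True),
        Rule(499, "deny"),
    ]
    if check_state_at is not None:
        rules.append(Rule(check_state_at, "check-state"))
    return rules


# Constructed traffic: our outbound SSH SYN and the server's SYN-ACK reply.
SSH_SYN = Packet("out", "bge0", "10.0.0.5", "192.0.2.10", 51000, 22, True)
SSH_REPLY = Packet("in", "bge0", "192.0.2.10", "10.0.0.5", 22, 51000, False)
# An unrelated host opening SSH to us; no dynamic rule exists for it.
STRANGER_SYN = Packet("in", "bge0", "198.51.100.7", "10.0.0.5", 40000, 22, True)


def ssh_session(check_state_at=None):
    """Verdicts for our SYN, the reply and a stranger's SYN, in that order."""
    fw = Firewall(ruleset(check_state_at))
    return [fw.check(SSH_SYN), fw.check(SSH_REPLY), fw.check(STRANGER_SYN)]


if __name__ == "__main__":
    print("no check-state:   ", ssh_session())
    print("check-state at 10:", ssh_session(10))
```

Without check-state the reply is dropped by rule 300 before any stateful rule sees it, which is the lockout; with check-state at rule 10 the reply is matched by the dynamic rule and allowed, while the stranger's SYN is still denied because no dynamic rule exists for that flow. Two things the model makes visible: an early check-state only changes the outcome when some rule ahead of the keep-state rule would drop the reply (in this model the keep-state rule itself consults the dynamic table when it is reached), and check-state cannot help at all if the outbound packet never matched the keep-state rule, since then no dynamic rule is ever created.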
