On 4/17/2006 2:29 PM Noah Silverman wrote:
> Hi,
>
> I have a system with a 4.11 Kernel. Unless I'm doing something very wrong, there seems to be something odd with ipfw.
>
> Take the following rules:

I assume above this you have "ipfw add check-state" defined? This is the rule that's required to get ipfw to check its dynamic rule set. Without it, "keep-state" rules will never work.

> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2

I think this line is your problem. "setup" matches the initial packet with the syn flag set. However, since you have not added "keep-state", no rule gets added to the dynamic rule set for this connection. Subsequent packets don't match because "syn" is not set. Thus they hit rule 499 and are denied.

> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the box. An inspection of the logs shows that rule 499 is being triggered by an attempted incoming connection.
>
> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2? If so, how do I do that?

Add 'ipfw2=TRUE' to /etc/make.conf. Then the next time you build world and kernel, you'll have ipfw2. There's probably a way to just recompile the ipfw part, but I've always just done the whole thing.

HTH,

Drew
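To make the check-state point in the reply concrete, here is a small Python model of ipfw's first-match evaluation run over the ruleset quoted above; it is an added example, not part of the thread and not ipfw's own code. It assumes a simplified semantics: "setup" matches only SYN packets without ACK, "keep-state" and (by assumption) "limit" both record the flow in a dynamic table, and that table is consulted only where a "check-state" rule appears; the client address and port are constructed.

```python
# Simplified model of ipfw first-match evaluation with a dynamic rule table
# (added example, not ipfw code). Assumed semantics: 'setup' matches SYN-only
# packets, 'keep-state' and 'limit' both record the flow, and the dynamic
# table is consulted only at a 'check-state' rule.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int
    direction: str            # "in" or "out" (via bge0)
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    num: int
    action: str = "allow"     # "allow" or "deny"
    check_state: bool = False # bare 'check-state' rule, no body
    dport: int = 0            # 0 = any destination port
    direction: str = ""       # "" = any direction
    setup: bool = False       # match only SYN set, ACK clear
    keep_state: bool = False  # 'keep-state' or 'limit' (assumed equivalent)

def flow_key(p):
    # direction-agnostic endpoints so replies match the same dynamic rule
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def evaluate(rules, pkt, state):  # first match wins; returns (rule number, action)
    for r in rules:
        if r.check_state:
            if flow_key(pkt) in state:
                return state[flow_key(pkt)], "allow"
            continue
        if r.dport and r.dport != pkt.dport: continue
        if r.direction and r.direction != pkt.direction: continue
        if r.setup and not (pkt.syn and not pkt.ack): continue
        if r.keep_state: state[flow_key(pkt)] = r.num
        return r.num, r.action
    return 65535, "deny"  # implicit default deny

QUOTED = [Rule(280, dport=22, direction="out", setup=True, keep_state=True),
          Rule(299, "deny", direction="out"),
          Rule(430, dport=22, direction="in", setup=True, keep_state=True),
          Rule(499, "deny", direction="in")]
WITH_CHECK_STATE = [Rule(100, check_state=True)] + QUOTED

def ssh_handshake(rules):
    """Verdicts for an inbound SSH SYN and the inbound ACK that follows it."""
    state = {}
    syn = Packet("10.0.0.5", 40000, "me", 22, "in", syn=True)  # constructed
    ack = Packet("10.0.0.5", 40000, "me", 22, "in", ack=True)
    return evaluate(rules, syn, state), evaluate(rules, ack, state)
```

With the quoted ruleset alone the SYN is accepted by rule 430 but the following ACK falls through to rule 499, which is exactly the log entry described; with a check-state rule in front, the ACK is matched by the dynamic rule that 430 created.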
