Thanks for your reply.

I don't understand what you mean when you say NAT modifications... meaning how the packets are changed on the gateway to allow them to be seen as transparent from behind??

When I do a netstat -an while connected remotley it shows the connection on SSH as coming from 203.10.10.38, but when I add a rule to allow everything from that net it still won't allow access...

I did add the rule before the divert, but i still couldn't connect until i added an allow all manually...

i also tried opening up the ssh port to everyone, with allow tcp from any to me 22 via tl0, but that wouldn't allow a connection either...

It's a bit confusing...

Thanks again,

D


From: Lowell Gilbert <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "Drew Robertson" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: IPFW Rule set question...
Date: 24 Dec 2003 16:43:49 -0500

"Drew Robertson" <[EMAIL PROTECTED]> writes:

> I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
> is dual homed, 2 NICs one for the internal LAN one running my cable
> modem.  Everything works fine on the internal side.
>
> When accessing the box using any of those apps from work, the system
> looks to briefly connect and then returns a "Connection Lost" or
> "Connection closed by remote host error".
>
> The command setup to allow in access is as follows...
>
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup

I assume these are supposed to have "keep-state" in them.
It *is* written that way in the full ruleset you posted lower down.

> when this didn't work I added another command at the start of the
> ruleset to just let everything in from a particular IP address range...
>
> 202 allow ip from 203.10.10.0/24 to any
>
> however this produced the same error...
>
> It wasn't until I allowed all from any to any that I was able to connect...


Then the packets aren't actually being seen as coming from that
address.  Maybe you're running into NAT modifications?

> When checking out the security log, it tells me that rule 820 is
> allowing access to my computer at home...

But only for SYN packets...


-- Lowell Gilbert, embedded/networking software engineer, Boston area: resume/CV at http://be-well.ilk.org:8088/~lowell/resume/ username/password "public"

_________________________________________________________________
Hot chart ringtones and polyphonics. Go to http://ninemsn.com.au/mobilemania/default.asp


_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to