Thanks for your reply.

I don't understand what you mean when you say NAT modifications... meaning how the packets are changed on the gateway to allow them to be seen as transparent from behind??

When I do a netstat -an while connected remotley it shows the connection on SSH as coming from, but when I add a rule to allow everything from that net it still won't allow access...

I did add the rule before the divert, but i still couldn't connect until i added an allow all manually...

i also tried opening up the ssh port to everyone, with allow tcp from any to me 22 via tl0, but that wouldn't allow a connection either...

It's a bit confusing...

Thanks again,


From: Lowell Gilbert <[EMAIL PROTECTED]>
To: "Drew Robertson" <[EMAIL PROTECTED]>
Subject: Re: IPFW Rule set question...
Date: 24 Dec 2003 16:43:49 -0500

"Drew Robertson" <[EMAIL PROTECTED]> writes:

> I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
> is dual homed, 2 NICs one for the internal LAN one running my cable
> modem.  Everything works fine on the internal side.
> When accessing the box using any of those apps from work, the system
> looks to briefly connect and then returns a "Connection Lost" or
> "Connection closed by remote host error".
> The command setup to allow in access is as follows...
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup

I assume these are supposed to have "keep-state" in them.
It *is* written that way in the full ruleset you posted lower down.

> when this didn't work I added another command at the start of the
> ruleset to just let everything in from a particular IP address range...
> 202 allow ip from to any
> however this produced the same error...
> It wasn't until I allowed all from any to any that I was able to connect...

Then the packets aren't actually being seen as coming from that
address.  Maybe you're running into NAT modifications?

> When checking out the security log, it tells me that rule 820 is
> allowing access to my computer at home...

But only for SYN packets...

-- Lowell Gilbert, embedded/networking software engineer, Boston area: resume/CV at username/password "public"

Hot chart ringtones and polyphonics. Go to

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to