Re: IPFW Problems

2006-04-20 Thread RW
On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote: On 4/20/06, Drew Tomlinson [EMAIL PROTECTED] wrote: On 4/17/2006 2:29 PM Noah Silverman wrote: ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state ipfw add 00299 deny log all from any to any out via bge0

Re: IPFW Problems

2006-04-20 Thread Andrew Pantyukhin
On 4/21/06, RW [EMAIL PROTECTED] wrote: On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote: Yes. 'setup' is from semi-stateful firewall functionality while 'keep-state' is from fully stateful one. You can't use both in one rule without strange consequences. Just delete 'setup' words

Re: IPFW Problems

2006-04-19 Thread Drew Tomlinson
On 4/17/2006 2:29 PM Noah Silverman wrote: Hi, I have a system with a 4.11 Kernel. Unless I'm doing something very wrong, there seems to be something odd with ipfw. Take the following rules: I assume above this you have ipfw add check-state defined? This is the rule that's required to get

Re: IPFW Problems

2006-04-19 Thread Andrew Pantyukhin
On 4/20/06, Drew Tomlinson [EMAIL PROTECTED] wrote: On 4/17/2006 2:29 PM Noah Silverman wrote: Hi, I have a system with a 4.11 Kernel. Unless I'm doing something very wrong, there seems to be something odd with ipfw. Take the following rules: I assume above this you have ipfw add

Re: IPFW Problems?

2006-04-18 Thread Dmitry Pryanishnikov
Hello! On Tue, 18 Apr 2006, Tod McQuillin wrote: Add: options IPFW2 ...to your kernel config file and rebuild the kernel (and world also, probably). Yes, you need to rebuild the userland too, which means you also need IPFW2=true in /etc/make.conf before you build world. It's

Re: IPFW Problems?

2006-04-17 Thread David Wolfskill
On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote: ... [ ...redirected to freebsd-questions... ] Thanks for doing that! ... You don't have a check-state rule anywhere, so you either need to add one or a rule to pass established traffic to and from port 22. I thought

Re: IPFW Problems?

2006-04-17 Thread Chuck Swiger
David Wolfskill wrote: On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote: [ ...redirected to freebsd-questions... ] Thanks for doing that! It seemed appropriate. :) [ ... ] You don't have a check-state rule anywhere, so you either need to add one or a rule to pass

Re: IPFW Problems?

2006-04-17 Thread Noah Silverman
I tried it with: ipfw add 00015 check-state I still get locked out :( This is the standard firewall from the openbsd manual (on the website.) I don't understand why it wouldn't work as is. Thanks, -N On Apr 17, 2006, at 4:42 PM, Chuck Swiger wrote: David Wolfskill wrote: On Mon, Apr

Re: IPFW Problems

2006-04-17 Thread Paul Schmehl
--On April 17, 2006 2:29:23 PM -0700 Noah Silverman [EMAIL PROTECTED] wrote: I have a system with a 4.11 Kernel. Unless I'm doing something very wrong, there seems to be something odd with ipfw. Take the following rules: ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-

Re: IPFW Problems

2006-04-17 Thread Noah Silverman
Hi, I'm doing this over an SSH connection, so I can't see the console. If I do it wrong, I get locked out and have to initiate a remote reboot. Fun! Thanks! -N On Apr 17, 2006, at 5:10 PM, Paul Schmehl wrote: --On April 17, 2006 2:29:23 PM -0700 Noah Silverman [EMAIL PROTECTED] wrote: I

Re: IPFW Problems

2006-04-17 Thread Paul Schmehl
--On April 17, 2006 5:20:27 PM -0700 Noah Silverman [EMAIL PROTECTED] wrote: Hi, I'm doing this over an SSH connection, so I can't see the console. If I do it wrong, I get locked out and have to initiate a remote reboot. Fun! Once you've ssh'd in to the box, can you ssh out? And what does

Re: IPFW Problems

2006-04-17 Thread RW
On Monday 17 April 2006 22:29, Noah Silverman wrote: ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2 ipfw add 00499 deny log all from any to any in via bge0 In theory, this should allow in SSH and nothing else. What happens when you replace limit src-addr

Re: IPFW Problems?

2006-04-17 Thread RW
On Tuesday 18 April 2006 00:42, Chuck Swiger wrote: David Wolfskill wrote: I thought check-state was fairly optional; ref: These dynamic rules, which have a limited lifetime, are checked at the first occurrence of a check-state, keep-state or limit rule, and are typ- ically used

Re: IPFW Problems?

2006-04-17 Thread Tod McQuillin
On Mon, 17 Apr 2006, Charles Swiger wrote: Add: options IPFW2 ...to your kernel config file and rebuild the kernel (and world also, probably). Yes, you need to rebuild the userland too, which means you also need IPFW2=true in /etc/make.conf before you build world. -- Tod

Re: IPFW problems connecting to port 25!

2004-03-11 Thread Kevin D. Kinsey, DaleCo, S.P.
[EMAIL PROTECTED] wrote: I have IPFW set up, and in my ruleset I have the following lines: add 04009 allow tcp from any to me dst-port 80 in via xl0 setup add 04010 allow tcp from any to me dst-port 25 in via xl0 setup however if I enable the firewall and try to telnet into port 25, it cannot

Re: IPFW problems connecting to port 25!

2004-03-11 Thread whizkid
[snip] You do have a rule for established connections? Kevin Kinsey DaleCo S.P. You know, the only rule I have for that is add 6 deny log tcp from any to any established I am assuming this is incorrect?

Re: IPFW problems connecting to port 25!

2004-03-11 Thread Kevin D. Kinsey, DaleCo, S.P.
[EMAIL PROTECTED] wrote: [snip] You do have a rule for established connections? Kevin Kinsey DaleCo S.P. you know the only rule i have for that is add 6 deny log tcp from any to any established I am assuming this is incorrect? Aye, there's the rub. Last rule is usually deny

Re: IPFW problems connecting to port 25!

2004-03-11 Thread whizkid
Aye, there's the rub. Last rule is usually deny ip from any to any; somewhere above that, but after the setup rules is allow ip from any to my.ip.add.ress established* ... it does no good to allow the setup packets but no further data Kevin Kinsey DaleCo S.P. *instead of allow ip
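The two threads above turn on the same point: a TCP handshake is only the first packet a "setup" rule passes, and the rest of the connection has to be admitted either by an "established" rule placed after the setup rules (the 2004 port-25 thread) or by a check-state / keep-state rule that consults ipfw's dynamic table before any blanket deny (the 2006 SSH thread). The following is an added illustration, not code from either thread and not ipfw itself: a small Python model of ipfw's first-match evaluation with the setup, established, keep-state and check-state keywords, run over a constructed three-way handshake. The addresses, the outbound "allow" at rule 5000 and the rule numbers outside the threads are assumptions; "limit src-addr 2" is modelled as plain keep-state without the per-source cap, and interfaces, non-TCP protocols and dynamic-rule timeouts are ignored.

```python
"""Toy first-match model of ipfw's 'setup', 'established', 'keep-state'
and 'check-state' semantics. Constructed for illustration; not ipfw."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    dir: str            # "in" or "out"
    src: str
    dst: str
    sport: int
    dport: int
    flags: Set[str]     # subset of {"SYN", "ACK", "RST"}


@dataclass
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    dir: str = "any"             # "in", "out" or "any"
    dst: Optional[str] = None    # None matches any destination ("to any")
    dport: Optional[int] = None  # None matches any destination port
    setup: bool = False          # SYN set and ACK clear: new connections only
    established: bool = False    # ACK or RST set, which is ipfw's definition
    keep_state: bool = False     # on match, record the flow as a dynamic rule
    check_state: bool = False    # consult the dynamic table at this point


@dataclass
class Firewall:
    rules: List[Rule]
    dynamic: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def _static_match(self, r: Rule, p: Packet) -> bool:
        if r.dir != "any" and r.dir != p.dir:
            return False
        if r.dst is not None and r.dst != p.dst:
            return False
        if r.dport is not None and r.dport != p.dport:
            return False
        if r.setup and not ("SYN" in p.flags and "ACK" not in p.flags):
            return False
        if r.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

    def evaluate(self, p: Packet) -> Tuple[str, object]:
        """First-match evaluation; returns (verdict, matching rule)."""
        for r in sorted(self.rules, key=lambda x: x.number):
            # ipfw(8): dynamic rules are checked at the first check-state,
            # keep-state or limit rule encountered, whichever comes first.
            if (r.check_state or r.keep_state) and \
                    (p.src, p.sport, p.dst, p.dport) in self.dynamic:
                return "allow", "dynamic"
            if r.check_state:
                continue            # check-state matches nothing statically
            if self._static_match(r, p):
                if r.keep_state and r.action == "allow":
                    # record both directions of the flow
                    self.dynamic.add((p.src, p.sport, p.dst, p.dport))
                    self.dynamic.add((p.dst, p.dport, p.src, p.sport))
                return r.action, r.number
        return "deny", 65535        # ipfw's implicit default rule


ME, CLIENT = "192.0.2.1", "10.0.0.5"   # constructed addresses


def handshake(rules: List[Rule], port: int) -> Tuple[str, str, str]:
    """Verdicts for a client's SYN, our SYN/ACK and the client's final ACK."""
    fw = Firewall(list(rules))      # fresh dynamic table per run
    syn = Packet("in", CLIENT, ME, 40000, port, {"SYN"})
    synack = Packet("out", ME, CLIENT, port, 40000, {"SYN", "ACK"})
    ack = Packet("in", CLIENT, ME, 40000, port, {"ACK"})
    return tuple(fw.evaluate(p)[0] for p in (syn, synack, ack))


# 2004 thread: 'deny tcp from any to any established' at rule 6 sits above
# every setup rule, so only bare SYNs ever pass (outbound assumed open).
DENY_ESTABLISHED_FIRST = [
    Rule(6, "deny", established=True),
    Rule(4010, "allow", dir="in", dst=ME, dport=25, setup=True),
    Rule(5000, "allow", dir="out"),                  # assumed
    Rule(65000, "deny"),
]
# Kevin Kinsey's fix: the established rule goes after the setup rules and
# before the final deny, scoped to our own address.
ESTABLISHED_AFTER_SETUP = [
    Rule(4010, "allow", dir="in", dst=ME, dport=25, setup=True),
    Rule(4100, "allow", dst=ME, established=True),
    Rule(5000, "allow", dir="out"),                  # assumed
    Rule(65000, "deny"),
]
# 2006 thread, constructed variant: inbound SSH keeps state, but nothing on
# the outbound path consults the dynamic table, so our SYN/ACK hits rule 299.
STATEFUL_NO_CHECK_STATE = [
    Rule(280, "allow", dir="out", dport=22, setup=True),
    Rule(299, "deny", dir="out"),
    Rule(430, "allow", dir="in", dst=ME, dport=22, setup=True, keep_state=True),
    Rule(499, "deny", dir="in"),
]
# Same rules with 'ipfw add 00015 check-state' in front.
STATEFUL_WITH_CHECK_STATE = [Rule(15, "allow", check_state=True)] + STATEFUL_NO_CHECK_STATE

if __name__ == "__main__":
    for name, rules, port in [("deny established first", DENY_ESTABLISHED_FIRST, 25),
                              ("established after setup", ESTABLISHED_AFTER_SETUP, 25),
                              ("stateful, no check-state", STATEFUL_NO_CHECK_STATE, 22),
                              ("stateful, check-state", STATEFUL_WITH_CHECK_STATE, 22)]:
        print(f"{name:26s} SYN/SYN-ACK/ACK -> {handshake(rules, port)}")
```

Running it shows the two failure modes side by side: with "deny established" at rule 6 the inbound SYN is accepted but both the SYN/ACK and the client's ACK are dropped, which is exactly a telnet to port 25 that connects and then hangs; with a keep-state rule on the inbound side but no check-state (or keep-state) rule before the outbound deny, the SYN/ACK is dropped instead. Putting the established rule after the setup rules, or a check-state rule ahead of the denies, makes all three packets pass. On a real box, test rule changes from a console or with a scheduled "ipfw disable firewall" fallback rather than over the SSH session the rules protect.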