echelon <[EMAIL PROTECTED]> writes:
> However, I use the following rules for the internal network interface (xl1)
>
> # Group 9000 (internal network interface)
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> pass in quick on xl1 all group 9000
>
> With these rules, I believe I should be able to ping and SSH to the
> freebsd box from my internal network no matter whether the option
> IPFILTER_DEFAULT_BLOCK is set or not.
You're only letting traffic *in*. You're not letting anything *out*. TCP, like love, is a two-way street.

DES
-- 
Dag-Erling Smørgrav - [EMAIL PROTECTED]
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
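A version of the quoted ruleset that also lets the replies back out, written here as an added example rather than taken from either post. It assumes the usual `head 9000` rule for xl1 that the posted `group 9000` rules depend on (not shown in the thread) and keeps the poster's 192.168.x.x placeholder for the box's own address.

```ipf
# Added example (not from the thread). Assumed head rule that the posted
# group-9000 rules attach to; the inbound default on xl1 is block.
block in quick on xl1 all head 9000

# Group 9000 (internal network interface), as posted: refuse telnet and ftp
# with a RST and log the attempt.
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000

# What the poster wants to work from the inside: ssh and ping.
# "keep state" makes ipf create a state entry on the inbound SYN / echo
# request, and the matching outbound reply (SYN-ACK, echo reply) is passed
# from the state table without ever consulting the out rule list, so it is
# not caught by IPFILTER_DEFAULT_BLOCK.
pass in quick on xl1 proto tcp from any to 192.168.x.x/32 port = 22 flags S keep state group 9000
pass in quick on xl1 proto icmp from any to 192.168.x.x/32 icmp-type echo keep state group 9000
pass in quick on xl1 all group 9000

# The stateless alternative DES's reply points at: an explicit out rule.
# With only "pass in" rules and IPFILTER_DEFAULT_BLOCK, every packet the
# box sends on xl1 is dropped, so the SSH handshake never completes and
# ping never gets an echo reply back.
pass out quick on xl1 all
```

Either the `keep state` rules or the `pass out` rule on its own is enough to fix the symptom; the stateful form is the tighter of the two because it only lets out replies to connections the in rules already accepted.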