On 4/21/06, RW <[EMAIL PROTECTED]> wrote:
> On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote:
> > Yes. 'setup' is from "semi-stateful" firewall functionality while
> > 'keep-state' is from fully stateful one. You can't use both in
> > one rule without strange consequences. Just delete 'setu
On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote:
> On 4/20/06, Drew Tomlinson <[EMAIL PROTECTED]> wrote:
> > On 4/17/2006 2:29 PM Noah Silverman wrote:
> > > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> > > ipfw add 00299 deny log all from any to any out via
On 4/20/06, Drew Tomlinson <[EMAIL PROTECTED]> wrote:
> On 4/17/2006 2:29 PM Noah Silverman wrote:
> > Hi,
> >
> > I have a system with a 4.11 Kernel. Unless I'm doing something very
> > wrong, there seems to be something odd with ipfw.
> >
> > Take the following rules:
> I assume above this you h
On 4/17/2006 2:29 PM Noah Silverman wrote:
Hi,
I have a system with a 4.11 Kernel. Unless I'm doing something very
wrong, there seems to be something odd with ipfw.
Take the following rules:
I assume above this you have "ipfw add check-state" defined? This is
the rule that's required to ge
Hello!
On Tue, 18 Apr 2006, Tod McQuillin wrote:
Add:
options IPFW2
...to your kernel config file and rebuild the kernel (and world also,
probably).
Yes, you need to rebuild the userland too, which means you also need
IPFW2=true in /etc/make.conf before you build world.
It's absolutely
On Mon, 17 Apr 2006, Charles Swiger wrote:
Add:
options IPFW2
...to your kernel config file and rebuild the kernel (and world also,
probably).
Yes, you need to rebuild the userland too, which means you also need
IPFW2=true in /etc/make.conf before you build world.
--
Tod
On Tuesday 18 April 2006 00:42, Chuck Swiger wrote:
> David Wolfskill wrote:
> > I thought check-state was fairly optional; ref:
> >
> > These dynamic rules, which have a limited lifetime, are checked at
> > the first occurrence of a check-state, keep-state or limit rule, and are
> > typ- ica
On Monday 17 April 2006 22:29, Noah Silverman wrote:
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
What happens when you replace "limit src
--On April 17, 2006 5:20:27 PM -0700 Noah Silverman <[EMAIL PROTECTED]>
wrote:
Hi,
I'm doing this over an SSH connection, so I can't see console.
If I do it wrong, I get locked out and have to initiate a remote reboot.
Fun!
Once you've ssh'd in to the box, can you ssh out?
And what does ip
Hi,
I'm doing this over an SSH connection, so I can't see console.
If I do it wrong, I get locked out and have to initiate a remote
reboot. Fun!
Thanks!
-N
On Apr 17, 2006, at 5:10 PM, Paul Schmehl wrote:
--On April 17, 2006 2:29:23 PM -0700 Noah Silverman
<[EMAIL PROTECTED]> wrote:
I
--On April 17, 2006 2:29:23 PM -0700 Noah Silverman <[EMAIL PROTECTED]>
wrote:
I have a system with a 4.11 Kernel. Unless I'm doing something very
wrong, there seems to be something odd with ipfw.
Take the following rules:
ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep- s
I tried it with: "ipfw add 00015 check-state"
I still get locked out :(
This is the "standard" firewall from the openbsd manual (on the
website.) I don't understand why it wouldn't work "as is".
Thanks,
-N
On Apr 17, 2006, at 4:42 PM, Chuck Swiger wrote:
David Wolfskill wrote:
On Mon,
David Wolfskill wrote:
On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
[ ...redirected to freebsd-questions... ]
Thanks for doing that!
It seemed appropriate. :)
[ ... ]
You don't have a check-state rule anywhere, so you either need to add
one or a rule to pass establishe
On Mon, Apr 17, 2006 at 06:29:13PM -0400, Charles Swiger wrote:
> ...
> [ ...redirected to freebsd-questions... ]
Thanks for doing that!
> ...
> You don't have a check-state rule anywhere, so you either need to add
> one or a rule to pass established traffic to and from port 22.
I thought che
Hi,
I have a system with a 4.11 Kernel. Unless I'm doing something very
wrong, there seems to be something odd with ipfw.
Take the following rules:
ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add
> Aye, there's the rub. Last rule is usually
> "deny ip from any to any"; somewhere above
> that, but after the setup rules is "allow ip from
> any to my.ip.add.ress established"* ... it does
> no good to allow the setup packets but no
> further data
>
> Kevin Kinsey
> DaleCo S.P.
>
> *instead
[EMAIL PROTECTED] wrote:
[snip]
You do have a rule for established connections?
Kevin Kinsey
DaleCo S.P.
You know, the only rule I have for that is
add 6 deny log tcp from any to any established
I am assuming this is incorrect?
Aye, there's the rub. Last rule is usually
"deny
[snip]
>
> You do have a rule for established connections?
>
>
> Kevin Kinsey
> DaleCo S.P.
>
>
You know, the only rule I have for that is
add 6 deny log tcp from any to any established
I am assuming this is incorrect?
[EMAIL PROTECTED] wrote:
I have IPFW set up, and in my ruleset I have the following lines:
add 04009 allot tcp from any to me dst port 80 in via x10 setup
add 04010 allow tcp from any to me dst port 25 in via xl0 setup
however if I enable the firewall and try to telnet into port 25, it cannot
connec
I have IPFW set up, and in my ruleset I have the following lines:
add 04009 allot tcp from any to me dst port 80 in via x10 setup
add 04010 allow tcp from any to me dst port 25 in via xl0 setup
however if I enable the firewall and try to telnet into port 25, it cannot
connect.. BUT if I disable the
21 matches