On 2006-10-12 00:53, Spiros Papadopoulos <[EMAIL PROTECTED]> wrote:

> I started yesterday playing with it / testing it, but since I
> want to do most of the work remotely, I got stuck on this rule and
> feel like I should keep looking until I find the solution. I paste the
> whole script here just in case something else is wrong... Here
> is my ipfw.rules file:
>
> /** Sorry for the delay. In the meanwhile, just before I sent the
> mail something else happened. Taking into account what you told
> me about the "state" keyword, I added it to rule 300. Then
> I could not connect at all. I tried to take it off again, but
> surprisingly it still doesn't allow any connections at all (not
> even the user this time), hmmm... I am sending it as it was
> initially, which from yesterday until my first e-mail was
> working as described previously... Now also when I run the
> script with the "allowall" option it gives me problems, when it
> was working before. I can ping the machine and get replies but
> I cannot ssh to it. It seems that I am doing something wrong
> but cannot identify where */
>
> #!/bin/sh
>
> # rules command prefix
> addcmd="/sbin/ipfw -q add"
>
> # and the interface
> if="xl0"
>
> # details of this computer
> ip="192.168.1.199"
> net="192.168.1.0"
> mask="255.255.255.0"
> bcast="192.168.1.255"
>
> nic="sk0"
> ks="keep-state"
>
> # Flush out the list
> /sbin/ipfw -q -f flush
>
> if [ "$1" = "allowall" ]
> then
> ${addcmd} 100 allow all from any to any via ${nic}
> exit 0
> else
> # Only in rare cases do you want to change these rules
> ${addcmd} 50 allow all from any to any via lo0
> ${addcmd} 100 deny all from any to 127.0.0.0/8
> ${addcmd} 150 deny ip from 127.0.0.0/8 to any
These look ok.

> # At the moment don't allow it
> #${addcmd} 400 allow all from ${ip} to ${net}:${mask}
> #${addcmd} 500 allow all from ${net}:${mask} to ${ip}

Not sure why these are needed (but they are commented out).

> # Allow only specific stuff and maintain the firewall for as long
> # as needed to become tough enough
>
> # check state and keep it
> ${addcmd} 200 check-state
>
> ${addcmd} 210 allow tcp from me to any setup ${ks}
> ${addcmd} 211 allow udp from me to any ${ks}
>
> ${addcmd} 212 allow icmp from any to me icmptype 0, 3, 4, 11
> ${addcmd} 212 allow icmp from me to any
>
> # Allow Traffic to my ISP DNS server
> ${addcmd} 250 allow udp from ${ip} to xx.xxx.x.xx 53 out via ${nic}
> ${addcmd} 251 allow udp from xx.xxx.x.xx to ${ip} 53 in via ${nic}
>
> # Allow ssh from anywhere
> #${addcmd} 300 allow log logamount 5 tcp from any to me 22 setup ${ks}
> #${addcmd} 301 allow tcp from any to me ssh in recv ${nic} ${ks} setup
> ${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
> # Everything else is denied
> ${addcmd} 65535 deny all from any to ${ip}
> exit 0
> fi

You seem to be missing a 'setup' keyword in the ssh rule :-/

I just loaded your own ruleset (with ${ip} and ${nic} set to local values)
on a FreeBSD 7.0-CURRENT system here.
They work fine, as far as I can tell:

,----------------------------------------------------------------
| [EMAIL PROTECTED]:/home/giorgos$ su -
| Password: ********
| [EMAIL PROTECTED]:/root# ipfw -d show
| 00050   168  30828 allow ip from any to any via lo0
| 00100     0      0 deny ip from any to 127.0.0.0/8
| 00150     0      0 deny ip from 127.0.0.0/8 to any
| 00200     0      0 check-state
| 00210   881 129402 allow tcp from me to any setup keep-state
| 00211     8    965 allow udp from me to any keep-state
| 00212     0      0 allow icmp from any to me icmptypes 0,3,4,11
| 00212     0      0 allow icmp from me to any
| 00250     0      0 allow udp from 10.6.0.131 to any dst-port 53 out via re0
| 00251     0      0 allow udp from any to 10.6.0.131 dst-port 53 in via re0
| 00300   649  92691 allow log logamount 5 tcp from any to any dst-port 22 keep-state
| 65535   154  35966 deny ip from any to any
| ## Dynamic rules (12):
| [EMAIL PROTECTED]:/root#
`----------------------------------------------------------------

The only changes I made are:

* Use 'any' instead of xx.xxx.x.xx as the UDP address.
* Change ${ip} to my own address
* Change ${nic} to my own interface name

I can connect to other hosts and ssh back into my workstation with this
ruleset :-/  Sorry, but I'm not sure why in your case this fails to work.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
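An added check, not part of either message in this thread: a small shell lint over ipfw rule lines that flags two things visible in the pasted script, a brace-wrapped name with no leading `$` (like the `{ks}` on rule 300, which the shell hands to ipfw literally rather than as `keep-state`) and an inbound TCP keep-state rule lacking `setup`, the keyword the reply points at. The rule lines in `SAMPLE_RULES` are constructed for the example, and `lint_ipfw_rules` and `count_findings` are names chosen here, not tools from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint ipfw rule lines for two problems
# visible in the pasted script.
#  1. A brace-wrapped name with no leading '$' (e.g. '{ks}'): the shell passes
#     it to ipfw literally instead of expanding it to "keep-state".
#  2. An inbound TCP allow using keep-state without 'setup': state would be
#     created by any matching TCP packet, not only the SYN opening a connection.

# Constructed sample lines modelled on the poster's rules (not the real file).
SAMPLE_RULES='${addcmd} 210 allow tcp from me to any setup ${ks}
${addcmd} 300 allow log logamount 5 tcp from any to any ssh {ks}
${addcmd} 301 allow tcp from any to me 22 ${ks}
${addcmd} 302 allow tcp from any to me 22 setup ${ks}'

# Print one finding per offending line on stdout; exit 1 if any were found.
lint_ipfw_rules() {
    printf '%s\n' "$1" | awk '
        {
            line = $0
            # Drop well-formed ${name} references, then look for leftovers.
            gsub(/\$[{][A-Za-z_][A-Za-z0-9_]*[}]/, "", line)
            if (line ~ /[{][A-Za-z_][A-Za-z0-9_]*[}]/) {
                print "unexpanded variable: " $0; bad = 1
            }
        }
        # Inbound tcp (from any) with keep-state but no setup keyword.
        /allow .*tcp from any to .*(ssh|22)/ && /keep-state|\$[{]ks[}]/ && !/setup/ {
            print "tcp keep-state without setup: " $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Number of findings, handy for scripting (0 means the rules passed).
count_findings() {
    lint_ipfw_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report, and say whether the rules need fixing.
if lint_ipfw_rules "$SAMPLE_RULES"; then echo "rules look clean"; else echo "rules need fixing"; fi
```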