Re: IPFILTER_DEFAULT_BLOCK & No route to host
From: Justin (justin_at_othius.com)
Date: 09/30/03
- In reply to: Dag-Erling Smørgrav: "Re: IPFILTER_DEFAULT_BLOCK & No route to host"
Date: Tue, 30 Sep 2003 11:09:39 -0400 (EDT)
To: Dag-Erling Smørgrav <des@des.no>
On Tue, 30 Sep 2003, Dag-Erling Smørgrav wrote:
> echelon <e_chelon@yahoo.com> writes:
> > However, I use the following rules for the internal network interface (xl1)
> >
> > # Group 9000 (internal network interface)
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
> > block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
> > pass in quick on xl1 all group 9000
> >
> > With these rules, I believe I should be able to ping and SSH the
> > FreeBSD box from my internal network no matter whether the option
> > IPFILTER_DEFAULT_BLOCK is set or not.
>
> You're only letting traffic *in*. You're not letting anything *out*.
> TCP, like love, is a two-way street.
And if you want to keep it that way from a connection, rather than packet,
point of view, use the "keep state" option on your pass in rule.
-Justin
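As an added example (not part of the thread, and not echelon's or Justin's actual configuration), here is a rule set in the shape of the group 9000 rules above with the fix the two replies describe: `keep state` on the `pass in` rules, so the box's own replies to SSH and ping are matched by the state table instead of falling through to the kernel's default block policy. The addresses (192.168.1.1 for the box's xl1 address, 192.168.1.0/24 for the internal network) and the `head 9000` rule are assumptions; the original post elides the address as 192.168.x.x and does not show its head rule.

```conf
# Added example, not from the thread. 192.168.1.1 and 192.168.1.0/24 are
# constructed placeholders for the FreeBSD box's xl1 address and the LAN.

# With the IPFILTER_DEFAULT_BLOCK kernel option the implicit policy is
# "block": any packet not explicitly passed, in either direction, is
# dropped. Rules are evaluated per packet and per direction, and the
# state table is consulted before the rule list.

# Head rule handing every inbound xl1 packet to group 9000 (assumed;
# the original post does not show its head rule).
block in on xl1 all head 9000

# Group 9000 (internal network interface)
# Reject telnet and ftp to the box with a RST, as in the original post.
block return-rst in log quick on xl1 proto tcp from any to 192.168.1.1/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.1.1/32 port = 21 group 9000

# Original, broken under default block: the inbound SYN is passed, but
# the SYN-ACK leaving on xl1 matches no "pass out" rule and is dropped,
# hence the client sees a failed connection.
#   pass in quick on xl1 all group 9000

# Fixed: create a state entry on the first packet of each connection
# (flags S restricts the TCP rule to initial SYNs). Later packets of that
# flow, in both directions, match the state table and never reach the
# rule list, so no "pass out" rule is needed.
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 22 flags S keep state group 9000
pass in quick on xl1 proto icmp from 192.168.1.0/24 to 192.168.1.1/32 icmp-type echo keep state group 9000

# Stateless alternative: pass replies explicitly. This also works, but it
# is a blanket per-packet allow outbound and does not tie the reply to a
# connection the way keep state does.
#   pass in quick on xl1 all group 9000
#   pass out quick on xl1 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and inspect the resulting entries with `ipfstat -s` while an SSH session from the LAN is open; with `keep state` the session shows up in the state table, and with the original stateless `pass in` rule it never gets past the SYN.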
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable