Re: IPFW: Blocking me out. How to debug?

Board: FB_security, posted 2007/12/21 02:37, post 7 of 11 in this thread
On Thu, December 20, 2007 1:39 am, W. D. wrote:

I'm no expert on firewalls, so take this with a grain of salt.

>>> # Loopback:
>>> # Allow anything on the local loopback:
>>> add allow all from any to any via lo0
>>> add deny ip from any to 127.0.0.0/8
>>> add deny ip from 127.0.0.0/8 to any

>>Nope.

>>> # Allow established connections:
>>> add allow tcp from any to any established

>>Nope.

>>> # Deny fragmented packets:
>>> add deny ip from any to any frag

Perhaps this is the issue? I would think that if an IP fragment comes in, it's specifically *not* an established TCP connection (yet), so it would be blocked by this rule. No IP fragments means they don't have a chance to be reassembled into an actual packet. All the profiles in rc.firewall specifically allow ip frags, so I'd think they're required.

> Could anyone please throw this tired dog a bone?

Fetch! :)

--
Matt Piechota

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #17QhPi00 (FB_security)
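
The rule-ordering question raised in the post above, as an added example that is not part of the original message or of FreeBSD: a simplified first-match model of three of the quoted rules, showing which rule each fragment of one TCP segment hits. The `Packet` class, the `em0` interface name and the sample packets are constructed; the model assumes the ipfw(8) descriptions that `frag` matches non-first fragments and `established` matches TCP packets with ACK or RST set, and it omits the two 127.0.0.0/8 rules.

```python
# Simplified first-match model of three quoted ipfw rules (added example).
# Assumed semantics, per ipfw(8): "frag" matches non-first fragments only;
# "established" needs the TCP flags, which non-first fragments do not carry.
from dataclasses import dataclass

@dataclass
class Packet:                 # constructed sample packets, not captured traffic
    iface: str
    proto: str
    frag_offset: int = 0      # >0 means a non-first IP fragment
    tcp_flags: frozenset = frozenset()

def is_established(p):
    # The TCP header is only present in the first fragment (offset 0).
    return (p.proto == "tcp" and p.frag_offset == 0
            and bool(p.tcp_flags & {"ACK", "RST"}))

RULES = [  # (rule text as quoted in the post, action, match predicate)
    ("allow all from any to any via lo0", "allow", lambda p: p.iface == "lo0"),
    ("allow tcp from any to any established", "allow", is_established),
    ("deny ip from any to any frag", "deny", lambda p: p.frag_offset > 0),
]

def evaluate(p, rules=RULES):
    """Return (action, rule text) of the first matching rule."""
    for text, action, match in rules:
        if match(p):
            return action, text
    # Assumption: the kernel's final default rule is deny.
    return "deny", "default rule (assumed deny)"

# One large segment of an already-open TCP session, split in two by IP.
first = Packet("em0", "tcp", 0, frozenset({"ACK"}))
rest = Packet("em0", "tcp", 185)   # offset in 8-byte units; no TCP header

if __name__ == "__main__":
    for name, pkt in (("first fragment", first), ("later fragment", rest)):
        print(f"{name:15s} -> {evaluate(pkt)}")
```

In this model the first fragment is accepted by the `established` rule while the later fragment falls through to `deny ... frag`, so the receiver never gets the complete datagram.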