IPFW: Blocking me out. How to debug?
Matt Piechota
piechota at argolis.org
Thu Dec 20 10:35:21 PST 2007
On Thu, December 20, 2007 1:39 am, W. D. wrote:
I'm no expert on firewalls, so take this with a grain of salt.
>>> # Loopback:
>>> # Allow anything on the local loopback:
>>> add allow all from any to any via lo0
>>> add deny ip from any to 127.0.0.0/8
>>> add deny ip from 127.0.0.0/8 to any
>>Nope.
>>> # Allow established connections:
>>> add allow tcp from any to any established
>>Nope.
>>> # Deny fragmented packets:
>>> add deny ip from any to any frag
Perhaps this is the issue? I would think that if an IP fragment comes in,
it's specifically *not* an established TCP connection (yet), so it would
be blocked by this rule. No IP fragments means they don't have a chance
to be reassembled into an actual packet.
All the profiles in rc.firewall specifically allow ip frags, so I'd think
they're required.
> Could anyone please throw this tired dog a bone?
Fetch! :)
--
Matt Piechota
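An added illustration, not code from the post or from ipfw itself: a small first-match model of the quoted rules, showing why a non-first IP fragment of an already established TCP connection never matches the `established` rule and so falls through to the `frag` deny. The addresses, interface name and the placement of an `allow ip from any to any frag` rule are constructed assumptions.

```python
import ipaddress

# Constructed, simplified model of ipfw first-match evaluation for the
# handful of options the posted rules use. Not the real ipfw matcher.
POSTED_RULES = [
    ("allow", "all", {"via": "lo0"}),
    ("deny",  "ip",  {"dst": "127.0.0.0/8"}),
    ("deny",  "ip",  {"src": "127.0.0.0/8"}),
    ("allow", "tcp", {"established": True}),
    ("deny",  "ip",  {"frag": True}),
]

def matches(rule, pkt):
    action, proto, opts = rule
    if proto == "tcp" and pkt["proto"] != "tcp":
        return False
    for key, want in opts.items():
        if key == "via" and pkt["iface"] != want:
            return False
        if key in ("src", "dst") and \
                ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
            return False
        if key == "frag" and pkt["frag_offset"] == 0:
            return False          # 'frag' only matches non-first fragments
        if key == "established":
            # Needs TCP flags; a non-first fragment carries no TCP header
            flags = pkt["tcp_flags"] if pkt["frag_offset"] == 0 else set()
            if not flags & {"ACK", "RST"}:
                return False
    return True

def first_match(rules, pkt):
    """Return (rule number, action) of the first matching rule, or None."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return number, rule[0]
    return None

def make_pkt(frag_offset, tcp_flags):
    # Constructed sample packet from a remote peer to this host on em0
    return {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10",
            "iface": "em0", "frag_offset": frag_offset,
            "tcp_flags": set(tcp_flags)}

FIRST_FRAGMENT = make_pkt(0, {"ACK"})     # has the TCP header, ACK set
LATER_FRAGMENT = make_pkt(185, set())     # offset > 0, no TCP header at all

# Same ruleset with an rc.firewall-style frag allow placed before the deny
# (placement is an assumption for this illustration)
WITH_FRAG_ALLOW = POSTED_RULES[:4] + [("allow", "ip", {"frag": True})] \
                  + POSTED_RULES[4:]
```

The first fragment is passed by the `established` rule, but every later fragment of the same datagram is dropped by the `frag` deny, so the datagram can never be reassembled.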
More information about the freebsd-security mailing list