Very Computer

#I use the following IPFilter rules (tun0 is the public interface)
pass out quick on tun0 proto udp   from  any to  any keep state
pass out quick on tun0 proto icmp  from  any to  any keep state
pass out quick on tun0 proto tcp   from  any to  any keep state

#block ICMP on outside interface but allow type 0, ping,
#and type 11, traceroute, in
pass  in  log  quick  on  tun0  proto icmp from    any  to any icmp-type
0
pass  in  log  quick  on  tun0  proto icmp from    any  to any icmp-type
11
block in  log  quick  on  tun0  proto icmp from    any  to any

#block non-routed nets on the outside interface as those have to be
spoofed
block in  log  quick  on  tun0  from  10.0.0.0/8     to   any
block in  log  quick  on  tun0  from  172.16.0.0/12  to   any
block in  log  quick  on  tun0  from  192.168.0.0/16 to   any
block in  log  quick  on  tun0  from  127.0.0.0/8    to   any
block out log  quick  on  tun0  from  10.0.0.0/8     to   any
block out log  quick  on  tun0  from  172.16.0.0/12  to   any
block out log  quick  on  tun0  from  192.168.0.0/16 to   any
block out log  quick  on  tun0  from  127.0.0.0/8    to   any

#block FUP packets used by nmap to do fingerprinting
block in  log  quick  on  tun0  proto tcp   from    any to any  flags
FUP

block in  log  on    tun0 from    any to  any

#Allow Standard HTTP
pass  in  quick  on  tun0  from    any to  any port = 80

#Allow HTTPS
pass  in  quick on   tun0  from    any to  any port = 443

#allow ssh
pass  in  quick on   tun0  from    any to  any port = 22

What is wrong with this rules ?

Thanks
Sam

pass in quick on tun0           from any to any port = 22 keep state
or
pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state

HTH
Victor

Quote:> I have recently changed the ipfiltering rules as follow, it doesn't
> allow in-bound packet to my ssh port at all.

> #I use the following IPFilter rules (tun0 is the public interface)
> pass out quick on tun0 proto udp   from  any to  any keep state
> pass out quick on tun0 proto icmp  from  any to  any keep state
> pass out quick on tun0 proto tcp   from  any to  any keep state

> #block ICMP on outside interface but allow type 0, ping,
> #and type 11, traceroute, in
> pass  in  log  quick  on  tun0  proto icmp from    any  to any icmp-type
> 0
> pass  in  log  quick  on  tun0  proto icmp from    any  to any icmp-type
> 11
> block in  log  quick  on  tun0  proto icmp from    any  to any

> #block non-routed nets on the outside interface as those have to be
> spoofed
> block in  log  quick  on  tun0  from  10.0.0.0/8     to   any
> block in  log  quick  on  tun0  from  172.16.0.0/12  to   any
> block in  log  quick  on  tun0  from  192.168.0.0/16 to   any
> block in  log  quick  on  tun0  from  127.0.0.0/8    to   any
> block out log  quick  on  tun0  from  10.0.0.0/8     to   any
> block out log  quick  on  tun0  from  172.16.0.0/12  to   any
> block out log  quick  on  tun0  from  192.168.0.0/16 to   any
> block out log  quick  on  tun0  from  127.0.0.0/8    to   any

> #block FUP packets used by nmap to do fingerprinting
> block in  log  quick  on  tun0  proto tcp   from    any to any  flags
> FUP

> block in  log  on    tun0 from    any to  any

> #Allow Standard HTTP
> pass  in  quick  on  tun0  from    any to  any port = 80

> #Allow HTTPS
> pass  in  quick on   tun0  from    any to  any port = 443

> #allow ssh
> pass  in  quick on   tun0  from    any to  any port = 22

> What is wrong with this rules ?

> Thanks
> Sam

Thanks
Sam.

pass out quick on lo0 all
pass in  quick on lo0 all

2. Also, check weather default works

## Beg of File: /etc/ipf.rules
pass in all
pass out all
## End of File: /etc/ipf.rules

check that SSH is running and that it isn't a problem with something like
host.deny or tcpwrappers or stuff like that. Make sure the sshd_config isn't
set to deny some IP as well.

3. Then try this:

######################################################################
# Allow WEB and SSH to connect to the server. Allow pings too.
######################################################################
pass in quick on xl0 proto tcp  from any to any port = 22 flags S keep state
pass in quick on xl0 proto icmp from any to any icmp-type 0
pass in quick on xl0 proto icmp from any to any icmp-type 11

######################################################################
# Allow Statefull connection to outside
######################################################################
pass out quick on xl0 proto tcp/udp from any to any keep state
pass out quick on xl0 proto icmp    from any to any keep state

######################################################################
# Default DENY policy
######################################################################
block out all
block in  all