Subject: IPF and ssh
To: None <>
From: Mark Nelson <>
List: current-users
Date: 11/17/2003 16:24:44
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 7bit


I have a ipf based firewall, I have the rule -

pass in quick on ex0 proto tcp from any to port = ssh
flags S/SA keep state

ex0 is my external interface,

However when I try to connect to the machine the connection is blocked
and I get the following line in the firewall log.

17/11/2003 15:44:18.943806 ex2 @0:19 b,22 ->,34502 PR tcp len 20 552 -A IN

Rule 19 is 

block in log on ex2 from any to any

The ssh daemon seams to want to open a connection back to the source
machine on port 34502.  The only way to allow this to work is to include
a line 

pass in quick on ex2 from to any keep state.

This however lets any traffic from any machine on the subnet send data
on any  port out of my subnet. I would prefer not to do
this, is there an easier way to accomplish this or do I have to have the
blanket pass rule ?


Mark Nelson -
This mail is for the addressee only

Content-Type: application/pgp-signature

Version: GnuPG v1.2.2 (GNU/Linux)