Subject: IPF and ssh
To: None <current-users@NetBSD.org>
From: Mark Nelson <mn@tardis.cx>
List: current-users
Date: 11/17/2003 16:24:44

Hi 

I have an ipf-based firewall; I have the rule:

pass in quick on ex0 proto tcp from any to 10.119.6.226 port = ssh
flags S/SA keep state

ex0 is my external interface.

However when I try to connect to the machine the connection is blocked
and I get the following line in the firewall log.

17/11/2003 15:44:18.943806 ex2 @0:19 b 10.169.6.226,22 -> 10.32.160.78,34502 PR tcp len 20 552 -A IN


Rule 19 is:

block in log on ex2 from any to any

The ssh daemon seems to want to open a connection back to the source
machine on port 34502.  The only way to allow this to work is to include
a line:

pass in quick on ex2 from 10.169.6.224/27 to any keep state.

This, however, lets any machine on the subnet send data on any port out
of my 10.169.6.224 subnet. I would prefer not to do this; is there an
easier way to accomplish this, or do I have to have the blanket pass
rule?

Mark.


-----------------------------------
Mark Nelson - mn@tardis.cx
This mail is for the addressee only
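As an added example that is not part of the post or of ipf itself: a small parser for ipmon lines of the form quoted above, which classifies a blocked TCP packet that carries ACK without SYN and leaves a local service port as a reply to an existing session that no state entry covered, rather than as a new inbound connection. The first sample line is the one from the post; the second is constructed, and the local-service table is an assumption.

```python
import re

# Constructed sample: line 1 is the ipmon line quoted in the post, re-joined
# onto one line; line 2 is a made-up passed SYN from the same client.
SAMPLE_LOG = (
    "17/11/2003 15:44:18.943806 ex2 @0:19 b 10.169.6.226,22 -> 10.32.160.78,34502 PR tcp len 20 552 -A IN\n"
    "17/11/2003 15:44:20.101010 ex0 @0:3 p 10.32.160.78,34502 -> 10.119.6.226,22 PR tcp len 20 60 -S IN\n"
)

# ipmon text format: date time iface @group:rule action src,sport -> dst,dport
# PR proto len hdrlen totlen [-FLAGS] IN|OUT   (flags only present for tcp)
IPMON_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<len>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)


def parse_ipmon(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("rule", "sport", "dport"):
        ev[key] = int(ev[key])
    ev["flags"] = ev["flags"] or ""   # non-TCP lines carry no flag field
    return ev


def classify(ev, local_services):
    """Label an event. local_services is a set of (ip, port) pairs we serve.

    'orphan-reply': blocked packet with ACK but no SYN, sourced from one of our
    service ports; it is a reply in an established session that the stateful
    rule did not cover, not a new connection opened by the daemon.
    """
    if ev["action"] == "p":
        return "passed"
    if ev["action"] != "b" or ev["proto"] != "tcp":
        return "other"
    flags = ev["flags"]
    if "A" in flags and "S" not in flags and (ev["src"], ev["sport"]) in local_services:
        return "orphan-reply"
    if "S" in flags and "A" not in flags:
        return "blocked-syn"
    return "other"


def summarize(log_text, local_services):
    """Count events per label over a block of ipmon output."""
    counts = {}
    for line in log_text.splitlines():
        ev = parse_ipmon(line)
        if ev is not None:
            kind = classify(ev, local_services)
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Run `summarize(SAMPLE_LOG, {("10.169.6.226", 22)})` to see the quoted line counted as an orphan reply and the constructed SYN counted as passed.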

