PF, SSH closed by remote host

Rod rod at supanet.net.uk
Thu Aug 4 18:21:16 GMT 2005 

Thanks for that here's the output, currently looking down the path that
maybe it's ssh miss-behaving 

pfctl -xm:

No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

pfctl -si:

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:36:23             Debug: Misc
 
Hostid: 0xf7895b8a
 
State Table                          Total             Rate
  current entries                       13
  searches                           61585           28.2/s
  inserts                              322            0.1/s
  removals                             309            0.1/s
Counters
  match                                889            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s

ps -auwx ... disconnected ..

/var/log/messages :

Aug  4 20:10:09 host2 kernel: pf: BAD state: TCP 192.168.2.3:22
192.168.2.3:22 192.168.2.9:45297 [lo=4294559707 high=4294560735
win=33304 modulator=0] [lo=1818073202 high=1818106506 win=3140
modulator=0] 4:4 A seq=4294559707 ack=1818073202 len=1448 ackskew=0
pkts=72:121 dir=out,fwd
Aug  4 20:10:09 host2 kernel: pf: State failure on: 1       |
Aug  4 20:10:09 host2 sshd[94143]: fatal: Write failed: Operation not
permitted

pfctl -si:

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:43:20             Debug: Misc
 
Hostid: 0xf7895b8a
 
State Table                          Total             Rate
  current entries                        1
  searches                           62446           24.0/s
  inserts                              355            0.1/s
  removals                             354            0.1/s
Counters
  match                                951            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s


On Thu, 2005-08-04 at 18:53, Daniel Hartmeier wrote:
> On Thu, Aug 04, 2005 at 06:48:23PM +0100, Rod wrote:
> 
> > Have tried lists,google and multiple different variations of the above
> > pf.conf but it's still happening. Any suggests?
> 
> Enable debug logging in pf (pfctl -xm), make sure all blocked packets
> are logged and pflogd is running. Print the current counters values
> (pfctl -si). Then reproduce the connection reset. Afterwards:
> 
>   - check /var/log/messages for any messages from pf
>   - check pflog for any logged packets
>   - print the counters again (pfctl -si) and check if any of them
>     have increased
> 
> It might be neccessary to tcpdump one entire ssh connection (from
> establishment to the point where its reset) to fully analyze the
> problem, but maybe the simpler steps above will already give a hint.
> 
> Daniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20050804/e55c9eae/attachment.bin

More information about the freebsd-pf mailing list