pfctl -e and pfctl -d kills all connections

Abdullah Ibn Hamad Al-Marri almarrie at gmail.com
Wed Sep 19 11:07:40 PDT 2007


Hello Guys,

Here are my full rules.

When I run pfctl -e or pfctl -d, all connections die.

FreeBSD IM.WeArab.Net 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Tue Sep 18
10:06:42 CDT 2007     arabian at IM.WeArab.Net:/usr/obj/usr/src/sys/IM
i386


ext_if="fxp0"
int_if="lo0"
tcp_services = "{ domain, www, 123, 3306 }"
udp_services = "{ domain, 123, 514 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              240.0.0.0/4 }"
icmp_types = "8"
table <bruteforce> persist
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
set fingerprints "/etc/pf.os"
#scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if  all reassemble tcp
antispoof for $ext_if inet
antispoof for $int_if
block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from <bruteforce> to any
block quick from any to <bruteforce>
# Pass ICMP type 8 (echo request) in, with state so the replies are matched
pass in on $ext_if inet proto icmp all icmp-type $icmp_types
pass proto udp to any port $udp_services
# TCP services: SYN-proxy the handshake, rate-limit each source and put
# offenders into <bruteforce> (flush global drops all their states)
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 200, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
pass out proto tcp to any flags S/SA
pass out proto { udp, icmp } to any
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any \
             port 33433 >< 33626
# End


Do you know the cause?

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
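The ruleset above is easy to misread by eye: macros hide the real interface and port lists, and a pass rule that is pasted in twice is accepted silently by pfctl. The following small linter is an added example, not code from the post or from pf itself. It joins backslash continuations, strips comments, expands `$macro` references and reports rules that occur more than once, macros used without a definition and tables referenced without a `table <name>` line. The embedded pf.conf is a constructed, abbreviated copy of the posted rules that keeps the duplicated pass rules; the `<badguys>` table and `$ssh_port` macro in its last line are deliberately undefined so the checks have something to find.

```python
"""Added example: a minimal pf.conf linter (not part of the original post or of pf).

Joins backslash continuations, strips comments, expands $macro references and
reports duplicated filter rules, undefined macros and undefined tables.
"""
import re
from collections import Counter

# Constructed sample: abbreviated copy of the posted ruleset, duplicate pass
# rules kept, plus one rule with a deliberately undefined table and macro.
SAMPLE_PF_CONF = r'''
ext_if="fxp0"
int_if="lo0"
tcp_services = "{ domain, www, 123, 3306 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, \
              10.0.0.0/8 }"
icmp_types = "8"
table <bruteforce> persist
set skip on $int_if
block in log on $ext_if all
block drop in quick on $ext_if from $martians to any
block quick log from <bruteforce> to any
# Pass ICMP type 8 (echo request)
pass in on $ext_if inet proto icmp all icmp-type $icmp_types
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 200, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp all icmp-type $icmp_types
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 200, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
pass out on $ext_if proto tcp from any to <badguys> port $ssh_port
'''

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
TABLE_DEF = re.compile(r'^table\s+<(\w+)>')
TABLE_REF = re.compile(r'<(\w+)>')
MACRO_REF = re.compile(r'\$(\w+)')
RULE_KEYWORDS = ("block", "pass", "match", "antispoof", "scrub")


def logical_lines(text):
    """Yield comment-free logical lines, joining lines that end in a backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # pf comments run to end of line
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = " ".join((buf + line).split())    # collapse whitespace
        buf = ""
        if line:
            yield line


def expand(line, macros):
    """Expand $name references; unknown names are left as-is and returned."""
    missing = set()

    def sub(m):
        name = m.group(1)
        if name in macros:
            return macros[name]
        missing.add(name)
        return m.group(0)

    # single pass: macro values in the sample contain no nested $refs
    return MACRO_REF.sub(sub, line), missing


def lint(text):
    """Return the expanded filter rules and the findings for a pf.conf text."""
    macros, tables, rules = {}, set(), []
    missing_macros, missing_tables = set(), set()
    for line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = " ".join(m.group(2).split())
            continue
        t = TABLE_DEF.match(line)
        if t:
            tables.add(t.group(1))
            continue
        expanded, missing = expand(line, macros)
        missing_macros |= missing
        if expanded.split()[0] in RULE_KEYWORDS:
            rules.append(expanded)
            missing_tables |= set(TABLE_REF.findall(expanded)) - tables
    duplicates = sorted(r for r, n in Counter(rules).items() if n > 1)
    return {
        "rules": rules,
        "duplicates": duplicates,
        "undefined_macros": sorted(missing_macros),
        "undefined_tables": sorted(missing_tables),
    }


if __name__ == "__main__":
    report = lint(SAMPLE_PF_CONF)
    print(f"{len(report['rules'])} filter rules after macro expansion")
    for key in ("duplicates", "undefined_macros", "undefined_tables"):
        for item in report[key]:
            print(f"{key}: {item}")
```

Run it on a real file with `lint(open("/etc/pf.conf").read())`; it is a complement to `pfctl -nf /etc/pf.conf`, which checks syntax but says nothing about a rule that is merely repeated. Note that `pfctl -f` on a syntactically valid file replaces the ruleset without touching the state table, unlike the disable/enable cycle the post describes.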


More information about the freebsd-pf mailing list