SSH Session disconnecting with pf
Torsten at CNC-LONDON
torsten at cnc-london.net
Mon Apr 7 22:00:57 UTC 2008
Hi All,
I'm running FreeBSD stable 6.2 on all my servers, and in the past year I have
noticed random disconnection of persistent sessions to and from servers
which are running PF as the firewall.
At first I was blaming internet connectivity issues for this and tried to sell
it as "as good as it gets".
Of course, at first I noticed it with SSH connections and later on with FTP
NOOP connections and so on.
This dropping causes SSH to be reconnected and FTP to stall indefinitely
until a new login.
All the people are starting to get quite spooked about it, especially SSH users,
because of interrupted sessions and tunneling.
I tried to find the reason for this.
Any help would be very appreciated.
Regards
Torsten
All kernels are compiled with:
****************************************
#pf firewall start
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Based Queueing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
# PF firewall end
options SMP
options QUOTA
****************************************
All other options are left alone.
My pf.conf looks like this (sorry, I changed the external IP addresses because I don't
trust myself to have done the right thing):
*****************************
###MACROS
ext_if = "em0"
int_if = "vr0"
ext_ip = "{0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5}"
loop_if="lo0"
SYN_ONLY="S/FSRA"
icmp_types = "echoreq"
office_ip="{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4 , 1.0.0.5, 1.0.0.6, 1.0.0.7 }"
public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993, 995, 8025}"
PassiveFTP = "{ 55000 >< 59000 }"
##TABLES
# private IP address spaces
table <private_net> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
# blacklist hosts
table <blacklist> persist file "/usr/local/etc/pf/pf.blacklist"
## GLOBAL OPTIONS
set block-policy return
set loginterface $ext_if
set optimization normal
set skip on lo0
## TRAFFIC NORMALIZATION
scrub in all no-df
scrub out all no-df
## FILTER RULES
# in general block all connections and allow later below
block in
# allow all on loop interface
pass quick on $loop_if
# block all private ip addresses
block in quick on $ext_if from { <private_net> }
# allow any connection from the server to go out
pass out keep state
# allow tcp/udp connections to the above ports from external
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state
# allow ping requests from anywhere but filter them
pass in log inet proto icmp all icmp-type $icmp_types keep state
# allow any connection from management IPs
pass in log quick on $ext_if proto udp from $office_ip to $ext_if keep state
pass in log quick on $ext_if proto tcp from $office_ip to $ext_if flags $SYN_ONLY keep state
# blacklist spam networks and so on
block log quick from <blacklist> to any
block log quick from any to <blacklist>
# ftp proxy rubbish for passive ftp
pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state
pass quick on $int_if
****************************
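The ruleset above only passes inbound TCP on SYN-only packets (`flags S/FSRA keep state`) under a default `block in` with `set block-policy return`. Under those rules a session survives only as long as its pf state does: if the state entry expires while the session is idle, the next mid-stream packet arrives with no state, matches `block in` instead of the SYN-only pass rule, and the peer receives a reset. The two things worth reading off the firewall before blaming the network are therefore the `state-mismatch` counter and the state-table size in `pfctl -si`, and the TCP timeouts (including the adaptive thresholds, above which pf shortens every timeout) in `pfctl -st`. The script below is an added example by the editor, not code from the original post or from FreeBSD; the `pfctl` outputs it parses are constructed and abridged sample text, and the function names and the one-hour threshold are the editor's own choices.

```shell
#!/bin/sh
# Added example (editor's own, not from the original post or from FreeBSD):
# pull the state-table figures that matter for idle-session drops out of
# `pfctl -si` and `pfctl -st` output. The sample outputs below are constructed
# and abridged; on a real host feed it the live output instead:
#   pf_state_report "$(pfctl -si)" "$(pfctl -st)"

# Constructed, abridged `pfctl -si` output (state-mismatch deliberately nonzero).
sample_si() {
cat <<'EOF'
Status: Enabled for 12 days 03:44:10           Debug: Urgent

State Table                          Total             Rate
  current entries                      412
  searches                        98231234           93.1/s
  inserts                           203123            0.2/s
  removals                          202711            0.2/s
Counters
  match                             210034            0.2/s
  memory                                 0            0.0/s
  state-mismatch                      1842            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
EOF
}

# Constructed, abridged `pfctl -st` output with pf's stock timeouts.
sample_st() {
cat <<'EOF'
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
adaptive.start            6000 states
adaptive.end             12000 states
EOF
}

# pf_counter NAME: Total column of a one-word counter from `pfctl -si` on stdin.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# pf_current_entries: value of the "current entries" line of `pfctl -si` on stdin.
pf_current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# pf_timeout NAME: a `pfctl -st` value on stdin with any trailing "s" stripped.
pf_timeout() {
    awk -v name="$1" '$1 == name { sub(/s$/, "", $2); print $2; exit }'
}

# pf_state_report SI_TEXT ST_TEXT: one summary line, then one WARN line per finding.
pf_state_report() {
    si=$1
    st=$2
    mismatch=$(printf '%s\n' "$si" | pf_counter state-mismatch)
    entries=$(printf '%s\n' "$si" | pf_current_entries)
    established=$(printf '%s\n' "$st" | pf_timeout tcp.established)
    astart=$(printf '%s\n' "$st" | pf_timeout adaptive.start)
    mismatch=${mismatch:-0}; entries=${entries:-0}
    established=${established:-0}; astart=${astart:-0}

    printf 'state-mismatch=%s current-entries=%s tcp.established=%ss adaptive.start=%s\n' \
        "$mismatch" "$entries" "$established" "$astart"

    # Packets that matched an existing state but failed pf's TCP sequence-window check.
    if [ "$mismatch" -gt 0 ]; then
        echo "WARN: state-mismatch is $mismatch; compare against pflog and the scrub rules"
    fi
    # Above adaptive.start pf scales every timeout down, so idle states expire sooner.
    if [ "$entries" -gt "$astart" ]; then
        echo "WARN: $entries states exceed adaptive.start=$astart; timeouts are being shortened"
    fi
    # An idle SSH session must see traffic within tcp.established or lose its state.
    if [ "$established" -lt 3600 ]; then
        echo "WARN: tcp.established=${established}s is shorter than one hour"
    fi
}

pf_state_report "$(sample_si)" "$(sample_st)"
```

If the report shows states expiring, the mitigation sits on both sides of the firewall: raising `set timeout tcp.established` in pf.conf keeps idle states longer, and OpenSSH keepalives (`ClientAliveInterval` in sshd_config, `ServerAliveInterval` in ssh_config) make an idle session send traffic well inside whatever timeout pf applies, so the state is refreshed instead of expiring.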
More information about the freebsd-pf mailing list