SSH Session disconnecting with pf
Elliott Perrin
elliott at c7.ca
Mon Apr 7 23:17:17 UTC 2008
On Mon, 2008-04-07 at 23:02 +0100, Torsten @ CNC-LONDON wrote:
> Hi All
>
> I'm running FreeBSD stable 6.2 on all my servers, and in the past year I
> have noticed random disconnection of persistent sessions to and from servers
> which are running PF as the firewall.
>
> At first I was blaming internet connectivity issues for this and tried to
> sell it as "as good as it gets".
>
> Of course at first I noticed it with SSH connections and later on with ftp
> NOOP connections and so on.
>
> This dropping causes SSH to be reconnected and ftp to stall indefinitely
> until a new login.
>
> People are starting to get quite spooked about it, especially SSH users,
> because of interrupted sessions and tunneling.
>
> I tried to find the reason for this.
>
> Any help would be very appreciated.
>
> Regards
>
> Torsten
>
> All kernels are compiled with:
>
> ****************************************
> #pf firewall start
> device pf
> device pflog
> device pfsync
> options ALTQ
> options ALTQ_CBQ # Class Based Queueing (CBQ)
> options ALTQ_RED # Random Early Detection (RED)
> options ALTQ_RIO # RED In/Out
> options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
> options ALTQ_PRIQ # Priority Queuing (PRIQ)
> options ALTQ_NOPCC # Required for SMP build
> # PF firewall end
>
> options SMP
> options QUOTA
> ****************************************
>
> All other options are left alone.
>
>
>
> My pf.conf looks like this (sorry, I changed the external IP addresses
> because I don't trust myself to have done the right thing):
>
> *****************************
> ###MACROS
> ext_if = "em0"
> int_if = "vr0"
> ext_ip = "{0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5}"
> loop_if="lo0"
> SYN_ONLY="S/FSRA"
> icmp_types = "echoreq"
> office_ip="{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4 , 1.0.0.5, 1.0.0.6, 1.0.0.7 }"
> public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993, 995, 8025}"
> PassiveFTP = "{ 55000 >< 59000 }"
>
> ##TABLES
> #private IP address spaces
> table <private_net> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
>
> # blacklist host
> table <blacklist> persist file "/usr/local/etc/pf/pf.blacklist"
>
> ## GLOBAL OPTIONS
> set block-policy return
> set loginterface $ext_if
> set optimization normal
> set skip on lo0
>
> ## TRAFFIC NORMALIZATION
> scrub in all no-df
> scrub out all no-df
>
> ## FILTER RULES
> # in general block all connections and allow later below
> block in
>
> # allow all on loop interface
> pass quick on $loop_if
>
> # block all private ip addresses
> block in quick on $ext_if from { <private_net> }
>
> # allow any connection from the server to go out
> pass out keep state
>
This is your problem right here. Try:

    pass out quick proto tcp flags S/SA keep state
    pass out quick proto udp keep state
    pass out quick proto icmp keep state

You can keep your flags as S/SFRA as it is more restrictive than S/SA,
but you should be examining flags for outbound TCP in order to keep
state. I imagine you may be filling your state table with the way this
rule is currently written.
>
> #allow tcp/udp connections to the above ports from external
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state
>
> #allow ping request from anywhere but filter it
> pass in log inet proto icmp all icmp-type $icmp_types keep state
>
> #allow any connection from management IP's
> pass in log quick on $ext_if proto udp from $office_ip to $ext_if keep state
> pass in log quick on $ext_if proto tcp from $office_ip to $ext_if flags $SYN_ONLY keep state
>
> # blacklist spam networks and so on
> block log quick from <blacklist> to any
> block log quick from any to <blacklist>
>
> #ftp proxy rubbish for passive ftp
> pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
> pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state
>
> pass quick on $int_if
> ****************************
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
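Elliott's reply suspects the state table is filling up because the unrestricted `pass out keep state` rule creates state on any outbound packet. As an added example (not code from the thread or from pf itself), here is a small Python checker that reads `pfctl -si` and `pfctl -sm` output and reports whether the state table is near its hard limit or has already dropped packets. The sample output embedded in it is constructed, and the exact row labels it matches ("current entries", "memory", "state-limit", "states hard limit") are assumptions to verify against your own FreeBSD version.

```python
"""Check pf state-table pressure from pfctl output.

Added example for this thread (not code from the mailing list or from pf).
It assumes `pfctl -si` prints a "State Table" section with a "current entries"
row plus a "Counters" section with "memory" and "state-limit" rows, and that
`pfctl -sm` prints a "states hard limit N" row, as in the constructed samples
below. Verify the regexes against your own FreeBSD version before relying on it.
"""
import re
import subprocess
import sys
from typing import Optional

# Constructed sample output in the shape of `pfctl -si` (not from a real host).
SAMPLE_PFCTL_SI = """\
Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                        Total             Rate
  current entries                     9871
  searches                       48213377          182.0/s
  inserts                          913020            3.4/s
  removals                         903149            3.4/s
Counters
  match                           1021331            3.9/s
  bad-offset                            0            0.0/s
  memory                             3112            0.0/s
  state-mismatch                      517            0.0/s
  state-insert                          0            0.0/s
  state-limit                        2903            0.0/s
  src-limit                             0            0.0/s
"""

# Constructed sample output in the shape of `pfctl -sm`.
SAMPLE_PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
"""


def parse_counter(text: str, name: str) -> Optional[int]:
    """Return the 'Total' column of the row labelled `name`, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def parse_state_limit(sm_text: str) -> Optional[int]:
    """Return the hard limit on states from `pfctl -sm` output, or None."""
    m = re.search(r"^\s*states\s+hard limit\s+(\d+)", sm_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def assess(si_text: str, sm_text: str, warn_ratio: float = 0.8) -> dict:
    """Classify state-table health as 'ok', 'near-limit' or 'exhausted'.

    'exhausted' means pf has already dropped packets for lack of state room
    (non-zero state-limit or memory counters); 'near-limit' means the table
    holds more than warn_ratio of its hard limit.
    """
    current = parse_counter(si_text, "current entries")
    limit = parse_state_limit(sm_text)
    if current is None or not limit:
        raise ValueError("could not parse pfctl output")
    state_limit_drops = parse_counter(si_text, "state-limit") or 0
    memory_drops = parse_counter(si_text, "memory") or 0
    ratio = current / limit
    if state_limit_drops or memory_drops:
        verdict = "exhausted"
    elif ratio >= warn_ratio:
        verdict = "near-limit"
    else:
        verdict = "ok"
    return {
        "current": current,
        "limit": limit,
        "ratio": ratio,
        "state_limit_drops": state_limit_drops,
        "memory_drops": memory_drops,
        "verdict": verdict,
    }


def main() -> None:
    # With --live, read the real counters (needs root on a pf host);
    # otherwise run against the constructed samples above.
    if "--live" in sys.argv[1:]:
        si = subprocess.run(["pfctl", "-si"], capture_output=True, text=True, check=True).stdout
        sm = subprocess.run(["pfctl", "-sm"], capture_output=True, text=True, check=True).stdout
    else:
        si, sm = SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM
    r = assess(si, sm)
    print(f"states {r['current']}/{r['limit']} ({r['ratio']:.0%}), "
          f"state-limit drops {r['state_limit_drops']}, "
          f"memory drops {r['memory_drops']}: {r['verdict']}")


if __name__ == "__main__":
    main()
```

A non-zero state-limit or memory counter, or "current entries" sitting close to the hard limit, is the symptom to look for before and after tightening the `pass out` rule with `flags S/SA`; `pfctl -ss` lists the individual states if you want to see what is consuming them, and `set limit states` in pf.conf raises the hard limit if legitimate load really needs it.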