Date: Wed, 5 Jun 2013 15:53:53 +0200
From: Artiom Molchanov <ar.molchanov@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Simple config works for a limited time then blocks all
Message-ID: <CALG00W5QokmZi0g7SP015nYmOZ0jbdieVo4DLv5HgfeVhYpjwg@mail.gmail.com>
Hi All,

I am trying to configure my pf in two stages. In the beginning of the boot process, just load a simple ruleset with only ssh and ICMP ping enabled. Then, at the end, load the full ruleset. The full ruleset works well, but when I am trying to test my simple rules (pfctl -f /etc/pf_min.conf) I see strange behavior:

1. ssh connection is interrupted (normal)
2. I reconnect, it works
3. 1-2 minutes later the connection is cut again, no ping, nothing is accepted on the server.
4. It is still possible to receive rtadvd messages (yes, I am using IPv6)

I have 9.0-RELEASE: FreeBSD 9.0-RELEASE #5

Here are my rules, passed through the pfctl -vnf command:

set skip on { lo }
set debug loud
set block-policy return
ext_if = "net0"
int_if = "home0"
int_net = "home0:network"
altq on net0 hfsc bandwidth 850Kb tbrsize 1492 queue { q_voice q_other }
queue q_voice bandwidth 64Kb priority 6 hfsc( realtime 128Kb )
queue q_other bandwidth 786Kb priority 5 { q_pri q_std q_low }
queue q_pri bandwidth 50% priority 3 hfsc( red realtime 96Kb )
queue q_std bandwidth 30% priority 2 hfsc( red default )
queue q_low bandwidth 20% hfsc( red upperlimit 92% )
block return in all
pass out all flags S/SA keep state
pass out on net0 proto udp from any to any port 33433 >< 33626 keep state label "UDP TRACEROUTE"
pass out inet proto icmp all icmp-type echoreq keep state label "ICMP"
pass out inet proto icmp all icmp-type unreach keep state label "ICMP"
pass in on net0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass quick on net0 proto tcp from any to (net0) port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 5/60, overload <hammering> flush, src.track 60) queue q_pri
pass quick on home0 inet6 proto tcp from 2001:xxxx:xxxx:abc::/64 to (home0)/32 port = ssh flags S/SA keep state
pass quick on home0 inet proto tcp from 192.168.17.0/24 to (home0) port = ssh flags S/SA keep state
pass inet6 proto tcp from 2001:xxxx:xxxx:abc::/64 to any port = domain flags S/SA keep state
pass inet6 proto udp from 2001:xxxx:xxxx:abc::/64 to any port = domain keep state
pass inet proto tcp from 192.168.17.0/24 to any port = domain flags S/SA keep state
pass inet proto udp from 192.168.17.0/24 to any port = domain keep state
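An added audit script, not from the original post or from FreeBSD, that parses pass rules in the pfctl -vnf format shown above and reports, per interface and direction, which ICMPv6 neighbour-discovery types no explicit pass rule admits. The embedded rules are a constructed subset of the post's ruleset, and the assignment of net0 as a host-role interface and home0 as a router-role interface is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pfctl -vnf output in the post.
SAMPLE_RULES = """\
block return in all
pass out all flags S/SA keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
"""

# ICMPv6 types each role must pass (RFC 4861): a host receives NS/NA/RA and
# sends NS/NA/RS; a router receives NS/NA/RS and sends NS/NA/RA.
ND_REQUIRED = {
    "host":   {"in": {"neighbrsol", "neighbradv", "routeradv"},
               "out": {"neighbrsol", "neighbradv", "routersol"}},
    "router": {"in": {"neighbrsol", "neighbradv", "routersol"},
               "out": {"neighbrsol", "neighbradv", "routeradv"}},
}
RULE_RE = re.compile(r"^pass\s+(in|out)\b(?:\s+quick)?(?:\s+on\s+(\S+))?(?P<rest>.*)$")

def parse_icmp6_passes(text):
    """Map (iface, direction) -> ICMPv6 types admitted by explicit pass rules."""
    allowed = defaultdict(set)
    for m in filter(None, (RULE_RE.match(l.strip()) for l in text.splitlines())):
        direction, iface, rest = m.group(1), m.group(2) or "*", m.group("rest")
        t = re.search(r"icmp6-type\s+(\S+)", rest)
        if t:
            allowed[(iface, direction)].add(t.group(1))
        elif "proto" not in rest and re.match(r"\s+all\b", rest):
            # 'pass <dir> all' with no proto admits every type on every interface
            allowed[(iface, direction)].add("*")
    return allowed

def missing_nd_types(text, roles):
    """roles: {iface: 'host'|'router'}; returns (iface, dir) -> ND types no rule admits."""
    allowed = parse_icmp6_passes(text)
    report = {}
    for iface, role in roles.items():
        for direction, needed in ND_REQUIRED[role].items():
            # Only explicit rules count; replies matched by state entries are out of scope
            have = allowed[(iface, direction)] | allowed[("*", direction)]
            report[(iface, direction)] = set() if "*" in have else needed - have
    return report
```

Run against the full ruleset, the report shows that the outbound side of every interface is covered only by the catch-all `pass out all` rule rather than by explicit ICMPv6 rules.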