Date:      Tue, 02 Sep 2008 14:15:14 -0700
From:      Gavin Spomer <spomerg@cwu.EDU>
To:        freebsd-pf@freebsd.org
Subject:   PF is blocking inbound/outbound ssh, nothing else
Message-ID:  <48BD4A72020000900001CC0D@hermes.cwu.edu>

I've recently had to leave my firewall off on my test server because when I'm ssh-ed in and enable pf, I get "locked out". :( It was working fine before and the only change that's happened recently is our university has a new IP range, but I've changed that in my config. I also have a production FreeBSD server which I can ssh to (thankfully) with pf enabled, and its pf.conf is virtually the same.

My pf config relevant to this is:

   #### LISTS/MACROS:
   ext_if = "bce0"

   #### TABLES:
   table <campusaccess> const { campus ip range omitted }

   #### OPTIONS:
   set skip on lo0

   #### NORMALIZATION:
   scrub in all

   #### FILTERING:
   # default deny everything in and out, and log it
   block in log on $ext_if all
   block out log on $ext_if all

   # antispoof: drop packets arriving on $ext_if with a source address
   # that belongs to one of this host's own networks
   antispoof log quick for $ext_if inet

   # ssh for <campusaccess>; state is created only on the initial SYN
   pass in on $ext_if proto tcp from <campusaccess> to $ext_if port 22 flags S/SA keep state

   (other rules for other services/ports that are working go here)

   # let stuff out
   pass out on $ext_if proto { tcp, udp } from any to any keep state

/var/log/messages shows entries like:

   Sep  2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted

tcpdump -n -e -ttt -r /var/log/pflog shows entries like:

   32. 022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>

and:

   2143. 098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>

My Mac is within the <campusaccess> defined in my tables section. Only ssh is being blocked. Other things like port 80 for apache, port 3306 for MySQL, port 8080 for Plone, etc. are all fine.

I have searched the freebsd-pf list archives, but it only allows me one page of search results for some reason. I have also Googled a bit and have finally posted here. Very confused.

Gavin Spomer
Systems Programmer
Brooks Library
Central Washington University
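Editor's added example (not part of the original post): the two pflog entries quoted above are both data segments carrying an ACK, with no SYN, and both hit the default block rules (rule 0 inbound, rule 1 outbound). A pass rule written with `flags S/SA keep state` creates state only when it sees the opening SYN, so a TCP session that was already established when pf was enabled, or whose state entry has since been flushed, has no state to match and every later packet of it falls through to the block rules. The script below parses the old-style `tcpdump -n -e -ttt -r /var/log/pflog` output format shown in the post and separates blocked connection-opening SYNs (a rule problem) from blocked mid-stream packets (a missing-state problem). The log lines and addresses in `SAMPLE_PFLOG` are constructed for the example, and the regular expression assumes the tcpdump output format quoted in the post.

```python
"""Classify pf 'block' log entries: new-connection SYNs vs mid-stream packets.

Added example, not from the original post. Input is the text printed by
`tcpdump -n -e -ttt -r /var/log/pflog` (old-style tcpdump TCP output, as
quoted in the post). Sample lines below are constructed for this example.
"""
import re
import sys
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample: the two entries from the post (with made-up addresses)
# plus one blocked SYN to port 23 for contrast.
SAMPLE_PFLOG = """\
32. 022410 rule 0/0(match): block in on bce0: 10.1.2.3.50186 > 10.1.2.4.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
2143. 098222 rule 1/0(match): block out on bce0: 10.1.2.4.22 > 10.1.2.3.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
0. 000500 rule 0/0(match): block in on bce0: 10.1.2.9.40000 > 10.1.2.4.23: S 1:1(0) win 65535 <mss 1460>
"""

# Assumed format: "rule N/M(reason): action dir on ifname: src.sport > dst.dport: FLAGS rest"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEWC.]+) (?P<rest>.*)"
)
ACK_RE = re.compile(r"\back \d+")


def classify(syn: bool, ack: bool) -> str:
    """Name what kind of TCP segment pf acted on."""
    if syn and not ack:
        return "new-connection"  # opening SYN: a 'flags S/SA keep state' rule can create state
    if syn and ack:
        return "syn-ack"
    if ack:
        return "mid-stream"  # established session; pf holds no state for it
    return "other"


def parse_line(line: str) -> Optional[dict]:
    """Parse one pflog line into fields, or return None if it is not a TCP entry."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        pkt[key] = int(pkt[key])
    pkt["syn"] = "S" in pkt["flags"]
    pkt["ack"] = ACK_RE.search(pkt["rest"]) is not None
    pkt["kind"] = classify(pkt["syn"], pkt["ack"])
    return pkt


def summarize(log_text: str) -> Dict[Tuple[str, int, str], int]:
    """Count blocked packets by (direction, server-side port, segment kind).

    The server-side port is the destination for inbound packets and the
    source for outbound ones, so both halves of one session count under
    the same port.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["action"] != "block":
            continue
        port = pkt["dport"] if pkt["direction"] == "in" else pkt["sport"]
        counts[(pkt["direction"], port, pkt["kind"])] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_classify.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFLOG
    for (direction, port, kind), n in sorted(summarize(text).items()):
        print(f"block {direction:3} port {port:5} {kind:15} {n}")
```

If the blocked ssh packets all come out as "mid-stream" while other ports show only "new-connection" entries, the filter rules are not what is dropping ssh; the session simply has no state entry. `pfctl -ss` lists the current state table and `pfctl -vvsr` prints the loaded rules with the `@N` numbers that the pflog "rule N/M" field refers to, so the two can be compared directly.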

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48BD4A72020000900001CC0D>