From: Jeremy Chadwick
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Date: Tue, 2 Sep 2008 16:23:18 -0700
Subject: Re: PF is blocking inbound/outbound ssh, nothing else
Message-ID: <20080902232318.GA80242@icarus.home.lan>
In-Reply-To: <48BD4A72020000900001CC0D@hermes.cwu.edu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, Sep 02, 2008 at 02:15:14PM -0700, Gavin Spomer wrote:
> I've recently had to leave my firewall off on my test server because when I'm ssh-ed in and enable pf, I get "locked out". :( It was working fine before and the only change that's happened recently is our university has a new ip range, but I've changed that in my config. I also have a production FreeBSD server which I can ssh to (thankfully) with pf enabled and its pf.conf is virtually the same.
>
> My pf config relevant to this is:
>
> #### LISTS/MACROS:
> ext_if = "bce0"
>
> #### TABLES:
> table const { campus ip range omitted }
>
> #### OPTIONS:
> set skip on lo0
>
> #### NORMALIZATION:
> scrub in all
>
> #### FILTERING:
> # default deny everything in and log
> block in log on $ext_if all
> block out log on $ext_if all
>
> # activate spoofing
> antispoof log quick for $ext_if inet
>
> # ssh for
> pass in on $ext_if proto tcp from to $ext_if port 22 flags S/SA keep state
>
> (other rules for other services/ports that are working go here)
>
> # let stuff out
> pass out on $ext_if proto { tcp, udp } from any to any keep state
>
> /var/log/messages shows entries like:
>
> Sep 2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted
>
> tcpdump -n -e -ttt -r /var/log/pflog shows entries like:
>
> 32.022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: P 1:97(96) ack 0 win 65535
>
> and:
>
> 2143.098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326
>
> My Mac is within the defined in my tables section. Only ssh is being blocked. Other things like port 80 for apache, port 3306 for MySQL, port 8080 for Plone, etc. are all fine.
>
> I have searched the freebsd-pf list archives, but it only allows me one page of search results for some reason. I have also Googled a bit and have finally posted here. Very confused.

The version of FreeBSD you're using is important here. What version?
--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
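An added example, not part of this thread, that parses pflog entries of the kind quoted above and flags blocked SSH segments carrying no SYN: those are mid-stream packets of a connection for which pf held no state entry, which is the situation when pf is enabled underneath an already open session and the pass rule (here "flags S/SA keep state") only creates state from a fresh SYN. The sample lines are constructed from the two entries in the post, with the host names replaced by RFC 5737 placeholder addresses.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's "tcpdump -n -e -ttt -r /var/log/pflog"
# output; addresses are placeholders, the third line is an accepted SYN for contrast.
SAMPLE_PFLOG = """\
00:00:32.022410 rule 0/0(match): block in on bce0: 198.51.100.7.50186 > 203.0.113.5.22: P 1:97(96) ack 0 win 65535
00:00:02.143098 rule 1/0(match): block out on bce0: 203.0.113.5.22 > 198.51.100.7.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326
00:00:00.500000 rule 5/0(match): pass in on bce0: 198.51.100.7.50600 > 203.0.113.5.22: S 1000:1000(0) win 65535
"""

# rule N/M(match): <action> <dir> on <if>: src.sport > dst.dport: <tcp flags> ...
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPRU.]+) "
)


@dataclass
class PfEvent:
    rule: int
    action: str
    direction: str
    ifname: str
    sport: int
    dport: int
    flags: str

    @property
    def is_midstream(self) -> bool:
        # No SYN: the segment belongs to a connection that was already established.
        return "S" not in self.flags


def parse_pflog(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(PfEvent(int(m["rule"]), m["action"], m["dir"], m["ifname"],
                                  int(m["sport"]), int(m["dport"]), m["flags"]))
    return events


def stateless_ssh_drops(events: list, ssh_port: int = 22) -> list:
    """Blocked SSH segments without SYN: they reached the default block rule because
    pf had no state for the connection, so a SYN-only pass rule could not match them."""
    return [e for e in events
            if e.action == "block" and ssh_port in (e.sport, e.dport) and e.is_midstream]
```

Running `stateless_ssh_drops(parse_pflog(SAMPLE_PFLOG))` on the sample returns both blocked entries (rules 0 and 1, one per direction) and leaves the accepted SYN alone; feeding it real pflog output shows whether the drops are mid-stream segments of existing sessions or rejected new connections.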