Date:      Wed, 3 Sep 2008 04:08:15 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: PF is blocking inbound/outbound ssh, nothing else
Message-ID:  <200809030408.15840.max@love2party.net>
In-Reply-To: <48BD4A72020000900001CC0D@hermes.cwu.edu>
References:  <48BD4A72020000900001CC0D@hermes.cwu.edu>

On Tuesday 02 September 2008 23:15:14 Gavin Spomer wrote:
> I've recently had to leave my firewall off on my test server because when
> I'm ssh-ed in and enable pf, I get "locked out". :( It was working fine

Are you saying that you can't connect to the box once you enable pf or that 
the session that was used to issue the "pfctl -e" command dies?  The latter is 
a well-known and - I believe - well-documented problem which stems from the 
way pf handles TCP states.  In short:  You have an active tcp connection 
to your sshd, once you enable pf the packets for that connection will be 
dropped by pf as they 1) don't match an active state and 2) [since the 
connection is ongoing] don't match the "flags S/SA" setting on your rule 
either.  Even if you remove the "flags S/SA" part you will get in trouble if 
you use window scaling.

> before and the only change that's happened recently is our university has a
> new ip range, but I've changed that in my config. I also have a production
> FreeBSD server which I can ssh to (thankfully) with pf enabled and its
> pf.conf is virtually the same.
>
> My pf config relevant to this is:
>
>    #### LISTS/MACROS:
>    ext_if = "bce0"
>
>    #### TABLES:
>    table <campusaccess> const { campus ip range omitted }
>
>    #### OPTIONS:
>    set skip on lo0
>
>    #### NORMALIZATION:
>    scrub in all
>
>    #### FILTERING:
>    # default deny everything in and log
>    block in log on $ext_if all
>    block out log on $ext_if all
>
>    # activate spoofing
>    antispoof log quick for $ext_if inet
>
>    # ssh for <campusaccess>
>    pass in on $ext_if proto tcp from <campusaccess> to $ext_if port 22 flags S/SA keep state
>
>    (other rules for other services/ports that are working go here)
>
>    # let stuff out
>    pass out on $ext_if proto { tcp, udp } from any to any keep state
>
> /var/log/messages shows entries like:
>
>    Sep  2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted
>
> tcpdump -n -e -ttt -r /var/log/pflog shows entries like:
>
>    32. 022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
>
> and:
>
>    2143. 098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
>
> My Mac is within the <campusaccess> defined in my tables section. Only ssh
> is being blocked. Other things like port 80 for apache, port 3306 for
> MySQL, port 8080 for Plone, etc. are all fine.
>
> I have searched the freebsd-pf list archives, but it only allows me one
> page of search results for some reason. I have also Googled a bit and have
> finally posted here. Very confused.
>
> Gavin Spomer
> Systems Programmer
> Brooks Library
> Central Washington University

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
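Added example, not code from the thread or from pf itself: a small Python triage script that reads block entries in the `tcpdump -n -e -ttt -r /var/log/pflog` format quoted above and separates bare-SYN blocks (a rule or table mismatch) from blocks of packets pf holds no state for, which is the symptom Max describes when pf is enabled under a live ssh session. The sample lines, addresses and sequence numbers are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of "tcpdump -n -e -ttt -r /var/log/pflog" quoted in the
# thread; the addresses and sequence numbers are made up and are not from the original mail.
SAMPLE_PFLOG = """\
32. 022410 rule 0/0(match): block in on bce0: 192.0.2.10.50186 > 198.51.100.5.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
2143. 098222 rule 1/0(match): block out on bce0: 198.51.100.5.22 > 192.0.2.10.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
17. 000345 rule 0/0(match): block in on bce0: 203.0.113.7.41000 > 198.51.100.5.22: S 991:991(0) win 65535 <mss 1460,nop,wscale 3>
"""

# Skips the delta timestamp and pulls out rule number, direction, interface, endpoints and
# the TCP flag letters that old tcpdump prints before the sequence range (S, P, F, R, ".").
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): block (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)

def parse_pflog_line(line):
    """Return a dict describing one 'block' entry, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ack"] = bool(re.search(r"\back \d+", line))   # any ACK number present?
    return rec

def classify(rec):
    """Why was this TCP packet blocked under a 'flags S/SA keep state' ruleset?

    A bare SYN (no ACK) is the only packet such a rule creates state for.  Anything else
    belongs to a connection pf has no state entry for, which is exactly the fate of a
    session that was already up when "pfctl -e" ran (or whose state has since expired).
    """
    if "S" in rec["flags"] and not rec["ack"]:
        return "new-syn"      # rule, table or source mismatch, not a state-tracking problem
    return "no-state"         # established before pf was enabled, or state lost since

def summarize(text):
    """Count blocked packets per (verdict, direction, service-side port) for quick triage."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        svc_port = rec["dport"] if rec["dir"] == "in" else rec["sport"]
        counts[(classify(rec), rec["dir"], svc_port)] += 1
    return counts

if __name__ == "__main__":
    for (verdict, direction, port), n in sorted(summarize(SAMPLE_PFLOG).items()):
        print(f"{n:3d}  {verdict:<9} {direction:<4} service port {port}")
```

An outbound `no-state` block on port 22 is the packet sshd could not send, which surfaces as the "Write failed: Operation not permitted" line in /var/log/messages quoted above.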