Date:      Mon, 7 Apr 2008 16:07:50 -0700
From:      Jeremy Chadwick <koitsu@freebsd.org>
To:        "Torsten @ CNC-LONDON" <torsten@cnc-london.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: SSH Session disconnecting with pf
Message-ID:  <20080407230750.GA15720@eos.sc1.parodius.com>
In-Reply-To: <003801c898fb$16a897a0$43f9c6e0$@net>
References:  <003801c898fb$16a897a0$43f9c6e0$@net>

On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> I'm running FreeBSD stable 6.2 on all my servers and in the past one year I
> noticed a random disconnection of persistent sessions to and from servers
> with PF running as the firewall

The big problem with your rules looks to be how you're determining SYN,
and how you're using keep state.

Below are some comments.

>         SYN_ONLY="S/FSRA"

This is very, very wrong, and probably the cause of your issues.  This
should be S/SA.

> # allow all on loop interface
>
>         pass quick on $loop_if

You don't need this -- you're using "set skip on lo0", which causes pf
to ignore that interface.  You can remove $loop_if as well.

> # block all private ip addresses
>
>         block in quick on $ext_if from { <private_net> }

Use the "antispoof" directive for this, it'll work better.  :-)

> # allow any connection from the server to go out
>
>         pass out keep state

This is also incorrect.  It'll work fine for ICMP and UDP packets, but
for TCP you'll be creating a new state table for every packet regardless
of flags, which is liable to break things.  For TCP you want to keep
state only on initiated connections being made, so you should be using:

	pass out quick proto tcp all flags S/SA keep state
	pass out quick proto udp all keep state
	pass out quick proto icmp all keep state

You can, of course, replace "flags S/SA" with $SYN_ONLY once you address
the issue above.

> #allow tcp/udp connections to the above ports from external
> 
>         pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
>         pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state

You can remove the parentheses in "($ext_if)".

> #allow ping request from anywhere but filter it
> 
>         pass in log inet proto icmp all icmp-type $icmp_types keep state

The pf.conf comment here doesn't make any sense.  Also, be aware ICMP is
actually quite important, so you don't want to block all ICMP protocols
and just permit echoreq.  There are documents online which discuss what
blocking all ICMP types can do.

> #ftp proxy rubbish for passive ftp
> 
>         pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
>         pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state

FTP is actually a TCP-based protocol, despite what you see in
/etc/services for ports.

>                 pass quick on $int_if

Consider using "set skip on $int_if" instead, if this is really what you
want.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
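An added example, not part of the message above or of pf itself: a small Python model of how pf evaluates a TCP `flags a/b` specification, used to compare the `S/SA` and `S/FSRA` specs discussed in the reply against a rule with no flags keyword (which the reply says creates state for every packet, modelled here as `any`). The packets are constructed flag strings, not captured traffic.

```python
# pf's one-letter TCP flag names: FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAGS = frozenset("FSRPAUEW")


def parse_flags_spec(spec):
    """Parse 'a/b' into (must_be_set, examined) frozensets.

    Per pf.conf(5): of the flags in b, those in a must be set and the
    rest must be clear; flags outside b are ignored.  'any' examines
    nothing, so it matches every packet.
    """
    if spec == "any":
        return frozenset(), frozenset()
    set_part, sep, mask_part = spec.partition("/")
    if not sep:
        raise ValueError("expected 'a/b' or 'any', got %r" % spec)
    must_set, examined = frozenset(set_part), frozenset(mask_part)
    unknown = (must_set | examined) - TCP_FLAGS
    if unknown:
        raise ValueError("unknown flag letters: %s" % "".join(sorted(unknown)))
    if not must_set <= examined:
        raise ValueError("flags %r: set part must be a subset of the mask" % spec)
    return must_set, examined


def flags_match(spec, packet_flags):
    """True if a packet carrying packet_flags (e.g. 'SA') satisfies spec."""
    must_set, examined = parse_flags_spec(spec)
    return frozenset(packet_flags) & examined == must_set


def state_creating_packets(spec, packets):
    """Packets that match spec and so would create state under a
    'keep state' rule carrying that flags spec."""
    return [p for p in packets if flags_match(spec, p)]


# Constructed sample packets: bare SYN, SYN with ECN bits set, SYN-ACK,
# mid-stream ACK, FIN-ACK, and a malformed SYN+FIN.
SAMPLE_PACKETS = ["S", "SEW", "SA", "A", "FA", "SF"]

if __name__ == "__main__":
    for spec in ("any", "S/SA", "S/FSRA"):
        hits = state_creating_packets(spec, SAMPLE_PACKETS)
        print("%-7s creates state on: %s" % (spec, hits))
```

With `any`, the mid-stream ACK and FIN-ACK create state; with `S/SA` only packets that have SYN set and ACK clear do, and `S/FSRA` additionally rejects the SYN+FIN packet.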