Date:      Mon, 07 Apr 2008 19:14:49 -0400
From:      Elliott Perrin <elliott@c7.ca>
To:        freebsd-pf@freebsd.org
Subject:   Re: SSH Session disconnecting with pf
Message-ID:  <1207610089.32218.140.camel@kensho.c7.ca>
In-Reply-To: <003801c898fb$16a897a0$43f9c6e0$@net>
References:  <003801c898fb$16a897a0$43f9c6e0$@net>

On Mon, 2008-04-07 at 23:02 +0100, Torsten @ CNC-LONDON wrote:
> Hi All
>
> I'm running FreeBSD stable 6.2 on all my servers and in the past one year I
> noticed random disconnection of persistent sessions to and from servers
> which are running PF as the firewall.
>
> At first I was blaming internet connectivity issues for this and tried to sell
> this as "as good as it gets".
>
> Of course at first I noticed it at SSH connections and later on with ftp
> NOOP connections and so on.
>
> This dropping causes SSH to be reconnected and ftp to stall indefinitely
> until new login.
>
> All people are starting to get quite spooky about it, especially SSH users
> because of interrupted sessions and tunneling.
>
> I tried to find the reason for this.
>
> Any help would be very appreciated.
>
> Regards
>
> Torsten
>
> All kernels are compiled with:
>
> ****************************************
> #pf firewall start
> device   pf
> device   pflog
> device   pfsync
> options         ALTQ
> options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
> options         ALTQ_RED        # Random Early Detection (RED)
> options         ALTQ_RIO        # RED In/Out
> options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
> options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
> options         ALTQ_NOPCC      # Required for SMP build
> # PF firewall end
>
> options SMP
> options QUOTA
> ****************************************
>
> All other options are left alone.
>
> My pf.conf looks like this (sorry, changed ext IP address because I don't
> trust myself of having done the right thing):
>
> *****************************
> ###MACROS
>         ext_if = "em0"
>         int_if = "vr0"
>         ext_ip = "{0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5}"
>         loop_if="lo0"
>         SYN_ONLY="S/FSRA"
>         icmp_types = "echoreq"
>         office_ip="{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4 , 1.0.0.5, 1.0.0.6, 1.0.0.7 }"
>         public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993, 995, 8025}"
>         PassiveFTP = "{ 55000 >< 59000 }"
>
> ##TABLES
> #private IP address spaces
>         table <private_net> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
>
> # blacklist host
>         table <blacklist> persist file "/usr/local/etc/pf/pf.blacklist"
>
> ## GLOBAL OPTIONS
>         set block-policy return
>         set loginterface $ext_if
>         set optimization normal
>         set skip on lo0
>
> ## TRAFFIC NORMALIZATION
>         scrub in all no-df
>         scrub out all no-df
>
> ## FILTER RULES
> # in general block all connections and allow later below
>         block in
>
> # allow all on loop interface
>         pass quick on $loop_if
>
> # block all private ip addresses
>         block in quick on $ext_if from { <private_net> }
>
> # allow any connection from the server to go out
>         pass out keep state
> 

This is your problem right here. Try:

pass out quick proto tcp flags S/SA keep state
pass out quick proto udp keep state
pass out quick proto icmp keep state

You can keep your flags as S/SFRA as it is more restrictive than S/SA,
but you should be examining flags for outbound TCP in order to keep
state. I imagine you may be filling your state table with the way this
rule is currently written.


>
> #allow tcp/udp connections to the above ports from external
>         pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
>         pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state
>
> #allow ping request from anywhere but filter it
>         pass in log inet proto icmp all icmp-type $icmp_types keep state
>
> #allow any connection from management IP's
>         pass in log quick on $ext_if proto udp from $office_ip to $ext_if keep state
>         pass in log quick on $ext_if proto tcp from $office_ip to $ext_if flags $SYN_ONLY keep state
>
> # blacklist spam networks and so on
>         block log quick from <blacklist> to any
>         block log quick from any to <blacklist>
>
> #ftp proxy rubbish for passive ftp
>         pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
>         pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state
>
>         pass quick on $int_if
>
> ****************************
> 
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"



