Date: Mon, 07 Apr 2008 19:14:49 -0400
From: Elliott Perrin <elliott@c7.ca>
To: freebsd-pf@freebsd.org
Subject: Re: SSH Session disconnecting with pf
Message-ID: <1207610089.32218.140.camel@kensho.c7.ca>
In-Reply-To: <003801c898fb$16a897a0$43f9c6e0$@net>
References: <003801c898fb$16a897a0$43f9c6e0$@net>
On Mon, 2008-04-07 at 23:02 +0100, Torsten @ CNC-LONDON wrote:
> Hi All
>
> I'm running FreeBSD stable 6.2 on all my servers and in the past year I
> have noticed random disconnection of persistent sessions to and from
> servers which are running PF as the firewall.
>
> At first I was blaming internet connectivity issues for this and tried
> to sell this as "as good as it gets".
>
> Of course at first I noticed it at SSH connections and later on with ftp
> NOOP connections and so on.
>
> This dropping causes SSH to be reconnected and ftp to stall indefinitely
> until new login.
>
> People are starting to get quite spooked about it, especially SSH users
> because of interrupted sessions and tunneling.
>
> I tried to find the reason for this.
>
> Any help would be very appreciated
>
> Regards
>
> Torsten
>
> All kernels are compiled with:
> ****************************************
> #pf firewall start
> device pf
> device pflog
> device pfsync
> options ALTQ
> options ALTQ_CBQ # Class Based Queuing (CBQ)
> options ALTQ_RED # Random Early Detection (RED)
> options ALTQ_RIO # RED In/Out
> options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
> options ALTQ_PRIQ # Priority Queuing (PRIQ)
> options ALTQ_NOPCC # Required for SMP build
> # PF firewall end
>
> options SMP
> options QUOTA
> ****************************************
> All other options are left alone
>
> My pf.conf looks like this (sorry, changed ext IP address because I don't
> trust myself of having done the right thing)
>
> *****************************
> ###MACROS
> ext_if = "em0"
> int_if = "vr0"
> ext_ip = "{0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5}"
> loop_if="lo0"
> SYN_ONLY="S/FSRA"
> icmp_types = "echoreq"
> office_ip="{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4 , 1.0.0.5, 1.0.0.6, 1.0.0.7 }"
> public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993, 995, 8025}"
> PassiveFTP = "{ 55000 >< 59000 }"
>
> ##TABLES
> #private IP address spaces
> table <private_net> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
>
> # blacklist host
> table <blacklist> persist file "/usr/local/etc/pf/pf.blacklist"
>
> ## GLOBAL OPTIONS
> set block-policy return
> set loginterface $ext_if
> set optimization normal
> set skip on lo0
>
> ## TRAFFIC NORMALIZATION
> scrub in all no-df
> scrub out all no-df
>
> ## FILTER RULES
> # in general block all connections and allow later below
> block in
>
> # allow all on loop interface
> pass quick on $loop_if
>
> # block all private ip addresses
> block in quick on $ext_if from { <private_net> }
>
> # allow any connection from the server to go out
> pass out keep state

This is your problem right here. Try

pass out quick proto tcp flags S/SA keep state
pass out quick proto udp keep state
pass out quick proto icmp keep state

You can keep your flags as S/SFRA as it is more restrictive than S/SA, but
you should be examining flags for outbound TCP in order to keep state.

I imagine you may be filling your state table with the way this rule is
currently written.

> #allow tcp/udp connections to the above ports from external
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state
>
> #allow ping request from anywhere but filter it
> pass in log inet proto icmp all icmp-type $icmp_types keep state
>
> #allow any connection from management IP's
> pass in log quick on $ext_if proto udp from $office_ip to $ext_if keep state
> pass in log quick on $ext_if proto tcp from $office_ip to $ext_if flags $SYN_ONLY keep state
>
> # blacklist spam networks and so on
> block log quick from <blacklist> to any
> block log quick from any to <blacklist>
>
> #ftp proxy rubbish for passive ftp
> pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
> pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state
>
> pass quick on $int_if
>
> ****************************
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
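An added illustration of the outbound rule that was flagged above, placed beside the rewritten form; this is editorial example configuration, not text from either poster. The point it shows: with `pass out keep state` and no `flags` restriction, pf on FreeBSD 6.x (which does not apply `flags S/SA` by default) may create a state entry from any outbound packet, including one in the middle of an already established connection. A state picked up mid-stream never saw the TCP handshake options, notably window scaling, so pf's sequence-window tracking can later judge legitimate segments as out of window and drop them, which the user experiences as an SSH session that silently stalls and reconnects. Such entries also accumulate until their timeouts expire, which is the state-table growth mentioned in the reply. The macros `$ext_if` and `$SYN_ONLY` are the ones from the posted pf.conf; nothing else here is taken from the original ruleset.

```conf
# Outbound rules, before and after (added example, not the poster's config).
# $ext_if and $SYN_ONLY are the macros defined in the posted pf.conf.

# BEFORE: any outbound packet, SYN or not, is allowed to create a state.
# A connection picked up mid-stream has no record of the handshake's
# window-scaling option, so later segments can be dropped as out of window.
# pass out keep state

# AFTER: create TCP state only on the initial SYN (SYN set, ACK clear),
# so every tracked connection begins with a complete handshake.
pass out quick proto tcp from any to any flags S/SA keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state

# Equivalent using the stricter macro already defined in the posted ruleset
# (S/FSRA also requires FIN and RST to be clear on the state-creating packet):
# pass out quick proto tcp from any to any flags $SYN_ONLY keep state
```

Check the edited file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After the change, `pfctl -ss` should list outbound TCP states that all passed through the normal `SYN_SENT` / `ESTABLISHED` progression rather than appearing fully established from their first packet, and the state count shown by `pfctl -si` should track the number of live connections instead of growing with every stray packet.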
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1207610089.32218.140.camel>