Date: Mon, 9 Jan 2012 10:37:56 -0500
From: Matt Kosht <matt.kosht@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Windows XP ssh client to FreeBSD 5.3/pf issue
Message-ID: <CAHnFhBF==_d9VBxLEbvgN1NkJt6jHDXo8MeQo8rQ5CatMOo1oQ@mail.gmail.com>
Perplexed by an issue connecting a Windows 7 client to an old FreeBSD 5.3 server. On Windows XP clients SecureCRT gets "The semaphore timeout period has expired". PuTTY gets "Network error: Software caused connection abort". I have no issues connecting to newer 6.x, 7.x, 8.x, 9.x BSD servers though from Windows 7. If I switch to an XP client on the same network (192.168.0.0/16) it works. If I shut off pf on the 5.3 server, Win 7 clients can connect. So it must be pf, but I don't see how pf would be affected by a Windows OS version.

pf.conf follows

-Matt

/etc/pf.conf (Public IPs have been obscured)

# define variables
ext_if="fxp0"
KubraIPs="{x.x.x.x/32, x.x.x.x/32, x.x.x.x/32, x.x.x.x/32, x.x.x.x/32}"
whitelist="{192.168.0.0/16}"

# normalize packets
scrub in all

# Translation Rules:
# KUBRA Translations
rdr proto tcp from $KubraIPs to $ext_if port 443 -> 192.168.203.145 port 8443
nat from any to 192.168.203.145 port 8443 -> x.x.x.x

# Filter Rules:
# KUBRA Filters
pass in quick log on $ext_if from any to 192.168.203.145 keep state flags S/SA

# stop all IPv6 traffic
block in quick inet6 all
block out quick inet6 all

# pass everything on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all

# block all badguys
table <bruteforce> persist file "/var/db/ssh-bruteforce"
pass in log quick proto tcp from $whitelist to any port ssh
block in log quick proto tcp from <bruteforce> to any port ssh

# setup a default deny policy
block in all
block out all

# allow DNS connections from anywhere
pass in quick on $ext_if proto udp from any to any port domain
pass in quick on $ext_if proto tcp from any to any port domain flags S/SA

# allow ssh connections from anywhere
pass in quick on $ext_if proto tcp from any to any port ssh keep state flags S/SA

# allow SNMP connections anywhere
pass in quick on $ext_if proto tcp from any to any port 161
pass in quick on $ext_if proto udp from any to any port 161
pass in quick on $ext_if proto tcp from any to any port 162
pass in quick on $ext_if proto udp from any to any port 162

# allow ntp from anywhere
pass in quick on $ext_if proto tcp from any to any port 123
pass in quick on $ext_if proto udp from any to any port 123

# allow www from anywhere
pass in quick on $ext_if proto tcp from any to any port www flags S/SA

# allow ftp from anywhere
pass in quick log on $ext_if proto tcp from any to any port ftp flags S/SA
pass in quick on $ext_if proto tcp from any to any port 6666 flags S/SA

# allow ICMP from inside
pass in quick on $ext_if proto icmp from any to any

# allow https from anywhere for redirection
pass in quick log on $ext_if proto tcp from any to any port 443 keep state flags S/SA

# allow tcp/udp/icmp out keeping state
pass out quick on $ext_if proto tcp from any to any keep state
pass out on $ext_if proto {udp, icmp} all keep state
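Added example, not from Matt's message and not part of pf: a small Python check, run over a constructed excerpt of the posted ruleset, that lists inbound tcp pass rules which create no state while a stateful "pass out" rule exists, and reports which rule a given source hits first. The point a reviewer would look at is that the whitelist ssh rule is "quick" and precedes the stateful ssh rule, and pf on FreeBSD 5.x does not keep state by default, so for 192.168.0.0/16 clients the state entry is created by the outbound rule from the server's SYN-ACK rather than from the client's SYN (which carries the window-scale option); the rule names and sample text below are assumptions.

```python
import re

# Constructed excerpt of the posted /etc/pf.conf (not the full file).
SAMPLE_PF_CONF = """
ext_if="fxp0"
whitelist="{192.168.0.0/16}"
# block all badguys
pass in log quick proto tcp from $whitelist to any port ssh
block in log quick proto tcp from <bruteforce> to any port ssh
block in all
block out all
pass in quick on $ext_if proto tcp from any to any port ssh keep state flags S/SA
pass in quick on $ext_if proto tcp from any to any port www flags S/SA
pass out quick on $ext_if proto tcp from any to any keep state
"""

STATEFUL = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")


def rules(text):
    """Strip comments and blank lines; one pf rule per list entry."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def stateless_inbound_tcp(text):
    """Inbound tcp pass rules that create no state entry.

    Only reported when some 'pass out' rule keeps state: the SYN is then
    admitted statelessly and the server's SYN-ACK creates the state via
    the outbound rule, so pf never saw the client's TCP options.
    'flags S/SA' alone does not create state on pf versions that do not
    keep state by default (FreeBSD 5.x/6.x).
    """
    rs = rules(text)
    if not any(r.startswith("pass out") and STATEFUL.search(r) for r in rs):
        return []
    return [r for r in rs
            if r.startswith("pass in") and " proto tcp " in r
            and not STATEFUL.search(r)]


def first_match_is_stateless(text, src_tag, port):
    """True if the first 'quick' inbound rule for src_tag/port keeps no state."""
    for r in rules(text):
        if (r.startswith("pass in") and "quick" in r
                and src_tag in r and f"port {port}" in r):
            return not STATEFUL.search(r)
    return False
```

Running stateless_inbound_tcp over the sample reports the whitelist ssh rule and the www rule; first_match_is_stateless with "$whitelist" and "ssh" shows that LAN clients never reach the later stateful ssh rule.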