Date:      Mon, 9 Jan 2012 10:37:56 -0500
From:      Matt Kosht <matt.kosht@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Windows XP ssh client to FreeBSD 5.3/pf issue
Message-ID:  <CAHnFhBF==_d9VBxLEbvgN1NkJt6jHDXo8MeQo8rQ5CatMOo1oQ@mail.gmail.com>

Perplexed by an issue connecting a Windows 7 client to an old FreeBSD 5.3
server.  On Windows XP clients SecureCRT gets "The semaphore timeout period
has expired". PuTTY gets "Network error: Software caused connection abort".
I have no issues connecting to newer 6.x, 7.x, 8.x, 9.x BSD servers though
from Windows 7. If I switch to an XP client on the same network (192.168.0.0/16) it
works. If I shut off pf on the 5.3 server, Win 7 clients can connect. So it
must be pf, but I don't see how pf would be affected by a Windows OS
version. pf.conf follows:

-Matt

**/etc/pf.conf (Public IPs have been obscured)
# define variables
ext_if="fxp0"
KubraIPs="{x.x.x.x/32, x.x.x.x/32, x.x.x.x/32, x.x.x.x/32,
x.x.x.x/32}"
whitelist="{192.168.0.0/16}"

# normalize packets
scrub in all

# Translation Rules:
# KUBRA Translations
rdr proto tcp from $KubraIPs to $ext_if port 443 -> 192.168.203.145 port 8443
nat from any to 192.168.203.145 port 8443 -> x.x.x.x
# Filter Rules:
# KUBRA Filters
pass in quick log on $ext_if from any to 192.168.203.145 keep state flags S/SA
# stop all IPv6 traffic
block in quick inet6 all
block out quick inet6 all
# pass everything on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all
# block all badguys
table <bruteforce> persist file "/var/db/ssh-bruteforce"
pass in log quick proto tcp from $whitelist to any port ssh
block in log quick proto tcp from <bruteforce> to any port ssh
# setup a default deny policy
block in all
block out all
# allow DNS connections from anywhere
pass in quick on $ext_if proto udp from any to any port domain
pass in quick on $ext_if proto tcp from any to any port domain flags S/SA
# allow ssh connections from anywhere
pass in quick on $ext_if proto tcp from any to any port ssh keep state flags S/SA
# allow SNMP connections anywhere
pass in quick on $ext_if proto tcp from any to any port 161
pass in quick on $ext_if proto udp from any to any port 161
pass in quick on $ext_if proto tcp from any to any port 162
pass in quick on $ext_if proto udp from any to any port 162
# allow ntp from anywhere
pass in quick on $ext_if proto tcp from any to any port 123
pass in quick on $ext_if proto udp from any to any port 123
# allow www from anywhere
pass in quick on $ext_if proto tcp from any to any port www flags S/SA
# allow ftp from anywhere
pass in quick log on $ext_if proto tcp from any to any port ftp flags S/SA
pass in quick on $ext_if proto tcp from any to any port 6666 flags S/SA
# allow ICMP from inside
pass in quick on $ext_if proto icmp from any to any
# allow https from anywhere for redirection
pass in quick log on $ext_if proto tcp from any to any port 443 keep state flags S/SA
# allow tcp/udp/icmp out keeping state
pass out quick on $ext_if proto tcp from any to any keep state
pass out on $ext_if proto {udp, icmp} all keep state
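One check worth running on a ruleset like the one above is which inbound TCP pass rules create no state at all (pf of the FreeBSD 5.3 era does not imply keep state), or keep state without restricting it to the SYN with flags S/SA; such connections only work because the outbound keep state rule picks the session up from the server's reply. The following linter is an added example, not part of the post; the sample ruleset is a constructed excerpt of the posted pf.conf, and the parser assumes plain pf.conf syntax (# comments, backslash continuations):

```python
import re
# Constructed excerpt of the post's ruleset (one rule carries a backslash
# continuation to exercise the joiner); not the complete /etc/pf.conf.
SAMPLE_PF_CONF = """\
pass in log quick proto tcp from $whitelist to any port ssh
block in log quick proto tcp from <bruteforce> to any port ssh
pass in quick on $ext_if proto tcp from any to any port ssh keep state flags S/SA
pass in quick on $ext_if proto tcp from any to any port 161   # SNMP, no state
pass in quick on $ext_if proto tcp from any to any port www flags S/SA
pass in quick log on $ext_if proto tcp from any to any port 443 keep state \\
    flags S/SA
pass out quick on $ext_if proto tcp from any to any keep state
"""

STATE_RE = re.compile(r"\b(keep|modulate|synproxy) state\b")
FLAGS_RE = re.compile(r"\bflags\s+(\S+)")

def parse_rules(text):
    """Logical rules: comments stripped, backslash continuations joined."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append(" ".join((buf + line).split()))
        buf = ""
    return rules

def audit_tcp_pass_rules(text):
    """Return (rule, issue) for inbound TCP pass rules that do not create state
    on the client's SYN: no state keyword, or state without 'flags S/SA'."""
    findings = []
    for rule in parse_rules(text):
        if not rule.startswith("pass in ") or "proto tcp" not in rule:
            continue
        if not STATE_RE.search(rule):
            findings.append((rule, "stateless: no 'keep state'"))
            continue
        m = FLAGS_RE.search(rule)
        if m is None or m.group(1) != "S/SA":
            findings.append((rule, "stateful but not limited to the SYN"))
    return findings

if __name__ == "__main__":
    for rule, issue in audit_tcp_pass_rules(SAMPLE_PF_CONF):
        print(f"{issue}: {rule}")
```

Run against the excerpt it reports the whitelist ssh, SNMP tcp/161 and www rules as stateless; the two rules with keep state flags S/SA pass clean.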