From: "Giovanni P. Tirloni" <gpt@tirloni.org>
Date: Thu, 04 Aug 2005 15:52:01 -0700
To: Rod
Cc: pf@freebsd.org
Subject: Re: PF, SSH closed by remote host
Message-ID: <42F29C11.8090007@tirloni.org>
In-Reply-To: <1123177703.24009.29.camel@torgau.office.netline.net.uk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Rod wrote:
> Hi,
>
> I was wondering if anyone has come across this before.
>
> I'm running FreeBSD 5.4-RELEASE running PF from rc.conf. I ssh into this
> box as a non-root user then su. On doing a ps -auwx I instantly get
> disconnected with "Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed."
>
> If I disable PF everything is fine (pfctl -d).
>
> e.g.:
>
> lfs2# ps -auwx
> USER   PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED      TIME COMMAND
> root    11 99.0  0.0    0    8  ??  RL    4:48PM 152:49.91 [idle]
> root     0  0.0  0.0    0    0  ??  DLs   4:48PM   0:00.01 [swapper]Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed.
>
> rc.conf:
>
> # Packet Filtering
> pf_enable="YES"                 # Enable PF (load module if required)
> pf_rules="/etc/pf.conf"         # rules definition file for pf
> pf_flags=""                     # additional flags for pfctl startup
> pflog_enable="YES"              # start pflogd(8)
> pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
> pflog_flags=""                  # additional flags for pflogd startup
>
> This is my pf.conf:
>
> ext_if="em0"
> external_addr="192.168.2.3"
> box_admins = "{192.168.2.8 192.168.2.9 192.168.20 192.168.45}"
>
> set fingerprints "/etc/pf.os"
> set block-policy drop
> scrub in all
> block in all
> block out all
> block in log all

Ok, you're blocking everything in and out. Could be only "block all".

> #Allow Admins
> pass in on $ext_if from $box_admins to any
>
>
> #icmp, ping etc
> pass in on $ext_if proto icmp all
>
> #allow outbound and keep states
> pass out on $ext_if proto { tcp, udp, icmp } all keep state

You are permitting the $box_admins machines to send packets but aren't
keeping state on those connections. AFAIK, the last rule won't keep state
for connections that arrived from outside. So I think adding "keep state"
to that first pass rule would help.

-- 
Giovanni P. Tirloni
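Rod's ruleset with the change suggested in this reply, written out as an added example that is not from the thread. The interface, addresses and the pflogd logging come from Rod's post; "flags S/SA" and the separate { udp, icmp } rule are assumptions added here so that TCP state is created only from a connection's first SYN.

```pf
# Added example (not from the thread): Rod's pf.conf with "keep state" on
# the admin rule, as suggested in the reply. Interface and addresses are
# taken from the post; "flags S/SA" is an assumption (standard pf practice).
ext_if="em0"
external_addr="192.168.2.3"
# Two entries of the posted list (192.168.20, 192.168.45) are not complete
# addresses, so only the two complete ones are kept here.
box_admins="{ 192.168.2.8, 192.168.2.9 }"

set fingerprints "/etc/pf.os"
set block-policy drop
scrub in all

# One default-deny rule replaces "block in all", "block out all" and
# "block in log all" ("block all" in the reply); "log" keeps feeding the
# pflogd instance Rod enabled in rc.conf.
block log all

# As posted (stateless), kept for comparison:
#   pass in on $ext_if from $box_admins to any
#
# Stateful version: a state entry is created when an admin connection's
# initial SYN arrives (flags S/SA), so the rest of the session, including
# the server's replies, is matched by the state table instead of being
# evaluated packet by packet against the ruleset.
pass in on $ext_if proto tcp from $box_admins to any \
    flags S/SA keep state
# Non-TCP traffic from the admin hosts, also stateful (assumed split so the
# TCP rule above is the only one creating TCP state).
pass in on $ext_if proto { udp, icmp } from $box_admins to any keep state

# icmp, ping etc
pass in on $ext_if inet proto icmp all keep state

# Outbound connections originated by this host (unchanged from the post)
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and compare `pfctl -ss` before and after an SSH login to confirm a state entry now exists for the admin connection.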