Date:      Thu, 04 Aug 2005 15:52:01 -0700
From:      "Giovanni P. Tirloni" <gpt@tirloni.org>
To:        Rod <rod@supanet.net.uk>
Cc:        pf@freebsd.org
Subject:   Re: PF, SSH closed by remote host
Message-ID:  <42F29C11.8090007@tirloni.org>
In-Reply-To: <1123177703.24009.29.camel@torgau.office.netline.net.uk>
References:  <1123177703.24009.29.camel@torgau.office.netline.net.uk>

Rod wrote:
> Hi,
> 
> I was wondering if anyone has come across this before. 
> 
> I'm running FreeBSD 5.4-RELEASE running PF from rc.conf. I ssh into this
> box as a non-root user then su. On doing a ps -auwx I instantly get
> disconnected with "Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed."
> 
> If I disable PF everything is fine (pfctl -d).
> 
> e.g. :
> 
> lfs2# ps -auwx
> USER        PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME
> COMMAND
> root         11 99.0  0.0     0     8  ??  RL    4:48PM 152:49.91 [idle]
> root          0  0.0  0.0     0     0  ??  DLs   4:48PM   0:00.01
> [swapper]Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed.
> 
> rc.conf :
> 
> # Packet Filtering
> pf_enable="YES"                 # Enable PF (load module if required)
> pf_rules="/etc/pf.conf"         # rules definition file for pf
> pf_flags=""                     # additional flags for pfctl startup
> pflog_enable="YES"              # start pflogd(8)
> pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
> pflog_flags=""                  # additional flags for pflogd startup
> 
> This is my pf.conf :
> 
> ext_if="em0"
> external_addr="192.168.2.3"
> box_admins = "{192.168.2.8 192.168.2.9 192.168.20 192.168.45}"
> 
> set fingerprints "/etc/pf.os"
> set block-policy drop
> scrub in all
> block in all
> block out all
> block in log all

  Ok, you're blocking everything in and out. Could be only "block all".

> #Allow Admins
> pass in on $ext_if from $box_admins to any
> 
> 
> #icmp, ping etc
> pass in on $ext_if proto icmp all
> 
> #allow outbound and keep states
> pass out on $ext_if proto { tcp, udp, icmp } all keep state

  You are permitting the $box_admins machines to send packets but aren't 
keeping state on those connections. AFAIK, the last rule won't keep 
state for connections that arrived from outside.

  So I think adding "keep state" to that first pass rule would help.

--
Giovanni P. Tirloni
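As an added illustration (not part of either message), here is Rod's admin rule as posted next to the stateful form Giovanni suggests, with the pfctl(8) checks that show whether a state entry exists for the admin connection. Interface and addresses are copied from the posted pf.conf; on the pf that shipped with FreeBSD 5.4 a rule only creates state when "keep state" is written out, it is not the default.

```pf
# Added example, not from either message. Values come from Rod's pf.conf;
# the two entries that appear truncated in the post are left out here.
ext_if="em0"
external_addr="192.168.2.3"
box_admins = "{ 192.168.2.8 192.168.2.9 }"

scrub in all
block all                     # same effect as the three block rules posted

# As posted (commented out): the inbound rule passes each admin packet on
# its own and creates no state. The only state for the SSH session is then
# created by the generic "pass out ... keep state" rule below, from the
# first outbound packet (the SYN-ACK) rather than from the client's SYN.
# pass in on $ext_if from $box_admins to any

# Suggested: create the state on the first inbound packet, so both
# directions of every admin connection are tracked from the start.
pass in on $ext_if from $box_admins to any keep state

#icmp, ping etc
pass in on $ext_if proto icmp all keep state

#allow outbound and keep states
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Checks after reloading (pfctl -f /etc/pf.conf):
#   pfctl -sr                       loaded rules, confirm "keep state" is present
#   pfctl -ss | grep 192.168.2.8    one tcp state entry per admin SSH session
#   tcpdump -n -e -ttt -i pflog0    packets dropped by the "block ... log" rule
```

If the state table shows a tcp entry for the admin host as soon as the SSH session opens, the inbound rule is now creating it; with the original rule the entry only appears once the server has replied.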
