From: Matt Kosht
To: freebsd-questions
Date: Mon, 9 Jan 2012 10:37:56 -0500
Subject: Windows XP ssh client to FreeBSD 5.3/pf issue
List-Id: User questions <freebsd-questions.freebsd.org>

Perplexed by an issue connecting a Windows 7 client to an old FreeBSD 5.3 server. On Windows XP clients SecureCRT gets "The semaphore timeout period has expired". PuTTY gets "Network error: Software caused connection abort". I have no issues connecting to newer 6.x, 7.x, 8.x, 9.x BSD servers though from Windows 7.

If I switch to an XP client on the same network (192.168.0.0/16) it works. If I shut off pf on the 5.3 server, Win 7 clients can connect. So it must be pf, but I don't see how pf would be affected by a Windows OS version. pf.conf follows.

-Matt

**/etc/pf.conf (Public IPs have been obscured)

# define variables
ext_if="fxp0"
KubraIPs="{x.x.x.x/32, x.x.x.x/32, x.x.x.x/32, x.x.x.x/32, x.x.x.x/32}"
whitelist="{192.168.0.0/16}"

# normalize packets
scrub in all

# Translation Rules:
# KUBRA Translations
rdr proto tcp from $KubraIPs to $ext_if port 443 -> 192.168.203.145 port 8443
nat from any to 192.168.203.145 port 8443 -> x.x.x.x

# Filter Rules:
# KUBRA Filters
pass in quick log on $ext_if from any to 192.168.203.145 keep state flags S/SA

# stop all IPv6 traffic
block in quick inet6 all
block out quick inet6 all

# pass everything on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all

# block all badguys
# (the table name, written <name> in pf syntax, was stripped by the list archive
#  from the next line and from the "block ... from" rule below)
table persist file "/var/db/ssh-bruteforce"
pass in log quick proto tcp from $whitelist to any port ssh
block in log quick proto tcp from to any port ssh

# setup a default deny policy
block in all
block out all

# allow DNS connections from anywhere
pass in quick on $ext_if proto udp from any to any port domain
pass in quick on $ext_if proto tcp from any to any port domain flags S/SA

# allow ssh connections from anywhere
pass in quick on $ext_if proto tcp from any to any port ssh keep state flags S/SA

# allow SNMP connections anywhere
pass in quick on $ext_if proto tcp from any to any port 161
pass in quick on $ext_if proto udp from any to any port 161
pass in quick on $ext_if proto tcp from any to any port 162
pass in quick on $ext_if proto udp from any to any port 162

# allow ntp from anywhere
pass in quick on $ext_if proto tcp from any to any port 123
pass in quick on $ext_if proto udp from any to any port 123

# allow www from anywhere
pass in quick on $ext_if proto tcp from any to any port www flags S/SA

# allow ftp from anywhere
pass in quick log on $ext_if proto tcp from any to any port ftp flags S/SA
pass in quick on $ext_if proto tcp from any to any port 6666 flags S/SA

# allow ICMP from inside
pass in quick on $ext_if proto icmp from any to any

# allow https from anywhere for redirection
pass in quick log on $ext_if proto tcp from any to any port 443 keep state flags S/SA

# allow tcp/udp/icmp out keeping state
pass out quick on $ext_if proto tcp from any to any keep state
pass out on $ext_if proto {udp, icmp} all keep state
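One check worth running on a ruleset like the one above, as an added example that is not part of the original post or of pf: on FreeBSD 5.3 (OpenBSD 3.5-era pf) a `pass` rule is stateless unless it says `keep state`, and `flags S/SA` on a stateless rule matches only the SYN, so the rest of the handshake is evaluated against later rules. The whitelist ssh rule here is stateless, which means the first state for such a connection is created by the `pass out ... keep state` rule from the server's SYN-ACK; pf.conf(5) recommends `flags S/SA` on stateful TCP rules precisely because a state created from a non-SYN segment has no view of the peer's window-scale option. The script below lints a constructed excerpt of the posted rules for those three patterns. The `modern_defaults` switch models pf from OpenBSD 4.1 / FreeBSD 7.0 onward, where `keep state` and `flags S/SA` are implicit, which is why the same rules behave differently on newer servers; the rule names and the `lint` / `parse_rule` helpers are this example's own.

```python
"""Lint a pf ruleset for TCP pass rules whose state tracking depends on pf version.

Example code, not from the mailing-list post or from pf itself. The RULESET
below is a constructed excerpt of the rules in the post (table rule omitted).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the posted ruleset, one rule per line.
RULESET = """
pass in log quick proto tcp from $whitelist to any port ssh
block in log quick proto tcp from any to any port ssh
block in all
block out all
pass in quick on $ext_if proto tcp from any to any port domain flags S/SA
pass in quick on $ext_if proto tcp from any to any port ssh keep state flags S/SA
pass in quick on $ext_if proto tcp from any to any port 161
pass in quick on $ext_if proto tcp from any to any port www flags S/SA
pass in quick log on $ext_if proto tcp from any to any port 443 keep state flags S/SA
pass out quick on $ext_if proto tcp from any to any keep state
"""

Finding = Tuple[int, str, str]  # (rule number, code, explanation)


def parse_rule(line: str) -> Dict[str, Optional[str]]:
    """Pull the few fields the lint needs out of one pf filter rule."""
    toks = line.split()
    proto = re.search(r"\bproto (\S+)", line)
    flags = re.search(r"\bflags (\S+)", line)
    return {
        "action": toks[0],
        "proto": proto.group(1) if proto else None,
        "flags": flags.group(1) if flags else None,
        # explicit state keywords; 'pass' alone is stateless on pre-4.1 pf
        "stateful": "yes" if re.search(r"\b(keep|modulate|synproxy) state\b", line) else None,
    }


def lint(ruleset: str, modern_defaults: bool = False) -> List[Finding]:
    """Return findings for TCP pass rules; modern_defaults=True models pf >= OpenBSD 4.1."""
    findings: List[Finding] = []
    for n, raw in enumerate(ruleset.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        r = parse_rule(line)
        if r["action"] != "pass" or r["proto"] != "tcp":
            continue
        stateful = bool(r["stateful"]) or modern_defaults
        flags = r["flags"] or ("S/SA" if modern_defaults else None)
        if not stateful and flags:
            findings.append((n, "STATELESS_FLAGS",
                             f"flags {flags} without keep state: only the SYN matches this "
                             "rule; later segments fall through to the rules below"))
        elif not stateful:
            findings.append((n, "STATELESS",
                             "pass without keep state: no state is created here, so the "
                             "reply direction's pass out rule creates it mid-stream"))
        elif flags != "S/SA":
            findings.append((n, "STATE_WITHOUT_SYN",
                             "keep state without flags S/SA: state can be created from a "
                             "non-SYN segment, so the peer's window scale is unknown"))
    return findings


if __name__ == "__main__":
    for version, modern in (("FreeBSD 5.3 (OpenBSD 3.5 pf)", False), ("FreeBSD 7.0+ pf", True)):
        print(f"== {version}")
        for n, code, why in lint(RULESET, modern_defaults=modern):
            print(f"rule {n}: {code}: {why}")
```

Run stand-alone it reports five findings for the 5.3-era semantics (the whitelist ssh rule and the SNMP rule are stateless, the domain and www rules pass only the SYN, and the `pass out` rule keeps state without `flags S/SA`) and none for the modern defaults. The fix it points at, if the stateless ssh path is the culprit, is to give the whitelist rule `keep state flags S/SA` so the state is created from the client's SYN; confirming that on the box means watching `pflog0` for which rule the Windows 7 segments hit after the handshake.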