Date: Mon, 7 Apr 2008 16:07:50 -0700
From: Jeremy Chadwick <koitsu@freebsd.org>
To: "Torsten @ CNC-LONDON" <torsten@cnc-london.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: SSH Session disconnecting with pf
Message-ID: <20080407230750.GA15720@eos.sc1.parodius.com>
In-Reply-To: <003801c898fb$16a897a0$43f9c6e0$@net>
References: <003801c898fb$16a897a0$43f9c6e0$@net>
On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> noticed a random disconnection of persistent sessions to and from servers
> which are running PF as the firewall

The big problem with your rules looks to be how you're determining SYN,
and how you're using keep state. Below are some comments.

> SYN_ONLY="S/FSRA"

This is very, very wrong, and probably the cause of your issues. This
should be S/SA.

> # allow all on loop interface
>
> pass quick on $loop_if

You don't need this -- you're using "set skip on lo0", which causes pf
to ignore that interface. You can remove $loop_if as well.

> # block all private ip addresses
>
> block in quick on $ext_if from { <private_net> }

Use the "antispoof" directive for this, it'll work better. :-)

> # allow any connection from the server to go out
>
> pass out keep state

This is also incorrect. It'll work fine for ICMP and UDP packets, but
for TCP you'll be creating a new state table entry for every packet
regardless of flags, which is liable to break things. For TCP you want
to keep state only on initiated connections being made, so you should
be using:

pass out quick proto tcp all flags S/SA keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

You can, of course, replace "flags S/SA" with $SYN_ONLY once you address
the issue above.

> #allow tcp/udp connections to the above ports from external
>
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state

You can remove the parentheses in "($ext_if)".

> #allow ping request from anywhere but filter it
>
> pass in log inet proto icmp all icmp-type $icmp_types keep state

The pf.conf comment here doesn't make any sense.

Also, be aware ICMP is actually quite important, so you don't want to
block all ICMP protocols and just permit echoreq. There are documents
online which discuss what blocking all ICMP types can do.

> #ftp proxy rubbish for passive ftp
>
> pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
> pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state

FTP is actually a TCP-based protocol, despite what you see in
/etc/services for ports.

> pass quick on $int_if

Consider using "set skip on $int_if" instead, if this is really what you
want.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
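As an added example that is not part of the thread, the fragment below puts each rule questioned in the reply beside the form Jeremy suggests, in the pf.conf syntax the post uses. Interface names, service ports, the passive FTP range and the contents of the <private_net> table are assumed.

```pf
ext_if = "em0"                        # assumed external interface
int_if = "em1"                        # assumed internal interface
public_services = "{ 22, 80, 443 }"   # assumed public service ports
PassiveFTP = "49152:65535"            # assumed passive FTP data range
# more than echoreq: unreach carries path-MTU feedback, timex serves traceroute
icmp_types = "{ echoreq, unreach, timex, paramprob }"

# RFC 1918 ranges, assumed to be what <private_net> held in the original
table <private_net> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0        # already in the original; makes "pass quick on $loop_if" redundant
set skip on $int_if    # replaces "pass quick on $int_if" when the LAN side is trusted

# Original:  SYN_ONLY="S/FSRA"
# Suggested: inspect only the SYN and ACK bits and require SYN alone set,
# i.e. match the first packet of a new connection and nothing mid-stream.
SYN_ONLY = "S/SA"

# Original:  block in quick on $ext_if from { <private_net> }
# Suggested: antispoof drops packets that arrive on another interface with a
# source in $ext_if's own network, and packets claiming $ext_if's own address
# (safe here only because lo0 is skipped). The table still covers the other
# private ranges, which antispoof does not know about.
antispoof quick for $ext_if inet
block in quick on $ext_if from <private_net>

# Original:  pass out keep state
# Suggested: TCP state is created only from the initial SYN, so later packets
# of an established connection are matched by the existing entry instead of
# spawning a fresh one; UDP and ICMP have no handshake and keep state as before.
pass out quick proto tcp all flags $SYN_ONLY keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

# Original:  ... from any to ($ext_if) port $public_services ...
# Suggested: the same rules with the parentheses removed, as in the reply.
pass in log on $ext_if inet proto tcp from any to $ext_if port $public_services flags $SYN_ONLY keep state
pass in log on $ext_if inet proto udp from any to $ext_if port $public_services keep state

# Inbound ICMP limited to the useful types listed above, not blocked outright.
pass in log inet proto icmp all icmp-type $icmp_types keep state

# FTP is TCP-only; the original's matching UDP rule was dead weight and is dropped.
pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP flags $SYN_ONLY keep state
```

Load it with `pfctl -nf /etc/pf.conf` first: the `-n` parse-only run reports macro or syntax mistakes without touching the running ruleset.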