Date: Mon, 27 Jan 2014 16:06:21 -0500 From: Jason Hellenthal <jhellenthal@dataix.net> To: Gleb Smirnoff <glebius@FreeBSD.org> Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org> Subject: Re: PF in FreeBSD 10.0 Blocking Some SSH Message-ID: <FA54EBD0-E7F1-43CF-A62D-4D13F5C38383@dataix.net> In-Reply-To: <20140127192048.GS66160@FreeBSD.org> References: <CA%2BQLa9D97WytnE2Yiy6VFXDrhcgLcpPGf2zB16urjf2Ms%2BrzFg@mail.gmail.com> <20140127192048.GS66160@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
I've seen similar things happen on SSH, that were due to a combination of "scrub"ing and states expiring. Turning off scrub rules on SSH specifically cured the scenario for me but I don't see an indication of whether or not you are using that.
You could also verify the states dropping by changing the optimization to conservative.
--
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN
> On Jan 27, 2014, at 14:20, Gleb Smirnoff <glebius@FreeBSD.org> wrote:
>
> Robert,
>
> On Sun, Jan 26, 2014 at 06:19:34PM -0500, Robert Simmons wrote:
> R> Over the course of a few hours there are a handful of SSH packets that
> R> are being blocked both in and out. This does not seem to affect the
> R> SSH session, and all the blocked packets have certain flags set [FP.],
> R> [R.], [P.], [.], [F.]. The following is my ruleset abbreviated to the
> R> rules that apply to this problem:
> R>
> R> ext_if = "en0"
> R> allowed = "{ 192.168.1.10 }"
> R> std_tcp_in = "{ ssh }"
> R> block in log
> R> block out log (user)
> R> pass in quick on $ext_if proto tcp from $allowed to ($ext_if) port
> R> $std_tcp_in keep state
> R>
> R> Why are those packets being blocked?
>
> Do I understand you correct that the ssh sessions work well, but you
> see blocked packets in the pflog?
>
> --
> Totus tuus, Glebius.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
[-- Attachment #2 --]
0 *H
01
0 +�0 *H
��90000
*H
�01
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0
130518085048Z
140519220947Z0H1 0
U
jhellenthal@dataix.net1%0# *H
jhellenthal@dataix.net0"0
*H
��0
�'`TmfkܨJ5u
+c'Upb`zv)&ȸXZ*VN6JvLoVoh}g
pQDŽKf/tZA˳(
"4Ԅ˻'d2h|
IBl' ^v^;'e8S99ۿVm|k8_UQtC"5l!kjZ]އQGn
\Bh!F
TsD%pV^Eӑd¨x"9
г"
f�00 U
0�0
U
0
U
%0++0
U
ڔfmVʢ$䟓0 U
#0Sr풜\|~5NԸQ0!U
0jhellenthal@dataix.net0LU
C0?0;
+70*0.+"http://www.startssl.com/policy.pdf0+00' StartCom Certification Authority0This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.06U
/0-0+)'%http://crl.startssl.com/crtu1-crl.crl0+009+0-http://ocsp.startssl.com/sub/class1/client/ca0B+06http://aia.startssl.com/certs/sub.class1.client.ca.crt0#U
0http://www.startssl.com/0
*H
��{0Ӹ,52W{Ey8b
[
{7�_+P"n["-,@ŽpJ-W$ݍjWA-6z( RdIZ.
KzXє[
K6}{s+v.Qh0PͅK
hTw�0I73lz*K
v4Kkگ63;p1:ױ@)]ok>:W%XwC1þL/o8~#oP040
0
*H
�0}1
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0
071024210155Z
171024210155Z01
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0"0
*H
��0
� -).2AUGo#G
B|NDRpM-B=o
-we5JQpa>O.#._<V
[~**pz~3WG�.ᘟMlr[<Ce6fqO"uxfWN#uicgkv$Lb%y`_{`xK'GN�00U
00U
0
U
Sr풜\|~5NԸQ0 U
#0N
@[i04hCA0f+Z0X0'+0http://ocsp.startssl.com/ca0-+0!http://www.startssl.com/sfsca.crt0[U
T0R0'%#!http://www.startssl.com/sfsca.crl0'%#!http://crl.startssl.com/sfsca.crl0U
y0w0u
+70f0.+"http://www.startssl.com/policy.pdf04+(http://www.startssl.com/intermediate.pdf0
*H
��
}x,\c^
#wMq}>UK/^yX֏y frMIŲB61ymQҨݬZ0&�;@#13qۑ& ̢o 6r_;GO>*I(
74XS1r3)!LJy6Kotˆ#
_wSr
;B
ADp(fs
䰷6%.W0J3:bC<8t X1<Cn=t==wST~\wkBf|15zUP)(IjVB!OfI=bb\4-*em/нSJm7N[]'@ڽ
D9Kr>R7/|o^I@ټ'Pa
$ z9a'L)(
I}vcH]۸D*W}
m>Q|C.(,lQ000
*H
�0}1
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0
060917194636Z
360917194636Z0}1
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0"0
*H
��0
� lF|x{3rb6 "$^wC
d̎68#nm<r
=3+/AYg}
tyL7z9RYFC҅qub4,
4ǖR=3M
;JK&/
r5w<]&6v\t%x- 0-ryF*I
cSb:̵fkt+v>mDsb ;ľSV%lQ ʿvmۿ=f
VH:KߧXP8u[C
lMp[)eݪ]̯1
ҍ{n'f
HnB?!>{
pclT\%zɢɋ,~^MXn
2n6IHiMi
y"H{ipz7
vOW`g:ԋr"Ɵƶ\R<*s
`z/ۣn&0݉W=+ŷv+*r3] KtRK�R0N0
U
00
U
0
U
N
@[i04hCA0dU
]0[0,*(&http://cert.startcom.org/sfsca-crl.crl0+)'%http://crl.startcom.org/sfsca-crl.crl0]U
T0P0L
+70;0/+#http://cert.startcom.org/policy.pdf05+)http://cert.startcom.org/intermediate.pdf0+00' Start Commercial (StartCom) Ltd.0Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://cert.startcom.org/policy.pdf0 `HB�08 `HB
+)StartCom Free SSL Certification Authority0
*H
��lf
4Ѕ^}
N8
^ߦ%K2;=D [I)f% <6+Kh9f=&9
Q{~ZWpi^X
ߌE8
^Wbz
)n(DÐ8<CMdE(\s{諱.\dns1:}Q;Mf{<Ӛ
ePu/CiyCFrd6%
8w~kjDKx,
KD4R'
]xS2݀fuٵh(a.8
gd./pǖ|eCTݥ9`4ɖp, H{
~k";*RKU"4N&",uJ}
d6/# ;sIjWxřCcMw-eriG V$ yX. ~m�>J9+u U77Cb VKel$$4"}?eQ
0j
r^1o0k001
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0 +�0 *H
1
*H
0
*H
1
140127210622Z0# *H
1*Bo[�@:50 +71001
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0
*H
101
0 UIL10U
StartCom Ltd.1+0)U
"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0
*H
��[I G{N盁Z[ͭB@'vy/$hC2dGsP`s-9e!@~b
}
ak_('#jW2侪9sh|9
=��[d^R$ff
b
AJ/xj&7؈8KzW5p>`Tb[rs&!S?Yow>?
qB�L`\%zQc*2������
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FA54EBD0-E7F1-43CF-A62D-4D13F5C38383>