From: Artiom Molchanov
Date: Wed, 5 Jun 2013 15:53:53 +0200
Subject: Simple config works for a limited time then blocks all
To: freebsd-pf@freebsd.org

Hi All,

I am trying to configure my pf in two stages.
At the beginning of the boot process, just load a simple ruleset with only ssh and ICMP ping enabled. Then at the end load the full ruleset. The full ruleset works well, but when I am trying to test my simple rules (pfctl -f /etc/pf_min.conf) I have a strange behavior:

1. ssh connection is interrupted (normal)
2. I reconnect, it works
3. 1-2 minutes later the connection is cut again, no ping, nothing is accepted on the server.
4. It is still possible to receive rtadvd messages (yes, I am using IPv6)

I have 9.0-RELEASE: FreeBSD 9.0-RELEASE #5

Here are my rules passed through the pfctl -vnf command:

set skip on { lo }
set debug loud
set block-policy return
ext_if = "net0"
int_if = "home0"
int_net = "home0:network"
altq on net0 hfsc bandwidth 850Kb tbrsize 1492 queue { q_voice q_other }
queue q_voice bandwidth 64Kb priority 6 hfsc( realtime 128Kb )
queue q_other bandwidth 786Kb priority 5 { q_pri q_std q_low }
queue q_pri bandwidth 50% priority 3 hfsc( red realtime 96Kb )
queue q_std bandwidth 30% priority 2 hfsc( red default )
queue q_low bandwidth 20% hfsc( red upperlimit 92% )
block return in all
pass out all flags S/SA keep state
pass out on net0 proto udp from any to any port 33433 >< 33626 keep state label "UDP TRACEROUTE"
pass out inet proto icmp all icmp-type echoreq keep state label "ICMP"
pass out inet proto icmp all icmp-type unreach keep state label "ICMP"
pass in on net0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass quick on net0 proto tcp from any to (net0) port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 5/60, overload flush, src.track 60) queue q_pri
pass quick on home0 inet6 proto tcp from 2001:xxxx:xxxx:abc::/64 to (home0)/32 port = ssh flags S/SA keep state
pass quick on home0 inet proto tcp from 192.168.17.0/24 to (home0) port = ssh flags S/SA keep state
pass inet6 proto tcp from 2001:xxxx:xxxx:abc::/64 to any port = domain flags S/SA keep state
pass inet6 proto udp from 2001:xxxx:xxxx:abc::/64 to any port = domain keep state
pass inet proto tcp from 192.168.17.0/24 to any port = domain flags S/SA keep state
pass inet proto udp from 192.168.17.0/24 to any port = domain keep state
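As an added check that is not part of the original post: a small Python script that parses rules in the pfctl -vnf format shown above and lists, per interface and direction, which ICMPv6 neighbor-discovery types have no explicit pass rule. The sample rules are a constructed subset of the quoted ruleset, and the interface names net0 and home0 are taken from it.

```python
import re
# Constructed sample: a subset of the pfctl -vnf output quoted in the post.
SAMPLE_RULES = """
block return in all
pass out all flags S/SA keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass quick on net0 proto tcp from any to (net0) port = ssh flags S/SA keep state
""".strip().splitlines()

# ICMPv6 types that neighbor discovery (RFC 4861) relies on.
ND_TYPES = ("neighbrsol", "neighbradv", "routersol", "routeradv")

# Matches pf 'pass' rules for ICMPv6 and captures direction, interface and type.
RULE_RE = re.compile(
    r"^pass\s+(?:quick\s+)?(?:(?P<dir>in|out)\s+)?"
    r"(?:on\s+(?P<iface>\S+)\s+)?"
    r"(?:inet6\s+)?proto\s+ipv6-icmp\s.*?\bicmp6-type\s+(?P<type>\S+)"
)

def nd_coverage(rules, interfaces):
    """Map (iface, direction) -> icmp6-types an explicit pass rule allows.
    A bare 'pass out all' counts as covering every type outbound."""
    cover = {(i, d): set() for i in interfaces for d in ("in", "out")}
    for line in rules:
        line = line.strip()
        if re.match(r"^pass\s+out\s+all\b", line):
            for i in interfaces:
                cover[(i, "out")].update(ND_TYPES)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not an ICMPv6 pass rule
        ifaces = [m.group("iface")] if m.group("iface") else interfaces
        dirs = [m.group("dir")] if m.group("dir") else ["in", "out"]
        for i in ifaces:
            for d in dirs:
                if (i, d) in cover:
                    cover[(i, d)].add(m.group("type"))
    return cover

def missing_nd(rules, interfaces):
    """Sorted (iface, direction, type) triples with no explicit pass rule."""
    return sorted((i, d, t) for (i, d), ok in nd_coverage(rules, interfaces).items()
                  for t in ND_TYPES if t not in ok)
```

It only looks at explicit pass rules and does not model pf state, so a type it reports may still be allowed through a state created by traffic in the opposite direction.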