From owner-freebsd-pf@FreeBSD.ORG Tue Sep 2 22:04:32 2008
Date: Tue, 02 Sep 2008 14:15:14 -0700
From: Gavin Spomer
To: freebsd-pf@freebsd.org
Message-id: <48BD4A72020000900001CC0D@hermes.cwu.edu>
Subject: PF is blocking inbound/outbound ssh, nothing else
List-Id: "Technical discussion and general questions about packet filter (pf)"

I've recently had to leave my firewall off on my test server because when I'm ssh-ed in and enable pf, I get "locked out".
:( It was working fine before and the only change that's happened recently is our university has a new ip range, but I've changed that in my config. I also have a production FreeBSD server which I can ssh to (thankfully) with pf enabled and its pf.conf is virtually the same.

My pf config relevant to this is:

    #### LISTS/MACROS:
    ext_if = "bce0"

    #### TABLES:
    table const { campus ip range omitted }

    #### OPTIONS:
    set skip on lo0

    #### NORMALIZATION:
    scrub in all

    #### FILTERING:
    # default deny everything in and log
    block in log on $ext_if all
    block out log on $ext_if all

    # activate spoofing
    antispoof log quick for $ext_if inet

    # ssh
    pass in on $ext_if proto tcp from to $ext_if port 22 flags S/SA keep state

    (other rules for other services/ports that are working go here)

    # let stuff out
    pass out on $ext_if proto { tcp, udp } from any to any keep state

/var/log/messages shows entries like:

    Sep 2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted

tcpdump -n -e -ttt -r /var/log/pflog shows entries like:

    32. 022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: P 1:97(96) ack 0 win 65535

and:

    2143. 098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326

My Mac is within the defined in my tables section. Only ssh is being blocked. Other things like port 80 for apache, port 3306 for MySQL, port 8080 for Plone, etc. are all fine.

I have searched the freebsd-pf list archives, but it only allows me one page of search results for some reason. I have also Googled a bit and have finally posted here. Very confused.

Gavin Spomer
Systems Programmer
Brooks Library
Central Washington University
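An added diagnostic, not part of Gavin's mail: the pflog records quoted above are PSH/ACK segments with no SYN, and a `pass ... flags S/SA keep state` rule creates state only from the SYN, so a TCP session that was already open when pf was enabled has no state entry and every later segment falls through to the default block rules. The script below sorts block records in the `tcpdump -r /var/log/pflog` format shown above into blocked SYNs (the pass rule itself did not match) and blocked mid-stream segments (no state); the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added diagnostic: sort pf "block ... (match)" records, as printed by
# "tcpdump -n -e -ttt -r /var/log/pflog", into blocked SYNs versus blocked
# mid-stream segments. A "pass ... flags S/SA keep state" rule only creates
# state from the SYN, so a session that predates "pfctl -e" has no state
# entry and its segments match the default block rules instead.

# Constructed sample modelled on the lines quoted in the mail; the
# addresses are placeholders, not real hosts. The sshd line is noise.
SAMPLE_PFLOG='32. 022410 rule 0/0(match): block in on bce0: 10.0.0.5.50186 > 10.0.0.1.22: P 1:97(96) ack 0 win 65535
2143. 098222 rule 1/0(match): block out on bce0: 10.0.0.1.22 > 10.0.0.5.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326
4. 000120 rule 0/0(match): block in on bce0: 192.0.2.9.41000 > 10.0.0.1.22: S 10:10(0) win 65535 <mss 1460>
Sep  2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted'

# Reads log lines on stdin; prints "<dir> <src> > <dst> <flags> <class>" per
# block record. class "syn": the pass rule did not match (check the source
# table and interface macro). class "midstream": no state entry existed.
classify_pflog() {
    awk '
    /rule [0-9]+\/[0-9]+\(match\): block (in|out) on/ {
        dir = $0;  sub(/.*block /, "", dir);  sub(/ on .*/, "", dir)
        hdr = $0;  sub(/.* on [^:]*: /, "", hdr);  sub(/: .*/, "", hdr)   # "src > dst"
        rest = $0; sub(/^.*: /, "", rest)                                  # "P 1:97(96) ack ..."
        split(rest, tok, " ")
        class = (index(tok[1], "S") > 0) ? "syn" : "midstream"
        print dir, hdr, tok[1], class
    }'
}

# Totals per class, as "syn=<n> midstream=<m>".
summarize_pflog() {
    classify_pflog | awk '{ c[$NF]++ } END { printf "syn=%d midstream=%d\n", c["syn"], c["midstream"] }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | classify_pflog
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```

A run on the real file is `tcpdump -n -e -ttt -r /var/log/pflog | classify_pflog`; a blocked SYN to port 22 from a host that should be in the table points at the table contents or the interface macro rather than at state, and `pfctl -t TABLENAME -T show` (TABLENAME being the table's real name) lists what pf actually loaded.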