From: Elliott Perrin <elliott@c7.ca>
To: freebsd-pf@freebsd.org
Subject: Re: SSH Session disconnecting with pf
Date: Mon, 07 Apr 2008 19:17:29 -0400
Message-Id: <1207610249.32218.143.camel@kensho.c7.ca>
In-Reply-To: <20080407230750.GA15720@eos.sc1.parodius.com>
References: <003801c898fb$16a897a0$43f9c6e0$@net> <20080407230750.GA15720@eos.sc1.parodius.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

See below.

On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > I'm running FreeBSD stable 6.2 on all my servers and in the past one year I
> > noticed a random disconnection of persistent sessions to and from servers
> > which are running PF as the firewall.
>
> The big problem with your rules looks to be how you're determining SYN,
> and how you're using keep state.
>
> Below are some comments.
>
> > SYN_ONLY="S/FSRA"
>
> This is very, very wrong, and probably the cause of your issues. This
> should be S/SA.

That is not very, very wrong. Any TCP session starting up should only have
the SYN flag set out of SYN, FIN, ACK and RST. As a matter of fact this is
in theory a more secure setting than S/SA (SYN out of SYN ACK).

Cheers,

Elliott Perrin
elliott@c7.ca
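To make the disagreement above concrete, here is an added example (not from the thread or from pf itself) that models pf's `flags a/b` matching as documented in pf.conf(5): of the flags listed in b, exactly those listed in a must be set, and flags outside b are not examined. It assumes the standard TCP header bit values and evaluates both specs from the thread against arbitrary flag combinations, so you can see where S/SA and S/FSRA agree and where they differ.

```python
# Added example: a minimal model of pf's "flags a/b" matching, assumed from
# pf.conf(5) semantics. Not the pf kernel code; a simplified illustration.

# TCP flag letters as pf.conf spells them, mapped to TCP header bits.
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_mask(letters: str) -> int:
    """Turn a letter string such as 'SA' into a bitmask of TCP flag bits."""
    mask = 0
    for letter in letters:
        if letter not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {letter!r}")
        mask |= TCP_FLAG_BITS[letter]
    return mask


def flags_match(spec: str, packet_flags: int) -> bool:
    """Return True if a packet with these flag bits matches 'flags <spec>'.

    spec is 'any' (matches everything) or 'a/b' as written in pf.conf.
    """
    if spec == "any":
        return True
    want, check = spec.split("/", 1)
    want_bits, check_bits = flags_mask(want), flags_mask(check)
    if want_bits & ~check_bits:
        raise ValueError("flags in 'a' must be a subset of those in 'b'")
    # Only the bits named in 'b' are examined; among them, exactly 'a' is set.
    return packet_flags & check_bits == want_bits


def compare_specs(packet_flags: int) -> dict:
    """Evaluate the two specs from the thread against one packet's flags."""
    return {spec: flags_match(spec, packet_flags) for spec in ("S/SA", "S/FSRA")}
```

A plain SYN matches both specs; a SYN with FIN or RST also set matches S/SA but not S/FSRA, which is the extra strictness Elliott refers to.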