Date: Tue, 2 Sep 2008 16:23:18 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Gavin Spomer <spomerg@cwu.EDU>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF is blocking inbound/outbound ssh, nothing else
Message-ID: <20080902232318.GA80242@icarus.home.lan>
In-Reply-To: <48BD4A72020000900001CC0D@hermes.cwu.edu>
References: <48BD4A72020000900001CC0D@hermes.cwu.edu>
On Tue, Sep 02, 2008 at 02:15:14PM -0700, Gavin Spomer wrote:
> I've recently had to leave my firewall off on my test server because
> when I'm ssh-ed in and enable pf, I get "locked out". :( It was working
> fine before and the only change that's happened recently is our
> university has a new ip range, but I've changed that in my config. I
> also have a production FreeBSD server of which I can ssh to (thankfully)
> with pf enabled and its pf.conf is virtually the same.
>
> My pf config relevant to this is:
>
> #### LISTS/MACROS:
> ext_if = "bce0"
>
> #### TABLES:
> table <campusaccess> const { campus ip range omitted }
>
> #### OPTIONS:
> set skip on lo0
>
> #### NORMALIZATION:
> scrub in all
>
> #### FILTERING:
> # default deny everything in and log
> block in log on $ext_if all
> block out log on $ext_if all
>
> # activate spoofing
> antispoof log quick for $ext_if inet
>
> # ssh for <campusaccess>
> pass in on $ext_if proto tcp from <campusaccess> to $ext_if port 22 flags S/SA keep state
>
> (other rules for other services/ports that are working go here)
>
> # let stuff out
> pass out on $ext_if proto { tcp, udp } from any to any keep state
>
> /var/log/messages shows entries like:
>
> Sep 2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted
>
> tcpdump -n -e -ttt -r /var/log/pflog shows entries like:
>
> 32. 022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
>
> and:
>
> 2143. 098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
>
> My Mac is within the <campusaccess> defined in my tables section. Only
> ssh is being blocked. Other things like port 80 for apache, port 3306
> for MySQL, port 8080 for Plone, etc. are all fine.
>
> I have searched the freebsd-pf list archives, but it only allows me one
> page of search results for some reason. I have also Googled a bit and
> have finally posted here. Very confused.

The version of FreeBSD you're using is important here. What version?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
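The two pflog records quoted above, run through an added triage script that is not part of the thread: it sorts blocked port-22 records by whether the segment carried a SYN, because a "flags S/SA keep state" rule only creates state on the SYN, so an ssh session set up before pf was enabled shows up as exactly the P/ack segments quoted and falls through to the default block rule, while a blocked SYN points at the pass rule or the table instead. The sample records and their addresses are constructed; the third record, a SYN from outside the table, is added for contrast.

```shell
#!/bin/sh
# Added example (not from the thread): triage the "block" records that
# tcpdump -n -e -ttt -r /var/log/pflog prints, as quoted in the message.
# A record whose TCP flags carry no SYN is a segment of an already
# established session that pf had no state entry for (the session was
# set up before pf was enabled, or the state was lost); a blocked SYN
# means the pass rule or the <campusaccess> table did not match.

# Constructed sample in the same format as the quoted records. Addresses
# are made up; the third record is an added SYN from outside the table.
SAMPLE_PFLOG='000032. 022410 rule 0/0(match): block in on bce0: 10.1.2.3.50186 > 192.0.2.10.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
002143. 098222 rule 1/0(match): block out on bce0: 192.0.2.10.22 > 10.1.2.3.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
000003. 000100 rule 0/0(match): block in on bce0: 203.0.113.5.40000 > 192.0.2.10.22: S 1:1(0) win 65535 <mss 1460>'

# Read pflog text on stdin; print "dir src > dst flags verdict" for every
# blocked record where either end is TCP port 22. Handles the old
# "P 1:97(96)" flag style quoted above and the newer "Flags [P.]" style.
classify_pflog() {
    awk '
    /\(match\): block/ {
        dir = ""; src = ""; dst = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "block") dir = $(i + 1)
            if ($i == ">") {
                src = $(i - 1); dst = $(i + 1); flags = $(i + 2)
                if (flags == "Flags") flags = $(i + 3)
            }
        }
        sub(/:$/, "", dst)
        if (src !~ /\.22$/ && dst !~ /\.22$/) next
        verdict = (flags ~ /S/) ? "NEW-CONN-BLOCKED" : "NO-STATE-MIDSTREAM"
        print dir, src, ">", dst, flags, verdict
    }'
}

# Number of port-22 records blocked without a SYN: if this is non-zero
# while no SYNs were blocked, the rule set is not the problem, the
# missing state entry is.
count_no_state() {
    classify_pflog | awk '$NF == "NO-STATE-MIDSTREAM" { n++ } END { print n + 0 }'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PFLOG" | classify_pflog
fi
```

Run it as "sh triage.sh --demo" to see the constructed records classified, or pipe real tcpdump output into classify_pflog.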