From owner-freebsd-pf@FreeBSD.ORG Tue Jan 28 03:22:32 2014
In-Reply-To: <20140127192048.GS66160@FreeBSD.org>
References: <20140127192048.GS66160@FreeBSD.org>
Date: Mon, 27 Jan 2014 22:22:30 -0500
Subject: Re: PF in FreeBSD 10.0 Blocking Some SSH
From: Robert Simmons
To: freebsd-pf@freebsd.org

On Mon, Jan 27, 2014 at 2:20 PM, Gleb Smirnoff wrote:
> Robert,
>
> On Sun, Jan 26, 2014 at 06:19:34PM -0500, Robert Simmons wrote:
> R> Over the course of a few hours there are a handful of SSH packets that
> R> are being blocked both in and out. This does not seem to affect the
> R> SSH session, and all the blocked packets have certain flags set [FP.],
> R> [R.], [P.], [.], [F.]. The following is my ruleset abbreviated to the
> R> rules that apply to this problem:
> R>
> R> ext_if = "en0"
> R> allowed = "{ 192.168.1.10 }"
> R> std_tcp_in = "{ ssh }"
> R> block in log
> R> block out log (user)
> R> pass in quick on $ext_if proto tcp from $allowed to ($ext_if) port
> R> $std_tcp_in keep state
> R>
> R> Why are those packets being blocked?
>
> Do I understand you correct that the ssh sessions work well, but you
> see blocked packets in the pflog?

Yes, this is correct. I have not seen this in the logs since yesterday, so it
may have been a network issue.