From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: "FreeBSD PF Pro List" <freebsd-pf@freebsd.org>
Date: Wed, 19 Sep 2007 20:42:51 +0300
Subject: pfctl -e and pfctl -d kills all connections
Hello Guys,

Here are my full rules. When I pfctl -e or pfctl -d all connections will die.

FreeBSD IM.WeArab.Net 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Tue Sep 18 10:06:42 CDT 2007
    arabian@IM.WeArab.Net:/usr/obj/usr/src/sys/IM i386

ext_if="fxp0"
int_if="lo0"

tcp_services = "{ domain, www, 123, 3306 }"
udp_services = "{ domain, 123, 514 }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              240.0.0.0/4 }"

icmp_types = "8"

table persist

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
set fingerprints "/etc/pf.os"

#scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if all reassemble tcp

antispoof for $ext_if inet
antispoof for $int_if

block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from to any
block quick from any to

# Pass ICMP Type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types

pass proto udp to any port $udp_services

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 200, max-src-conn-rate 30/3, \
    overload flush global)

pass out proto tcp to any flags S/SA
pass out proto { udp, icmp } to any
pass out on $ext_if inet proto udp from any to any \
    port 33433 >< 33626
# End

Do you know the cause?

-- 
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
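An added check from the editor, not part of the message above and not a FreeBSD tool. The caveat it encodes: with "synproxy state" pf completes the TCP handshake on behalf of the server and then rewrites the sequence numbers of every packet for the life of the connection (the same mechanism as "modulate state"), so those connections cannot survive pf being disabled, and connections set up while pf was off have no state entry and hit "block in log on $ext_if all" once it is enabled again. The script lists the rules in a pf.conf that depend on that rewriting, joining backslash-continued lines first, and shows the in-place reload ("pfctl -nf" to parse, "pfctl -f" to load) that replaces the ruleset without touching the state table. The sample ruleset is a constructed excerpt of the rules in the post with the unnamed overload table left out; the function names and the temporary file are the editor's.

```shell
#!/bin/sh
# Editor's example: assumes only POSIX sh, awk, grep, wc and mktemp.
set -eu

# Print every "pass" rule that relies on pf rewriting TCP sequence numbers
# ("synproxy state" or "modulate state"). Backslash-continued lines are
# joined first so a rule spread over several lines is matched as one.
seq_modulated_rules() {
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        { print buf $0; buf = "" }
    ' "$1" | grep -E '^[[:space:]]*pass[[:space:]].*(synproxy|modulate)[[:space:]]+state' || true
}

# Same check as a number, convenient for scripting and for a pre-change review.
seq_modulated_count() {
    seq_modulated_rules "$1" | wc -l | tr -d ' '
}

# Reload a ruleset in place: parse only (-n) first, then load (-f).
# Existing states are kept, so a pfctl -d / pfctl -e cycle is not needed
# to pick up rule changes. Requires root and a running pf; not run here.
pf_reload() {
    pfctl -nf "$1" && pfctl -f "$1"
}

# Constructed sample input: an excerpt of the post's rules, without the
# overload table whose name did not survive on the page.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ext_if="fxp0"
tcp_services = "{ domain, www, 123, 3306 }"
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 200, max-src-conn-rate 30/3)
pass out proto tcp to any flags S/SA
pass out proto { udp, icmp } to any
EOF

# Lists the one synproxy rule; these are the connections that die on pfctl -d.
seq_modulated_rules "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against /etc/pf.conf before a disable/enable cycle: any rule it prints is a reason to prefer pf_reload over pfctl -d followed by pfctl -e.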