From: "Torsten @ CNC-LONDON" <torsten@cnc-london.net>
To: freebsd-pf@freebsd.org
Date: Mon, 7 Apr 2008 23:02:33 +0100
Subject: SSH Session disconnecting with pf
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi All

I'm running FreeBSD 6.2-STABLE on all my servers, and over the past year I have noticed random disconnection of persistent sessions to and from the servers which are running PF as the firewall. At first I blamed internet connectivity issues for this and tried to sell it as "as good as it gets". Of course I noticed it first with SSH connections, and later on with FTP NOOP connections and so on. This dropping causes SSH to need reconnecting and FTP to stall indefinitely until a new login. People are starting to get quite spooked about it, especially SSH users, because of interrupted sessions and tunneling. I have tried to find the reason for this. Any help would be very much appreciated.

Regards
Torsten

All kernels are compiled with:
****************************************
# pf firewall start
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ        # Class Based Queuing (CBQ)
options ALTQ_RED        # Random Early Detection (RED)
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ       # Priority Queuing (PRIQ)
options ALTQ_NOPCC      # Required for SMP build
# PF firewall end
options SMP
options QUOTA
****************************************
All other options are left alone.

My pf.conf looks like this (sorry, I changed the external IP addresses because I don't trust myself to have done the right thing):
*****************************
### MACROS
ext_if = "em0"
int_if = "vr0"
ext_ip = "{ 0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5 }"
loop_if = "lo0"
SYN_ONLY = "S/FSRA"
icmp_types = "echoreq"
office_ip = "{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4, 1.0.0.5, 1.0.0.6, 1.0.0.7 }"
public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993, 995, 8025 }"
PassiveFTP = "{ 55000 >< 59000 }"

## TABLES
# private IP address spaces
table { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
# blacklist hosts
table persist file "/usr/local/etc/pf/pf.blacklist"

## GLOBAL OPTIONS
set block-policy return
set loginterface $ext_if
set optimization normal
set skip on lo0

## TRAFFIC NORMALIZATION
scrub in all no-df
scrub out all no-df

## FILTER RULES
# in general block all connections and allow later below
block in
# allow all on loop interface
pass quick on $loop_if
# block all private ip addresses
block in quick on $ext_if from { }
# allow any connection from the server to go out
pass out keep state
# allow tcp/udp connections to the above ports from external
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state
# allow ping requests from anywhere but filter them
pass in log inet proto icmp all icmp-type $icmp_types keep state
# allow any connection from management IPs
pass in log quick on $ext_if proto udp from $office_ip to $ext_if keep state
pass in log quick on $ext_if proto tcp from $office_ip to $ext_if flags $SYN_ONLY keep state
# blacklist spam networks and so on
block log quick from to any
block log quick from any to
# ftp proxy rubbish for passive ftp
pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state
pass quick on $int_if
****************************
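Editorial note (added example, not code from the poster or from the FreeBSD project): the first thing to establish with a ruleset like the one above is whether pf itself is dropping packets of already established sessions. With `keep state`, pf logs only the packet that creates a state; every later packet of the session matches the state table, not a rule, and never reaches pflog. So if a state expires or is flushed mid-session, the next packet of that session falls through to the default `block in`, and because that rule carries no `log` keyword in the posted pf.conf, the drop is invisible. The script below assumes that rule has been temporarily changed to `block in log` and that the log was captured with `tcpdump -n -e -i pflog0 tcp port 22` on a FreeBSD 6.x tcpdump (flag column `S`, `.`, `P`, `F`, `R`, with `ack N` printed as a separate field). It classifies every blocked TCP packet as either a refused bare SYN (expected) or a mid-session packet with no state (the signature of state loss). The sample log lines are constructed, the file name `pflog_stateloss.py` is hypothetical, and the `0.0.0.1` / `1.0.0.1` addresses are the placeholders from the poster's `ext_ip` and `office_ip` macros.

```python
"""Scan pflog output for packets of established TCP sessions that pf dropped.

Added diagnostic for the "SSH session disconnecting with pf" post; not code
from the poster or from the FreeBSD project.  Assumptions:
  * the default rule was temporarily changed from `block in` to `block in log`
    (the posted pf.conf does not log packets hitting that rule);
  * the log was captured with `tcpdump -n -e -i pflog0 tcp port 22` on a
    FreeBSD 6.x tcpdump, whose flag column reads S, ., P, F, R and prints
    "ack N" as a separate field;
  * the sample lines below are constructed; 0.0.0.1 / 1.0.0.1 are the
    placeholder addresses from the poster's ext_ip and office_ip macros.
"""
import re
import sys
from dataclasses import dataclass

# One pflog line as printed by `tcpdump -n -e -i pflog0` (old flag syntax).
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[\w-]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Drop:
    line_no: int
    flow: tuple          # direction-independent ((ip, port), (ip, port))
    kind: str            # "refused-syn" or "stateless-drop"
    seen_passing: bool   # a pass for this flow was logged earlier


def flow_key(src, sport, dst, dport):
    """Normalise a TCP 4-tuple so both directions map to the same key."""
    return tuple(sorted([(src, int(sport)), (dst, int(dport))]))


def find_drops(lines):
    """Return one Drop per blocked TCP packet, classified by what it implies.

    With `keep state`, pf logs only the packet that creates the state; later
    packets match the state table, not a rule.  A *blocked* packet that is not
    a bare SYN therefore arrived with no matching state: the signature of a
    state that expired or was flushed mid-session.  A blocked bare SYN is just
    a connection attempt the ruleset refused, which is expected.
    """
    passed = set()
    drops = []
    for line_no, line in enumerate(lines, 1):
        m = PFLOG_RE.search(line)
        if not m:
            continue                      # not a TCP line in this format
        key = flow_key(m["src"], m["sport"], m["dst"], m["dport"])
        if m["action"] == "pass":
            passed.add(key)
            continue
        bare_syn = "S" in m["flags"] and " ack " not in m["rest"]
        kind = "refused-syn" if bare_syn else "stateless-drop"
        drops.append(Drop(line_no, key, kind, key in passed))
    return drops


def state_loss(lines):
    """Only the drops that indicate a lost state, i.e. mid-session packets."""
    return [d for d in find_drops(lines) if d.kind == "stateless-drop"]


# Constructed sample: an SSH session from the office range is admitted
# (line 1), a stranger's SYN is refused (line 2), then 43 minutes later the
# office session's data and ACK packets hit the block rule (lines 3-4), and a
# stray ACK with no logged history shows up (line 5).
SAMPLE = """\
23:02:10.000001 rule 9/0(match): pass in on em0: 1.0.0.1.51022 > 0.0.0.1.22: S 1000:1000(0) win 65535 <mss 1460>
23:02:10.000002 rule 0/0(match): block in on em0: 203.0.113.9.40123 > 0.0.0.1.22: S 2000:2000(0) win 5840
23:45:01.000003 rule 0/0(match): block in on em0: 1.0.0.1.51022 > 0.0.0.1.22: P 1453:1505(52) ack 2601 win 33304
23:45:02.000004 rule 0/0(match): block in on em0: 1.0.0.1.51022 > 0.0.0.1.22: . ack 2601 win 33304
23:50:00.000005 rule 0/0(match): block in on em0: 198.51.100.7.33333 > 0.0.0.1.22: . ack 1 win 1024
"""

if __name__ == "__main__":
    # Usage: tcpdump -n -e -i pflog0 tcp port 22 | python3 pflog_stateloss.py
    # With nothing piped in, the constructed SAMPLE is scanned instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for d in state_loss(source):
        a, b = d.flow
        hint = "previously passed" if d.seen_passing else "no earlier pass logged"
        print(f"line {d.line_no}: mid-session packet dropped for "
              f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} ({hint})")
```

If the script reports mid-session drops, the next checks are `pfctl -s timeouts` (the `tcp.established` value in force under `set optimization normal`) and the `state-mismatch` counter in `pfctl -s info`; if it reports nothing while sessions still die, pf's state table is not where the sessions are being lost.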