From owner-freebsd-pf@FreeBSD.ORG  Thu Aug  4 17:53:03 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8383A16A41F
	for <freebsd-pf@freebsd.org>; Thu,  4 Aug 2005 17:53:03 +0000 (GMT)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DEA4D43D45
	for <freebsd-pf@freebsd.org>; Thu,  4 Aug 2005 17:53:02 +0000 (GMT)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1])
	by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id j74Hr3Iw004770
	(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO);
	Thu, 4 Aug 2005 19:53:03 +0200 (MEST)
Received: (from dhartmei@localhost)
	by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j74Hr3Ka024350;
	Thu, 4 Aug 2005 19:53:03 +0200 (MEST)
Date: Thu, 4 Aug 2005 19:53:03 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Rod <rod@supanet.net.uk>
Message-ID: <20050804175303.GI11104@insomnia.benzedrine.cx>
References: <1123177703.24009.29.camel@torgau.office.netline.net.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1123177703.24009.29.camel@torgau.office.netline.net.uk>
User-Agent: Mutt/1.5.6i
Cc: freebsd-pf@freebsd.org
Subject: Re: PF, SSH closed by remote host
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2005 17:53:03 -0000

On Thu, Aug 04, 2005 at 06:48:23PM +0100, Rod wrote:

> Have tried lists,google and multiple different variations of the above
> pf.conf but it's still happening. Any suggests?

Enable debug logging in pf (pfctl -xm), make sure all blocked packets
are logged and pflogd is running. Print the current counters values
(pfctl -si). Then reproduce the connection reset. Afterwards:

  - check /var/log/messages for any messages from pf
  - check pflog for any logged packets
  - print the counters again (pfctl -si) and check if any of them
    have increased

It might be neccessary to tcpdump one entire ssh connection (from
establishment to the point where its reset) to fully analyze the
problem, but maybe the simpler steps above will already give a hint.

Daniel