PF, SSH closed by remote host
Giovanni P. Tirloni
gpt at tirloni.org
Thu Aug 4 18:50:57 GMT 2005
Rod wrote:
> Hi,
>
> I was wondering if anyone has come across this before.
>
> I'm running FreeBSD 5.4-RELEASE running PF from rc.conf. I ssh into this
> box as a non-root user then su. On doing a ps -auwx I instantly get
> disconnected with Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed.
>
> If I disable PF everything is fine (pfctl -d).
>
> e.g. :
>
> lfs2# ps -auwx
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME
> COMMAND
> root 11 99.0 0.0 0 8 ?? RL 4:48PM 152:49.91 [idle]
> root 0 0.0 0.0 0 0 ?? DLs 4:48PM 0:00.01
> [swapper]Connection to 192.168.2.3 closed by remote host.
> Connection to 192.168.2.3 closed.
>
> rc.conf :
>
> # Packet Filtering
> pf_enable="YES" # Enable PF (load module if required)
> pf_rules="/etc/pf.conf" # rules definition file for pf
> pf_flags="" # additional flags for pfctl startup
> pflog_enable="YES" # start pflogd(8)
> pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
> pflog_flags="" # additional flags for pflogd startup
>
> This is my pf.conf :
>
> ext_if="em0"
> external_addr="192.168.2.3"
> box_admins = "{192.168.2.8 192.168.2.9 192.168.20 192.168.45}"
>
> set fingerprints "/etc/pf.os"
> set block-policy drop
> scrub in all
> block in all
> block out all
> block in log all
Ok, you're blocking everything in and out. Could be only "block all".
> #Allow Admins
> pass in on $ext_if from $box_admins to any
>
>
> #icmp, ping etc
> pass in on $ext_if proto icmp all
>
> #allow outbound and keep states
> pass out on $ext_if proto { tcp, udp, icmp } all keep state
You are permitting the $box_admins machines to send packets but aren't
keeping state on those connections. AFAIK, the last rule won't keep
state for connections that arrived from outside.
So I think adding "keep state" to that first pass rule would help.
--
Giovanni P. Tirloni
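The two changes Giovanni suggests (collapse the three block rules into "block all", and add "keep state" to the admin pass rule), written out as a complete ruleset. This is an added illustration, not a configuration from either poster; the admin list is shortened to the two complete addresses in Rod's post, and the pfctl commands in the comments are the standard ones for syntax-checking a ruleset and inspecting the state table.

```pf
# Added example: Rod's pf.conf with the changes proposed in the reply.
ext_if="em0"
external_addr="192.168.2.3"
# Only the two complete addresses from the original post are kept here.
box_admins = "{ 192.168.2.8 192.168.2.9 }"

set fingerprints "/etc/pf.os"
set block-policy drop
scrub in all

# One rule replaces "block in all", "block out all" and "block in log all".
# Logging is kept so dropped packets still show up in /var/log/pflog.
block log all

# Admin workstations: "keep state" is the added part. The first packet of
# each inbound admin connection now creates a state entry, so every later
# packet of that connection (in both directions) is matched by the state
# rather than re-evaluated against the block rule.
pass in on $ext_if from $box_admins to any keep state

# icmp, ping etc
pass in on $ext_if proto icmp all keep state

# Outbound traffic originated by this host
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Checks after editing (run as root):
#   pfctl -nf /etc/pf.conf     # parse only, report syntax errors, load nothing
#   pfctl -f /etc/pf.conf      # load the ruleset
#   pfctl -s state             # an ESTABLISHED entry for the admin's ssh
#                              # session (port 22) should be listed
```

If the state entry for the SSH session is present in pfctl -s state and the session still drops on ps -auwx, the cause lies elsewhere than the missing keep state.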