PF is blocking inbound/outbound ssh, nothing else
Gavin Spomer
spomerg at cwu.EDU
Tue Sep 2 22:04:32 UTC 2008
I've recently had to leave my firewall off on my test server because when I'm ssh-ed in and enable pf, I get "locked out". :( It was working fine before and the only change that's happened recently is our university has a new IP range, but I've changed that in my config. I also have a production FreeBSD server which I can ssh to (thankfully) with pf enabled, and its pf.conf is virtually the same.
My pf config relevant to this is:
#### LISTS/MACROS:
ext_if = "bce0"
#### TABLES:
table <campusaccess> const { campus ip range omitted }
#### OPTIONS:
set skip on lo0
#### NORMALIZATION:
scrub in all
#### FILTERING:
# default deny everything in and log
block in log on $ext_if all
block out log on $ext_if all
# activate spoofing
antispoof log quick for $ext_if inet
# ssh for <campusaccess>
pass in on $ext_if proto tcp from <campusaccess> to $ext_if port 22 flags S/SA keep state
(other rules for other services/ports that are working go here)
# let stuff out
pass out on $ext_if proto { tcp, udp } from any to any keep state
/var/log/messages shows entries like:
Sep 2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted
tcpdump -n -e -ttt -r /var/log/pflog shows entries like:
32. 022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
and:
2143. 098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
My Mac is within the <campusaccess> defined in my tables section. Only ssh is being blocked. Other things like port 80 for apache, port 3306 for MySQL, port 8080 for Plone, etc. are all fine.
I have searched the freebsd-pf list archives, but it only allows me one page of search results for some reason. I have also Googled a bit and have finally posted here. Very confused.
Gavin Spomer
Systems Programmer
Brooks Library
Central Washington University
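The pflog lines quoted above show why an SSH session that was already open when pf was enabled gets blocked: both packets carry PSH+ACK with no SYN, so a pass rule written with `flags S/SA keep state` cannot match them (that rule only matches the SYN of a new connection and creates state from it), and with no state entry they fall through to the default block. The following script is an added example, not part of the original post or of pf itself; it parses tcpdump-style pflog lines in the format shown above and reports, for each blocked SSH packet, whether a `flags S/SA` rule could have matched it. The sample log lines are constructed and the addresses are placeholders.

```python
import re

# Constructed sample in the style of the "tcpdump -n -e -ttt -r /var/log/pflog"
# lines quoted in the post; addresses are documentation placeholders, not real hosts.
SAMPLE_PFLOG = """\
32. 022410 rule 0/0(match): block in on bce0: 192.0.2.10.50186 > 192.0.2.20.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
2143. 098222 rule 1/0(match): block out on bce0: 192.0.2.20.22 > 192.0.2.10.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
7. 000512 rule 0/0(match): block in on bce0: 192.0.2.10.50300 > 192.0.2.20.22: S 4111:4111(0) win 65535 <mss 1460,nop,wscale 3>
"""

# One logged TCP packet in the classic tcpdump line format:
#   "<flags> [seq:seq(len)] [ack N] win W"; flag letters S F P R W E, "." = none.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+) (?:\d+:\d+\(\d+\) )?(?P<ack>ack \d+)?"
)

def matches_flags_s_sa(flags: str, has_ack: bool) -> bool:
    """pf 'flags S/SA': of the SYN and ACK bits, SYN set and ACK clear.
    Only the first packet of a new connection looks like this."""
    return "S" in flags and not has_ack

def triage_pflog(text: str, ssh_port: int = 22) -> list:
    """Classify each blocked SSH packet: could a 'flags S/SA keep state'
    pass rule have matched it and created state?"""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or ssh_port not in (int(m["sport"]), int(m["dport"])):
            continue
        has_ack = m["ack"] is not None
        syn_only = matches_flags_s_sa(m["flags"], has_ack)
        if syn_only:
            reason = "new connection (SYN only): the S/SA pass rule would match and create state"
        else:
            reason = ("mid-stream segment (no SYN, ACK set): needs an existing state entry; "
                      "a session opened before pf was enabled has none and hits the default block")
        findings.append({
            "rule": int(m["rule"]), "dir": m["dir"], "ifname": m["ifname"],
            "src": f'{m["src"]}:{m["sport"]}', "dst": f'{m["dst"]}:{m["dport"]}',
            "flags": m["flags"], "ack": has_ack,
            "could_match_syn_rule": syn_only, "reason": reason,
        })
    return findings

if __name__ == "__main__":
    for f in triage_pflog(SAMPLE_PFLOG):
        print(f'{f["dir"]:3} rule {f["rule"]} {f["src"]} > {f["dst"]} '
              f'flags={f["flags"]} ack={f["ack"]}: {f["reason"]}')
```

Run it against a real `tcpdump -n -e -ttt -r /var/log/pflog` capture to see whether the blocked packets are mid-stream segments (a pre-existing session with no state) or fresh SYNs (the pass rule itself is not matching).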