PF in FreeBSD 10.0 Blocking Some SSH

Jason Hellenthal jhellenthal at dataix.net
Mon Jan 27 21:06:25 UTC 2014


I've seen similar things happen on SSH, that were due to a combination of "scrub"ing and states expiring. Turning off scrub rules on SSH specifically cured the scenario for me but I don't see an indication of whether or not you are using that.

You could also verify the states dropping by changing the optimization to conservative.

-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

> On Jan 27, 2014, at 14:20, Gleb Smirnoff <glebius at FreeBSD.org> wrote:
> 
>  Robert,
> 
> On Sun, Jan 26, 2014 at 06:19:34PM -0500, Robert Simmons wrote:
> R> Over the course of a few hours there are a handful of SSH packets that
> R> are being blocked both in and out. This does not seem to affect the
> R> SSH session, and all the blocked packets have certain flags set [FP.],
> R> [R.], [P.], [.], [F.]. The following is my ruleset abbreviated to the
> R> rules that apply to this problem:
> R> 
> R> ext_if = "en0"
> R> allowed = "{ 192.168.1.10 }"
> R> std_tcp_in = "{ ssh }"
> R> block in log
> R> block out log (user)
> R> pass in quick on $ext_if proto tcp from $allowed to ($ext_if) port
> R> $std_tcp_in keep state
> R> 
> R> Why are those packets being blocked?
> 
> Do I understand you correctly that the ssh sessions work well, but you
> see blocked packets in the pflog?
> 
> -- 
> Totus tuus, Glebius.
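The two checks Jason suggests, applied to the abbreviated ruleset Robert quoted. This is an added example, not configuration from any message in the thread; the `no scrub`/`scrub` lines and their ordering are assumptions, since the thread does not show whether scrub is configured at all, and the interface, address and port macros are the ones quoted above.

```pf
# Added example (not from the thread): Robert's abbreviated ruleset with
# Jason's two checks applied. Macro values are those quoted in the thread.
ext_if = "en0"
allowed = "{ 192.168.1.10 }"
std_tcp_in = "{ ssh }"

# Check 1: longer state timeouts, so the late FIN/RST/PSH segments of a
# closing SSH session still match an existing state instead of falling
# through to the logging block rules.
set optimization conservative

# Check 2: exclude SSH from normalization. Assumption: scrub rules are
# evaluated first-match, so the exclusion is placed before the general
# scrub rule; confirm against pf.conf(5) on the running release.
no scrub in on $ext_if proto tcp from $allowed to ($ext_if) port $std_tcp_in
scrub in on $ext_if all

block in log
block out log (user)
pass in quick on $ext_if proto tcp from $allowed to ($ext_if) port $std_tcp_in keep state
```

Load the ruleset with `pfctl -f /etc/pf.conf`, then compare `pfctl -st` (timeouts now in effect) and the `normalize` and `state-mismatch` counters in `pfctl -si` before and after a few SSH sessions close. If the blocked packets in pflog stop once timeouts are longer, the cause was state expiry; if they stop only once SSH is excluded from scrub, the cause was normalization.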