|
|
|
|
|
|||||||
| Networking Network related discussions (including general TCP/IP stuff, routing, etc). |
 |
|
|
Thread Tools | Display Modes |
|
#1
December 1st, 2009, 00:01
|
|||
|
|||
Dropped SSH Connections
I have two machines with different network cards. On the first machine, when I restart anything to do with the networking, e.g. "/etc/rc.d/netif restart" or "/etc/rc.d/ipfw restart" it will maintain the ssh connection through the restart. This machine is running FreeBSD 7.2 with the following hardware:
Code:
$ pciconf -vl
...
bce0@pci0:9:0:0: class=0x020000 card=0x01b31028 chip=0x164c14e4 rev=0x12 hdr=0x00
vendor = 'Broadcom Corporation'
device = 'Broadcom NetXtreme II Gigabit Ethernet Adapter (BCM5708)'
class = network
subclass = ethernet
...
It is running this hardware: Code:
$ pciconf -vl
...
em0@pci0:5:0:0: class=0x020000 card=0x34768086 chip=0x10968086 rev=0x01 hdr=0x00
vendor = 'Intel Corporation'
device = 'Intel PRO/1000 EB (Intel PRO/1000 EB)'
class = network
subclass = ethernet
...
Any clues as to why this happens? Generally, is this likely to be a difference in hardware capabilities, or is it a software configuration problem? Thanks in advance. 
|
|
#3
December 1st, 2009, 00:58
|
|||
|
|||
|
I just double-checked. I'm now using IPFW on the 7.2 machine and PF on the 8.0 machine. Restarting netif on the 8.0 machine now maintains the connection, but restarting PF results in a dropped connection. Restarting both netif and IPFW on the 7.2 machine maintains the connection.
I'm beginning to suspect that it is actually a firewall problem. Maybe I'm missing an 'established' rule on the PF side of things. I'll change it up and report back.
|
|
#4
December 1st, 2009, 01:04
|
|||
|
|||
|
That is correct behaviour. When you restart pf using the RC script it probably clears PF's state table. You should not be adding "established" rules to a stateful firewall as that entirely defeats the point of a stateful firewall. The key is to avoid resetting the firewall's state table.
Why are you restarting PF? If you just want to reload the ruleset, use pfctl(8) instead.
|
|
#6
December 1st, 2009, 21:13
|
|||
|
|||
|
Thank you all for your expertise & replies. I've fixed the problem.
|
|
#7
December 1st, 2009, 22:30
|
||||
|
||||
|
How? Share solutions.
__________________
FreeBSD Forums: Information for New Members | FreeBSD Forums Rules FreeBSD Resources: The FreeBSD Handbook | Manuals | FAQ | Wiki Before you post: How to ask questions the smart way If you must know .. So, what does an Adminstrator/Moderator do? ---> Do not PM me with FreeBSD questions. I do not work here. <---
|
|
#8
December 2nd, 2009, 18:59
|
||||
|
||||
|
It could also be a difference between the "default rule" for IPFW and PF. I don't know about PF, but IPFW's default rule is "deny ip from any to any", which will kill all active network connections when you restart/reload IPFW rules.
However, one can change that via a kernel option (IPFW_DEFAULT_TO_ACCEPT), which sets the default rule to "allow ip from any to any" which will not kill active connections during a restart/reload.
|
|
#9
December 4th, 2009, 17:52
|
|||
|
|||
|
Sorry for not including the solution I discovered. I mostly just followed the instructions suggested by others in this thread. By using
Code:
/etc/rc.d/pf reload
|
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| screen: Keep Your Processes Running Despite A Dropped Connection | bsdvm | Howtos & FAQs | 32 | May 21st, 2011 13:54 |
| Force disconnect on unattended SSH/SFTP connections | kyan | Web & Network Services | 5 | March 17th, 2011 17:52 |
| SSHGuard not Blocking Connections | Lego | Web & Network Services | 49 | November 21st, 2009 19:26 |
| PF: Block outgoing connections | CodeBlock | Firewalls | 2 | November 1st, 2009 01:09 |
| mysql connections doubts? | klabacita | Web & Network Services | 0 | March 27th, 2009 03:06 |
Linear Mode
