Hi,
I have configured pf on 8.3-STABLE and my /etc/pf.conf is as follows -
Code:
# $FreeBSD: /etc/pf.conf,v 1.1.12.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# Macros:
ext_if="re0"
int_if="lo0"
ext_ad = $ext_if "/32"
localnet = $int_if:network
tcp_services="{ 80, 45454, 443, 43, 25 }"
# Tables:
table <spamd-white> persist
table <ssh-bruteforce> persist
table <block-list> persist file "/etc/block-list"
table <badhosts> persist
table <sshguard> persist
table <local> { 10.0.0.1/24 }
# Options:
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface re0
set optimization aggressive
set block-policy return
set require-order yes
set debug loud
# set fingerprints "/etc/pf.os"
set skip on lo0
# Normalization:
scrub in no-df random-id
scrub in on $ext_if all fragment reassemble
# Queueing:
# altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
# queue dflt bandwidth 5% cbq(default)
# queue developers bandwidth 80%
# queue marketing bandwidth 15%
# Translation:
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $localnet to any -> ($ext_if)
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
# Filtering:
# pass in all
pass out all
antispoof quick for $int_if
antispoof log quick for $int_if label "Spoofed"
antispoof quick for $ext_if
# block all incoming packets but allow ssh, pass all outgoing tcp and udp connections and keep state, logging blocked packets.
block in log all
block in quick from <block-list> to any
block in quick on $ext_if from <sshguard> label "ssh bruteforce"
block drop in quick on $ext_if from <ssh-bruteforce>
block on $ext_if from <badhosts> to any
block in from no-route to any
block in from urpf-failed to any
### block probes that can possibly determine our operating system by disallowing certain combinations that are used by nmap, queso and xprobe2, which are
### attempting to fingerprint the server.
### * F : FIN - Finish; end of session
### * S : SYN - Synchronize; indicates request to start session
### * R : RST - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK - Acknowledgement
### * U : URG - Urgent
### * E : ECE - Explicit Congestion Notification Echo
### * W : CWR - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
pass in quick from <local> to any keep state
pass out on $ext_if proto { tcp, udp } all keep state
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on { lo0, $localnet } to any keep state
pass out on { lo0, $localnet } to any keep state
pass in on $ext_if proto tcp from any to $ext_if port 45454 flags S/SA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 8443 keep state
With pf enabled I can't ssh into my box from the LAN.
Code:
$ ssh -vv apogee@10.0.0.5 -p 45454
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.0.5 [10.0.0.5] port 45454.
debug1: connect to address 10.0.0.5 port 45454: Connection refused
ssh: connect to host 10.0.0.5 port 45454: Connection refused
With pf disabled -
Code:
$ ssh -vv -p 45454 apogee@10.0.0.5
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug2: ssh_connect: needpriv 0
.
.
.
debug2: shell request accepted on channel 0
Last login: Wed Jan 9 00:37:50 2013
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 8.3-STABLE (INFERNO) #0: Sat Jun 23 05:02:43 PDT 2012
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.
o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.
To see how long it takes a command to run, type the word "time" before the
command name.
-- Dru <genesis@istar.ca>
>
I have tried several things but nothing has worked. Some more details about the port -
Code:
# lsof -i | grep sshd
sshd 60699 root 3u IPv6 0xffffff0249f47760 0t0 TCP *:45454 (LISTEN)
sshd 60699 root 4u IPv4 0xffffff0249f473b0 0t0 TCP *:45454 (LISTEN)
Code:
# pfctl -s info
Status: Enabled for 0 days 00:15:47 Debug: Loud
Interface Stats for re0 IPv4 IPv6
Bytes In 1482920 962833
Bytes Out 284648 688
Packets In
Passed 1826 0
Blocked 1751 4175
Packets Out
Passed 2633 10
Blocked 2 0
State Table Total Rate
current entries 4
searches 10717 11.3/s
inserts 928 1.0/s
removals 924 1.0/s
Counters
match 7068 7.5/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 4 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
Please forgive me for long quotes but I am using PF for the first time.
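As an added example (not code from the original post), here is a small POSIX shell helper for the situation above: the ruleset has `block in log all` and `set block-policy return`, so every blocked SYN to port 45454 is answered with a RST (hence "Connection refused") and is also logged to pflog0. The helper reads `tcpdump -n -e -ttt -i pflog0` output and summarises which rule numbers are blocking packets to a given destination port; those numbers correspond to the `@N` prefixes printed by `pfctl -vvsr`, which is how a blocked packet is mapped back to a line in /etc/pf.conf. The sample log lines are constructed to mimic tcpdump's pflog output; the rule numbers and source addresses in them are illustrative and not taken from this thread.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Summarise which pf rule numbers are blocking packets to a TCP port, from
# pflog output. Real usage on FreeBSD (as root, needs "log" on the block rule):
#   tcpdump -n -e -ttt -i pflog0 port 45454 | blocking_rules 45454
# then map the rule numbers with:  pfctl -vvsr   (rules are printed as @N ...)

# CONSTRUCTED sample in the format tcpdump prints for pflog0 with -n -e -ttt.
# Rule numbers and addresses are illustrative only.
SAMPLE_PFLOG='00:00:00.000000 rule 9/0(match): block in on re0: 10.0.0.7.51234 > 10.0.0.5.45454: Flags [S], seq 1, win 65535, length 0
00:00:00.000471 rule 9/0(match): block in on re0: 10.0.0.7.51235 > 10.0.0.5.45454: Flags [S], seq 2, win 65535, length 0
00:00:01.002118 rule 23/0(match): pass in on re0: 10.0.0.7.51236 > 10.0.0.5.80: Flags [S], seq 3, win 65535, length 0
00:00:02.100000 rule 9/0(match): block in on re0: 10.0.0.9.40000 > 10.0.0.5.45454: Flags [S], seq 4, win 65535, length 0'

# blocking_rules PORT
# Reads pflog lines on stdin; prints one line per blocking rule:
#   <rule number> TAB <blocked packet count> TAB <comma-separated source hosts>
# Only "block" matches to destination port PORT are counted (IPv4 form
# "a.b.c.d.port"; IPv6 lines print addresses differently and are skipped).
blocking_rules() {
    port="$1"
    awk -v port="$port" '
        /\(match\): block / {
            # $3 looks like "9/0(match):" -> the rule number is before the "/"
            split($3, r, "/"); rule = r[1]
            # locate "src > dst:" in the line
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/:$/, "", dst)
            n = split(dst, d, "."); if (n != 5) next
            dport = d[n]
            if (dport != port) next
            n = split(src, s, "."); if (n != 5) next
            shost = s[1] "." s[2] "." s[3] "." s[4]
            count[rule]++
            # keep each source host once per rule
            if (!seen[rule, shost]++)
                srcs[rule] = srcs[rule] (srcs[rule] ? "," : "") shost
        }
        END { for (k in count) printf "%s\t%d\t%s\n", k, count[k], srcs[k] }
    ' | sort -n
}

# Stand-alone demo on the constructed sample; port defaults to the one in the post.
printf '%s\n' "$SAMPLE_PFLOG" | blocking_rules "${1:-45454}"
```

On the poster's box the interesting check is whether the reported rule number is the catch-all `block in log all` (meaning no `pass in` rule matched the LAN client, so the `<local>` table and the client's address are the first thing to compare) or one of the `quick` block rules fed by the `<block-list>`, `<sshguard>` or `<ssh-bruteforce>` tables, whose contents can be listed with `pfctl -t ssh-bruteforce -T show`.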