Dropped SSH Connections

I have two machines with different network cards. On the first machine, when I restart anything to do with the networking, e.g. "/etc/rc.d/netif restart" or "/etc/rc.d/ipfw restart", it will maintain the ssh connection through the restart. This machine is running FreeBSD 7.2 with the following hardware:
Code:
$ pciconf -vl
...
bce0@pci0:9:0:0:	class=0x020000 card=0x01b31028 chip=0x164c14e4 rev=0x12 hdr=0x00
    vendor     = 'Broadcom Corporation'
    device     = 'Broadcom NetXtreme II Gigabit Ethernet Adapter (BCM5708)'
    class      = network
    subclass   = ethernet
...

On the second machine, however, the connection hangs and I have to close the terminal. It does not exit the connection, it simply waits until it times out. I'm running 8.0-RELEASE on this machine.

It is running this hardware:

Code:
$ pciconf -vl
...
em0@pci0:5:0:0:	class=0x020000 card=0x34768086 chip=0x10968086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Intel PRO/1000 EB (Intel PRO/1000 EB)'
    class      = network
    subclass   = ethernet
...

I've tried the same firewall settings on both machines, which did not seem to make a difference.

Any clues as to why this happens? Generally, is this likely to be a difference in hardware capabilities, or is it a software configuration problem?

Thanks in advance.
 
I just double-checked. I'm now using IPFW on the 7.2 machine and PF on the 8.0 machine. Restarting netif on the 8.0 machine now maintains the connection, but restarting PF results in a dropped connection. Restarting both netif and IPFW on the 7.2 machine maintains the connection.

I'm beginning to suspect that it is actually a firewall problem. Maybe I'm missing an 'established' rule on the PF side of things. I'll change it up and report back.
 
That is correct behaviour. When you restart pf using the RC script it probably clears PF's state table. You should not be adding "established" rules to a stateful firewall as that entirely defeats the point of a stateful firewall. The key is to avoid resetting the firewall's state table.

Why are you restarting PF? If you just want to reload the ruleset, use pfctl(8) instead.
 
It could also be a difference between the "default rule" for IPFW and PF. I don't know about PF, but IPFW's default rule is "deny ip from any to any", which will kill all active network connections when you restart/reload IPFW rules.

However, one can change that via a kernel option (IPFW_DEFAULT_TO_ACCEPT), which sets the default rule to "allow ip from any to any", so active connections are not killed during a restart/reload.
 
Sorry for not including the solution I discovered. I mostly just followed the instructions suggested by others in this thread. By using

Code:
/etc/rc.d/pf reload

instead of restart, it does not break the network connection. As for why it doesn't happen with IPFW, I'm still not sure.
 
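As an added example that is not from this thread or from FreeBSD's own rc scripts, here is a small sh helper that does the state-preserving reload the thread recommends: syntax-check with pfctl -n, load with pfctl -f, never flush with -F, and compare pfctl -ss counts before and after as a check that established connections (such as the SSH session issuing the command) survived. The PFCTL variable and the before/after count check are my additions; the flags themselves are standard pfctl(8).

```shell
#!/bin/sh
# Reload a pf ruleset without touching the state table, then check that
# the table survived.  PFCTL may be overridden (e.g. for testing);
# it defaults to the system pfctl(8).
PFCTL="${PFCTL:-/sbin/pfctl}"

# Number of entries in the state table: "pfctl -ss" prints one per line.
pf_state_count() {
    "$PFCTL" -ss 2>/dev/null | wc -l | tr -d ' '
}

# Syntax-check the ruleset ("-n"), then load it with "-f" only.  A full
# restart is assumed (as the thread suspects) to flush with "-F all",
# which also empties the state table and drops every established
# connection.  Loading with "-f" replaces the rules but leaves existing
# states in place.
pf_safe_reload() {
    rules="${1:-/etc/pf.conf}"
    before=$(pf_state_count)
    if ! "$PFCTL" -nf "$rules"; then
        echo "ruleset rejected by pfctl -n; nothing loaded" >&2
        return 1
    fi
    "$PFCTL" -f "$rules" || return 1
    after=$(pf_state_count)
    echo "pf states before reload: $before, after: $after"
    # If the count collapsed, something flushed the table during the reload.
    if [ "$after" -lt "$before" ]; then
        echo "warning: state table shrank across the reload" >&2
        return 2
    fi
    return 0
}
# Usage (as root): . ./pf_safe_reload.sh; pf_safe_reload /etc/pf.conf
```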