PF I can't connect to the server with SSH after enabling PF

Hello,
The /etc/pf.conf file looks like this:

Code:
set block-policy return
set fingerprints "/etc/pf.os"
set skip on lo0

# Allow all outgoing traffic
pass out all

# Allow incoming SSH (optional)
pass in proto tcp to port 22

# Block everything else by default
block in all

The following command doesn't show me any errors either:

Code:
$ sudo pfctl -f /etc/pf.conf

Finally, I did:

Code:
$ sudo service pf start

But my SSH connection was lost. Why?

Thank you.
 
When you start the service, there is no entry for your SSH connection in the pf state table. Enabling the firewall thus makes the connection time out. Also, pf is last-match-wins, so you end up blocking everything with the block in all at the end. If you move the block line earlier, enabling the firewall will still cause a timeout, but you should be able to get back in afterwards.
 
When you start the service, there is no entry for your SSH connection in the pf state table. Enabling the firewall thus makes the connection time out. Also, pf is last-match-wins, so you end up blocking everything with the block in all at the end. If you move the block line earlier, enabling the firewall will still cause a timeout, but you should be able to get back in afterwards.
Hello,
Thank you so much for your reply.
As I said, I can't SSH into my server and my connection is lost.
 
You can use the ‘quick’ modifier (see the man page) to make a rule “win” over later rules, if you like that organization of rules.

But in general, PF likes rules ordered from generic (block in all) to specific (pass in proto tcp to port 22).

Hello,
As far as I know, my order of rules is correct!
 
As far as I know, my order of rules is correct!
You misunderstand the comments here, then.

By default — if no quick rules are used — the last match wins. Many systems are designed where the opposite is true, “first match wins”, or “flowchart” behavior, so it feels a little odd, but it is what it is at this point.

You have no quick rules, and your last incoming rule is block all, so all incoming traffic matches that last rule and is blocked. Either use quick on all your rules to get first-match-wins behavior, or flip them so the general case (block in all) is first, followed by the specific case (pass in ssh traffic.)
 
Hello,

Code:
$ sudo pfctl -sr
pass out all flags S/SA keep state
pass in proto tcp from any to any port = ssh flags S/SA keep state
block return in all

I did:

Code:
set block-policy return
set skip on lo0
pass out all
pass in on em0 proto tcp to port 22
block in all

Problem solved.
 
Code:
set block-policy return
Don't do this. This will send out ICMP port unreachable packets in response to closed UDP ports. Just drop the traffic (default).

Code:
           return    A TCP RST is returned for blocked TCP packets, an SCTP
                     ABORT chunk is returned for blocked SCTP packets, an ICMP
                     UNREACHABLE is returned for blocked UDP packets, and all
                     other packets are silently dropped.
pf.conf(5)

Code:
pass out all
pass in on em0 proto tcp to port 22
block in all
Change the order:
Code:
block in all
pass out all
pass in on em0 proto tcp to port 22
Now the pass rule will be the last matching.

Or use the quick keyword to "short-circuit" the rule processing.
Code:
pass out all
pass in quick on em0 proto tcp to port 22
block in all
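To make the last-match-wins point from the earlier replies and the three rulesets in this post concrete, here is a small Python model of pf's rule walk. It is an added example, not pf's code and not from anyone in this thread: it parses only the pf.conf subset used above (pass/block, in/out, quick, on, proto, to port), treats the default verdict as pass when nothing matches, and deliberately ignores the state table, which is the separate reason the already-open SSH session dropped when the firewall was enabled. The packets and interface name em0 are constructed for the demonstration.

```python
"""Toy model of pf rule evaluation (constructed example, not pf's own code).

pf walks the ruleset top to bottom.  Without 'quick' the LAST matching rule
decides the verdict; a matching 'quick' rule ends evaluation immediately.
State-table lookups are not modelled here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet is seen on, e.g. "em0"
    proto: str       # "tcp", "udp", ...
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.iface in (None, pkt.iface)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def parse_rule(line: str) -> Rule:
    """Parse the small pf.conf subset used in this thread."""
    tokens = line.split()
    fields = dict(action=tokens[0], direction=tokens[1])
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "quick":
            fields["quick"] = True
        elif tok == "on":
            fields["iface"] = tokens[i + 1]
            i += 1
        elif tok == "proto":
            fields["proto"] = tokens[i + 1]
            i += 1
        elif tok == "port":
            fields["dport"] = int(tokens[i + 1])
            i += 1
        elif tok in ("to", "all"):
            pass  # "to port N" is handled by the "port" token; "all" matches everything
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
        i += 1
    return Rule(**fields)


def evaluate(ruleset: list[str], pkt: Packet) -> tuple[str, Optional[str]]:
    """Return (verdict, text of the winning rule); no match means pass."""
    verdict, winner = "pass", None
    for raw in ruleset:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("set "):
            continue  # 'set' options are not filter rules
        rule = parse_rule(line)
        if rule.matches(pkt):
            verdict, winner = rule.action, line
            if rule.quick:
                break  # quick: stop at the first matching quick rule
    return verdict, winner


# The three rulesets discussed in the thread.
ORIGINAL = ["pass out all", "pass in proto tcp to port 22", "block in all"]
FLIPPED = ["block in all", "pass out all", "pass in on em0 proto tcp to port 22"]
QUICK = ["pass out all", "pass in quick on em0 proto tcp to port 22", "block in all"]

# Constructed sample packets: an inbound SSH SYN and an inbound HTTP SYN on em0.
SSH_IN = Packet("in", "em0", "tcp", 22)
HTTP_IN = Packet("in", "em0", "tcp", 80)

if __name__ == "__main__":
    for name, ruleset in (("original", ORIGINAL), ("flipped", FLIPPED), ("quick", QUICK)):
        print(f"{name:8s} ssh -> {evaluate(ruleset, SSH_IN)}  http -> {evaluate(ruleset, HTTP_IN)}")
```

Running it shows the original order blocking the SSH packet because block in all is the last match, while both the flipped order and the quick rule let it through and still block port 80.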
 