PF pf and ssh (FreeBSD 12.0)

Hi,

I am translating a pf script from OpenBSD to FreeBSD, my system is
FreeBSD xxxx 12.0-RELEASE-p6 FreeBSD 12.0-RELEASE-p6 GENERIC amd64

I encountered an issue which I do not understand; in any case, please excuse this newbie's question. What I "discovered" is that the following rule works

pass in quick log on $ext proto tcp from <auth> to $host port=22 keep state

while that one which was originally in my OpenBSD system

pass in quick log on $ext proto tcp from <auth> to $host port=22 modulate state

where $host is Y.Y.Y.Y, does not. When trying to ssh Y.Y.Y.Y, in the logs I see

00:00:00.129859 rule 10/0(match): pass in on igb0: X.X.X.X.35302 > Y.Y.Y.Y.22: Flags , seq 1109514304, win 29200, options [mss 1452,sackOK,TS val 564387639 ecr 0,nop,wscale 7], length 0

but finally it ends with "Connection timed out".

When the rule has the "keep state", the connection works fine, and the log entry is, probably as expected, the same

00:00:01.285639 rule 10/0(match): pass in on igb0: X.X.X.X.35326 > Y.Y.Y.Y.22: Flags , seq 2599461406, win 29200, options [mss 1452,sackOK,TS val 564737097 ecr 0,nop,wscale 7], length 0

Could you give me a hint as to what is wrong with my setup?

Many thanks,

Dianthus
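The two pflog lines above both show only the inbound SYN, which is all a plain `log` on a state-creating rule ever records. The script below is an added example (not code from the original thread) that groups pflog lines as printed by `tcpdump -n -e -ttt -i pflog0` into connections and reports which of SYN, SYN-ACK and ACK were seen, so that the failing modulate-state case shows up as an incomplete handshake. It assumes the `Flags [...]` field is intact (the forum stripped the brackets from the post), and the addresses and the non-SYN packets in the sample are constructed.

```python
"""Summarise TCP three-way handshakes from pflog/tcpdump output.

Added example, not code from the original thread. It assumes the line
format that `tcpdump -n -e -ttt -i pflog0` prints for pf's pflog, with
the "Flags [...]" field intact. Addresses and the non-SYN packets in
SAMPLE_LOG are constructed.
"""
import re
from dataclasses import dataclass, field

# One pflog line as tcpdump prints it; everything after the flags is ignored.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Handshake:
    syn: bool = False       # client -> server, Flags [S]
    synack: bool = False    # server -> client, Flags [S.]
    ack: bool = False       # client -> server, Flags [.]
    rules: set = field(default_factory=set)

    def complete(self):
        return self.syn and self.synack and self.ack


def parse_line(line):
    """Return the fields of one pflog line, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def track_handshakes(lines):
    """Group packets by connection, keyed (client, cport, server, sport).

    The SYN-ACK travels server -> client, so its key is reversed to land on
    the entry created by the SYN. A SYN with no SYN-ACK behind it is the
    symptom in the thread: pf passed the SYN, but no reply ever showed up."""
    conns = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        fwd = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        rev = (p["dst"], int(p["dport"]), p["src"], int(p["sport"]))
        flags = p["flags"]
        if flags == "S":
            key, attr = fwd, "syn"
        elif flags == "S.":
            key, attr = rev, "synack"
        elif flags == "." and fwd in conns:
            key, attr = fwd, "ack"
        else:
            continue  # data, FIN, RST or a server-side ACK: not handshake steps
        hs = conns.setdefault(key, Handshake())
        setattr(hs, attr, True)
        hs.rules.add(int(p["rule"]))
    return conns


def report(conns):
    """One line per connection; look at the INCOMPLETE ones first."""
    out = []
    for (c, cp, s, sp), hs in sorted(conns.items()):
        seen = [name for name, v in (("SYN", hs.syn), ("SYN-ACK", hs.synack),
                                      ("ACK", hs.ack)) if v]
        status = "complete" if hs.complete() else "INCOMPLETE"
        out.append(f"{c}:{cp} -> {s}:{sp} {status} ({', '.join(seen)}) "
                   f"rules={sorted(hs.rules)}")
    return out


# Constructed sample: the two SYNs follow the post (hosts replaced by
# documentation addresses); the SYN-ACK and ACK for the second connection
# are invented to show what `log (all)` records for a working handshake.
SAMPLE_LOG = [
    "00:00:00.129859 rule 10/0(match): pass in on igb0: 192.0.2.10.35302 > 198.51.100.22.22: "
    "Flags [S], seq 1109514304, win 29200, options [mss 1452,sackOK,TS val 564387639 ecr 0,nop,wscale 7], length 0",
    "00:00:01.285639 rule 10/0(match): pass in on igb0: 192.0.2.10.35326 > 198.51.100.22.22: "
    "Flags [S], seq 2599461406, win 29200, options [mss 1452,sackOK,TS val 564737097 ecr 0,nop,wscale 7], length 0",
    "00:00:00.000412 rule 10/0(match): pass out on igb0: 198.51.100.22.22 > 192.0.2.10.35326: "
    "Flags [S.], seq 3100000000, ack 2599461407, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 100 ecr 564737097], length 0",
    "00:00:00.010233 rule 10/0(match): pass in on igb0: 192.0.2.10.35326 > 198.51.100.22.22: "
    "Flags [.], ack 3100000001, win 229, options [nop,nop,TS val 564737108 ecr 100], length 0",
    "not a pflog line at all",
]

if __name__ == "__main__":
    for line in report(track_handshakes(SAMPLE_LOG)):
        print(line)
```

Two caveats when applying this to the setup in the thread. A plain `log` on a `keep state` or `modulate state` rule logs only the packet that creates the state, so the SYN-ACK and ACK never reach pflog unless the rule says `log (all)` (or you capture on igb0 itself); that is why the working keep-state connection and the failing modulate-state one produce identical pflog lines in the post. Second, `pfctl -ss` tells the same story from pf's side: a state stuck at SYN_SENT:CLOSED means pf never saw a SYN-ACK come back. That matters for modulate state in particular, because it rewrites the client's initial sequence number on the way in, so a reply that reaches the client without passing back through the same pf state carries an ack number the client never sent; with keep state nothing is rewritten and such a reply is still accepted.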
 
An update: it's a weird problem, since I found a Linux system which makes it possible to log in to the protected server with the "modulate state" flag.

Actually, I tested the following combinations from different networks against two internal servers:

a host in networkA -> serverA ("keep state" works AND "modulate state" works)
a host in networkA -> serverB ("keep state" works, "modulate state" does not work)
a host in networkB -> serverA ("keep state" works, "modulate state" does not work)
a host in networkB -> serverB ("keep state" works, "modulate state" does not work)

I upgraded the FreeBSD system to the most recent set of updates, now it shows up as FreeBSD 12.0-RELEASE-p7 GENERIC amd64.

All machines are Linux hosts with up to date ssh.
 
what is wrong with my setup?
There may be nothing wrong. From pf.conf(5):
Note that modulated connections will not recover when the state table is
lost (firewall reboot, flushing the state table, etc...). pf(4) will not
be able to infer a connection again after the state table flushes the
connection's modulator. When the state is lost, the connection may be
left dangling until the respective endpoints time out the connection.
 
Thank you, but I still do not understand why new connections cannot be initiated with the "modulate state" flag. It is not always about recovering from a prior connection. My problem is that completely fresh ssh connections, initiated even after flushing the pf states or starting the filter after a reboot, do not work.

I have never experienced this with any version of OpenBSD, and I have no clue, except that I should perhaps try this on an earlier version of FreeBSD (11.X). If it is a bug, it may be related to non-standard hardware, which is a Jetway NF592-Q170 motherboard with 8 Ethernet slots.
 