PF pf doesn't allow interactive ssh

Yeah I know it doesn't make any sense to me either. Current pf.conf:
Code:
set skip on lo
block in all
pass in from 192.168.1.0/24 to any
pass in from 70.250.105.253 to any
pass out all

Everything works as it should, except when I ssh from the machine running this firewall (192.168.1.2) into another machine on the LAN (192.168.1.9) I can't run a shell. I can run remote commands via ssh, for example:

$ ssh 192.168.1.9 ls

This runs exactly as you would expect. But,

$ ssh 192.168.1.9

shows me the banner and motd from the remote machine but nothing I type is echoed, and no command output if I try to run anything.

Everything works as expected with the firewall down. ssh from the server out to a remote host on the internet works fine too, even with the firewall up. What would prevent traffic back from another host on my LAN, and only when running a shell with ssh?

Thanks!
 
I don't use
Code:
pass out all keep state
but for ssh connections I use
Code:
TCP_PASS_OUT= "{22}"
EXT_IF = "em0"
block all
pass out on $EXT_IF proto tcp to any port $TCP_PASS_OUT keep state
 
Thanks, I did remove it with no effect, so that rule wasn't needed. Still no go. I found that if I took 'fortune' out of my shell startup on the remote machine I do get a working prompt. Everything then works like it should until I try to clear the screen or run a program that tries to redraw the terminal, like vim. It's almost like the terminal type unexpectedly changes when the firewall goes up, but that makes no sense at all either. This is the weirdest thing I've seen in a long time.
 
Okay, I figured out what the problem is: the default deny policy blocks all LAN traffic no matter what traffic I specify to pass. I think I might be using the wrong tool for the job.
 
First the obvious: what do the logs on that remote machine (192.168.1.9) tell you? For starters auth.log?

Also: you shared the settings used on the firewall, but does that remote machine also use a firewall of some kind? If so: what rules does that have?

This probably isn't it, but does the account which you're trying to use actually have a valid shell assigned to it? And (/or) is that shell also included in /etc/shells?

Also: maybe any specific rules in /etc/ssh/sshd_config which could influence this?
 
The firewall is a red herring; it's not related to the problem. The firewall cannot tell the difference between an interactive session or not; all it sees is a connection to port 22. So the issue must be with the receiving sshd(8) configuration.
 
This is what finally worked. My problem was that 'block in all' was blocking NFS, causing 192.168.1.9 to hang when the firewall was up:

Code:
set skip on lo
block in on em0 proto tcp from any to any port ssh
pass in proto tcp from 192.168.1.0/24 to any port ssh
pass in proto tcp from 127.0.0.1 to any port 2048
pass in proto tcp from 70.250.105.253 to any port ssh
pass out all

Port 2048 is port forwarded via ssh from my machine at work, so I can get into work machines from here at home.

PS: thanks for trying despite me being not much help at all!
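The working rule set above drops the original default deny, so anything other than ssh is now passed inbound. The following pf.conf is an added example, not the poster's configuration, showing how to keep 'block in all' and still let 192.168.1.9 reach the NFS server on this host, which is what the shell startup (fortune reading from an NFS path) was hanging on. It assumes em0 is the LAN interface, that this host exports NFS over rpcbind (111) and nfsd (2049), and that mountd is pinned to a fixed port with mountd_flags="-p 4046" in /etc/rc.conf (rpc.lockd and rpc.statd would need pinning the same way if they are in use); the port 4046 and macro names are assumptions for the example.

```pf
# Added example, not the thread poster's config. Assumed: em0 = LAN
# interface, this host (192.168.1.2) is the NFS server for the LAN,
# mountd pinned to 4046 via mountd_flags="-p 4046" in /etc/rc.conf.
lan_if    = "em0"
lan_net   = "192.168.1.0/24"
work_host = "70.250.105.253"
nfs_ports = "{ 111, 2049, 4046 }"   # rpcbind, nfsd, pinned mountd

# Loopback is skipped, so the local end of the ssh port forward
# (127.0.0.1:2048) needs no rule.
set skip on lo

# Default deny inbound. Replies to this host's own outbound
# connections are matched by the state created on "pass out".
block in log all

# ssh from the LAN and from the fixed work address only.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port ssh keep state
pass in proto tcp from $work_host to any port ssh keep state

# NFS from the LAN only, TCP and UDP. Without these rules a client
# with a mounted export hangs as soon as anything touches the mount.
pass in on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port $nfs_ports keep state

# Outbound stays open; state handles the return traffic.
pass out all keep state
```

Before loading, syntax-check with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf` and confirm the expanded rules with `pfctl -sr`. Because the block rule is logged, `tcpdump -n -e -ttt -i pflog0` shows exactly which LAN packets are still being dropped, which is a faster way to find a missing service port than reading shell symptoms on the client.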