PF drops my SSH after a few seconds

Hello,
I'm new to PF; I have read many threads about rule configuration. I tried many things but I can't get PF working.
When I switch on PF with pfctl -ef /etc/pf.conf, that drops my SSH connection, ok, why not. But when I try to come back, sometimes it works, sometimes not... I timed out the first time, believed it was a wrong rule, then it worked. When I'm back on SSH, a few seconds after login, I get a connection abort; PF kicks me. I just have the time to switch off PF before it kicks me. I really don't understand why; it should always fail or always work!

Here is my pf.conf
Code:
#       $FreeBSD: release/9.0.0/share/examples/pf/pf.conf 218854 2011-02-19 14:57:00Z brucec $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

## Macros
EXT_NIC="em0"
INT_NIC="bridge0"

# Your Internet IP goes in the EXT_IP variable
EXT_IP="176.31.110.188"

# Your private network IP goes in the INT_IP variable
# if you have two NICs on the machine
INT_IP="192.168.0.1"

## TABLES


## GLOBAL OPTIONS
#set loginterface $EXT_NIC
set skip on lo0

## TRAFFIC NORMALIZATION
#scrub in on $EXT_NIC all fragment reassemble
#scrub out on $EXT_NIC all fragment reassemble random-id no-df
scrub in all

## QUEUEING RULES


## TRANSLATION RULES (NAT)
nat on $EXT_NIC inet from any to any -> $EXT_NIC
nat on $EXT_NIC inet6 from any to any -> $EXT_NIC

## FILTER RULES

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all

# Default TCP policy
#block return-rst in log on $EXT_NIC proto TCP all
#  pass in log quick on $EXT_NIC proto tcp from any to $EXT_IP port 22 flags $SYN_ONLY keep state
#  pass in log quick on $EXT_NIC proto tcp from any to $EXT_IP port 113 flags $SYN_ONLY keep state
#  pass in log quick inet proto tcp from any to $EXT_IP port 113

pass in quick inet proto tcp from $EXT_NIC to any port 22 flags S/SA keep state
pass in quick inet proto tcp from $EXT_NIC to any port 113 flags S/SA keep state


# Default UDP policy
#block in log on $EXT_NIC proto udp all
   # It's rare to be hosting a service that requires UDP (unless you are hosting
   # a dns server for example), so there typically won't be any entries here.

# Default ICMP policy
#block in log on $EXT_NIC proto icmp all
#   pass in log quick on $EXT_NIC proto icmp from any to $EXT_IP icmp-type echoreq keep state
#   pass proto { icmp icmp6 }

pass in quick inet proto icmp from any to any icmp-type { echoreq, echorep, timex, unreach }

#Allow all out traffic
pass out quick inet proto tcp from any to any flags S/SA keep state
pass out quick inet proto { udp, icmp } from any to any keep state

I commented out some other rules I found before. A little more complex, but for now, I just want SSH to work reliably!

Thank you in advance; I really hope someone will understand what is wrong.
 
What makes you think it's PF that's dropping the connection? There's nothing in your rules that would result in that behavior.
 
Thanks for the quick answer. Yes, PF is dropping my connection. Ping is not responding and SSH times out. Sometimes 2 pings respond, then nothing until 2 others may work.
Same thing for SSH: I can't connect until it works for a short period of time, just the time to disable PF. I really don't understand; maybe it's not a PF rules problem?
 
It sounds more like a bad internet connection to me.
 
I'm connecting from the Internet. When I disable PF, everything works fine.
I rent a server from OVH.
Is it possible they added something I need to unblock?
 
Change your ssh rule from this

Code:
pass in quick inet proto tcp from $EXT_NIC to any port 22 flags S/SA keep state

to something like this

Code:
pass in quick on $EXT_NIC inet proto tcp from any to $EXT_IP port 22 flags S/SA keep state


You should also change the nat rules from this

Code:
nat on $EXT_NIC inet from any to any -> $EXT_NIC
nat on $EXT_NIC inet6 from any to any -> $EXT_NIC

to something like this

Code:
nat on $EXT_NIC inet from ! $EXT_NIC to any -> $EXT_NIC
nat on $EXT_NIC inet6 from ! $EXT_NIC to any -> $EXT_NIC


And just like that, what is the bridge for? And are you sure you need port 113?
 
In my kernel config, I have:
Code:
# The `bpf' device enables the Berkeley Packet Filter.
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

AND

Code:
device          pf
device          pflog

so I have /dev/bpf, /dev/bpf0 and /dev/pf.
Is there a chance of a conflict?
 
The kernel config should not have any impact on your problem. You may also leave it as a module; the pf module will be loaded at startup if needed.


Just one thing for the nat rules I did not take care of before: you have to omit the inet and inet6 keywords. At the end, you will have

Code:
nat on $EXT_NIC from ! $EXT_NIC to any -> $EXT_NIC

instead of

Code:
nat on $EXT_NIC inet from ! $EXT_NIC to any -> $EXT_NIC
nat on $EXT_NIC inet6 from ! $EXT_NIC to any -> $EXT_NIC

It will not load the rules otherwise.
 
Just tried the change; all is blocked again.
Even ping is not responding. I don't understand why.
 
I put "pass all" instead of "block all" and nothing changed. I have no access at all.
Seems to be something else :/
 
blaize said:
Thanks for the quick answer. Yes, PF is dropping my connection. Ping is not responding and SSH times out. Sometimes 2 pings respond, then nothing until 2 others may work.
Same thing for SSH: I can't connect until it works for a short period of time, just the time to disable PF. I really don't understand; maybe it's not a PF rules problem?

Looks like a lack of states. Check the number of current state entries
Code:
pfctl -s info

State Table                          Total             Rate
  current entries                   141905

And adjust your limit (pfctl -s memory to show, pf.conf "set limit" rule to adjust)

HTH, regards.
 
Can you try something as simple as this

Code:
## Macros
EXT_NIC="em0"

# Your Internet IP goes in the EXT_IP variable
EXT_IP="176.31.110.188"

## TABLES


## GLOBAL OPTIONS
#set loginterface $EXT_NIC
set skip on lo0

## TRAFFIC NORMALIZATION
#scrub in on $EXT_NIC all fragment reassemble
#scrub out on $EXT_NIC all fragment reassemble random-id no-df
scrub in all

## QUEUEING RULES


## TRANSLATION RULES (NAT)
nat on $EXT_NIC from ! $EXT_NIC to any -> $EXT_NIC

## FILTER RULES

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all

pass in quick on $EXT_NIC proto tcp from any to $EXT_IP port 22

Can you also post the output of ifconfig and your /etc/rc.conf
 
plamaiziere said:
Looks like a lack of states. Check the number of current state entries
Code:
pfctl -s info

State Table                          Total             Rate
  current entries                   141905

And adjust your limit (pfctl -s memory to show, pf.conf "set limit" rule to adjust)

HTH, regards.

Code:
pfctl -s info
No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled                              Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

0 entries.... not sure that's normal...

My limit:
Code:
pfctl -s memory
No ALTQ support in kernel
ALTQ related functions disabled
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
 
kisscool-fr said:
Can you try something as simple as this

Code:
## Macros
EXT_NIC="em0"

# Your Internet IP goes in the EXT_IP variable
EXT_IP="176.31.110.188"

## TABLES


## GLOBAL OPTIONS
#set loginterface $EXT_NIC
set skip on lo0

## TRAFFIC NORMALIZATION
#scrub in on $EXT_NIC all fragment reassemble
#scrub out on $EXT_NIC all fragment reassemble random-id no-df
scrub in all

## QUEUEING RULES


## TRANSLATION RULES (NAT)
nat on $EXT_NIC from ! $EXT_NIC to any -> $EXT_NIC

## FILTER RULES

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all

pass in quick on $EXT_NIC proto tcp from any to $EXT_IP port 22

Can you also post the output of ifconfig and your /etc/rc.conf

Tried, doesn't work; I lose the SSH connection and can't reconnect.

My ifconfig (without epair0a and epair0b)
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether e0:69:95:c3:22:f9
        inet 176.31.110.188 netmask 0xffffff00 broadcast 176.31.110.255
        inet6 fe80::e269:95ff:fec3:22f9%em0 prefixlen 64 scopeid 0x1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pflog0: flags=0<> metric 0 mtu 33152
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:f1:4e:90:f9:00
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000

My rc.conf (without the jail-specific configuration)
Code:
sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="213.186.33.99"
fsck_y_enable="YES"
named_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

ifconfig_em0="inet 176.31.110.188 netmask 255.255.255.0 broadcast 176.31.110.255"
defaultrouter="176.31.110.254"
hostname="ks393815.kimsufi.com"

#packet filter
#pf_enable="YES"
#pflog_enable="YES"
#gateway_enable="YES"
#ipv6_gateway_enable="YES"

#jail network
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.0.1 netmask 255.255.255.0 up"

#Jails
jail_enable="YES"
jail_v2_enable="YES"
jail_list="left4dead"

jail_set_hostname_allow="NO"
jail_sysvipc_allow="NO"                   
jail_stop_jailer="NO"
inetd_flags="-wW -a 176.31.110.188"       
sendmail_enable="NO"
syslogd_flags="-s"
 
Just to throw this out there, but perhaps the problem isn't PF/FreeBSD to begin with. You mentioned you were "renting a server from OVH"; perhaps the problem is with the host. Do you have connection limits? Do they have some type of system that disconnects idle connections? What kind of plan are you on? VPS/Dedicated/Shared? Review the fine print in your account's ToS to make sure none of the above conditions exist.
 
Yes, PF is disabled. If I enable PF I lose the SSH connection, so I can't give you the result while pf is working.
I rent a dedicated server with unlimited access. When pf is disabled I can stay on SSH with no limit without being disconnected.
 
blaize said:
Yes, PF is disabled. If I enable PF I lose the SSH connection, so I can't give you the result while pf is working.
I rent a dedicated server with unlimited access. When pf is disabled I can stay on SSH with no limit without being disconnected.

Do you have a lot of connections on your server?
It is safe to raise the states limit (I've 1 000 000 max states at work, with an average number of entries at 250 000). 10000 max states (the default) is quite low under load.

Also you can output pfctl -s info to a file each second with a small script.

Regards.
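Added example, not code from any poster in this thread: one way to write the small per-second sampler suggested above. It parses the `pfctl -s info` and `pfctl -s memory` text formats shown earlier in the thread, logs the state-table fill level against the `states hard limit`, and records the cumulative `state-limit` counter (packets refused because the table was full), so table exhaustion shows up in a log rather than as a dead SSH session. It assumes FreeBSD's pfctl(8); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: sample the pf state
# table once a second and compare it with the "states hard limit", so a
# state-table exhaustion is visible in a log file.
# Assumes FreeBSD's pfctl(8); the parsers read the text formats the thread shows.

# parse_current_entries: read "pfctl -s info" on stdin, print the value of
# the "current entries" line (0 if the line is absent).
parse_current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; found = 1 }
         END { if (!found) print 0 }'
}

# parse_counter NAME: read "pfctl -s info" on stdin, print the Total column
# of counter NAME, e.g. state-limit (packets dropped because the state table
# was full) or state-mismatch. Prints 0 if the counter is absent.
parse_counter() {
    awk -v name="$1" '$1 == name { print $2; found = 1 }
                      END { if (!found) print 0 }'
}

# parse_states_limit: read "pfctl -s memory" on stdin, print the states hard
# limit (0 if absent).
parse_states_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; found = 1 }
         END { if (!found) print 0 }'
}

# state_usage_percent CURRENT LIMIT: integer percentage of the table in use,
# 0 when the limit is unknown or non-numeric (avoids a division by zero).
state_usage_percent() {
    if [ "$2" -gt 0 ] 2>/dev/null; then
        echo $(( $1 * 100 / $2 ))
    else
        echo 0
    fi
}

# pf_state_sample: print one log line: epoch seconds, entries, limit, percent
# used, and the cumulative state-limit drop counter.
pf_state_sample() {
    info=$(pfctl -s info 2>/dev/null)
    entries=$(printf '%s\n' "$info" | parse_current_entries)
    drops=$(printf '%s\n' "$info" | parse_counter state-limit)
    limit=$(pfctl -s memory 2>/dev/null | parse_states_limit)
    pct=$(state_usage_percent "$entries" "$limit")
    printf '%s entries=%s limit=%s used=%s%% state-limit-drops=%s\n' \
        "$(date +%s)" "$entries" "$limit" "$pct" "$drops"
}

# pf_state_watch LOGFILE [INTERVAL]: append a sample every INTERVAL seconds
# (default 1) until killed; start it under nohup so it outlives the SSH session.
pf_state_watch() {
    while :; do
        pf_state_sample >> "$1"
        sleep "${2:-1}"
    done
}
```

A steady rise in `used=` toward 100% followed by a non-zero, growing `state-limit-drops=` is the signature of the state exhaustion described above; a table that stays at 0 entries while pf is enabled points at the rules instead.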
 
Actually I have nobody on the server. I just rented it 2 days ago.
I put the pfctl -s info in my script called by "at" to roll back the block

Code:
#!/bin/sh
# save the pf counters, move the ruleset aside, leave an empty pf.conf, disable pf
pfctl -s info > /home/xxx/pf_info
mv /etc/pf.conf /home/xxx/pf.conf
touch /etc/pf.conf
pfctl -d

The result is strange:
Code:
# cat pf_info
Status: Disabled                              Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
 
Are any of the other two firewalls (IPFW and IPFilter) perhaps enabled?

Also, try with the GENERIC kernel. When you enable pf(4), the module will be loaded. See if that works.
 
You should get errors with these:
IPFW:
# ipfw list
IPFilter:
# ipfstat
 