Hello,
I'm new to PF, I have read many threads about the rules configuration. I tried many things but I can't get PF working.
When I switch on PF with pfctl -ef /etc/pf.conf, that drops my SSH connection, ok, why not. But when I try to come back, sometimes it works, sometimes not... I timed out the first time, believed it was a wrong rule, then it worked. When I'm back on SSH, a few seconds after login, I have a connection abort, PF kicks me. I just have the time to switch down PF before it kicks me. I really don't understand why, it should always fail or always work!
Here is my pf.conf
Code:
# $FreeBSD: release/9.0.0/share/examples/pf/pf.conf 218854 2011-02-19 14:57:00Z brucec $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
## Macros
EXT_NIC="em0"
INT_NIC="bridge0"
# Your Internet IP goes in the EXT_IP variable
EXT_IP="176.31.110.188"
# Your private network IP goes in the INT_IP variable
# if you have two NICs on the machine
INT_IP="192.168.0.1"
## TABLES
## GLOBAL OPTIONS
#set loginterface $EXT_NIC
set skip on lo0
## TRAFFIC NORMALIZATION
#scrub in on $EXT_NIC all fragment reassemble
#scrub out on $EXT_NIC all fragment reassemble random-id no-df
scrub in all
## QUEUEING RULES
## TRANSLATION RULES (NAT)
nat on $EXT_NIC inet from any to any -> $EXT_NIC
nat on $EXT_NIC inet6 from any to any -> $EXT_NIC
## FILTER RULES
# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
# Default TCP policy
#block return-rst in log on $EXT_NIC proto TCP all
# pass in log quick on $EXT_NIC proto tcp from any to $EXT_IP port 22 flags $SYN_ONLY keep state
# pass in log quick on $EXT_NIC proto tcp from any to $EXT_IP port 113 flags $SYN_ONLY keep state
# pass in log quick inet proto tcp from any to $EXT_IP port 113
pass in quick inet proto tcp from $EXT_NIC to any port 22 flags S/SA keep state
pass in quick inet proto tcp from $EXT_NIC to any port 113 flags S/SA keep state
# Default UDP policy
#block in log on $EXT_NIC proto udp all
# It's rare to be hosting a service that requires UDP (unless you are hosting
# a dns server for example), so there typically won't be any entries here.
# Default ICMP policy
#block in log on $EXT_NIC proto icmp all
# pass in log quick on $EXT_NIC proto icmp from any to $EXT_IP icmp-type echoreq keep state
# pass proto { icmp icmp6 }
pass in quick inet proto icmp from any to any icmp-type { echoreq, echorep, timex, unreach }
#Allow all out traffic
pass out quick inet proto tcp from any to any flags S/SA keep state
pass out quick inet proto { udp, icmp } from any to any keep state
I commented out some other rules found before. A little more complex, but for now, I just want SSH to work reliably!
Thank you in advance, I really hope someone will understand what is wrong.
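One detail in the posted ruleset explains why a remote SSH client can never match the pass rule: in pf.conf, an interface name used in the address position of a rule (`from $EXT_NIC`, i.e. `from em0`) expands to that interface's own IP addresses, not to "traffic arriving on em0". So `pass in quick inet proto tcp from $EXT_NIC to any port 22` only passes packets whose source address is the server's own em0 address; a SYN from an outside client falls through to `block all`. Selecting the interface is done with `on $EXT_NIC`, and the remote client is `from any`. The following is an editorial example of the same ruleset with that rule corrected, added here and not taken from the poster's host or from the FreeBSD example file; macro values, NAT lines and the outbound rules are copied from the post, the port 113 rule is left out since only SSH is wanted for now, and `block log all` assumes pflog is enabled (`pflog_enable="YES"` in rc.conf) so blocked packets can be seen with `tcpdump -n -e -ttt -i pflog0`.

```pf
## Macros (values copied from the post)
EXT_NIC="em0"
INT_NIC="bridge0"
EXT_IP="176.31.110.188"
INT_IP="192.168.0.1"

## Global options
set skip on lo0

## Traffic normalization
scrub in all

## NAT (unchanged from the post)
nat on $EXT_NIC inet from any to any -> $EXT_NIC
nat on $EXT_NIC inet6 from any to any -> $EXT_NIC

## Filter rules
# Default deny. "log" means a lockout shows up on pflog0 instead of a silent timeout.
block log all

# SSH from anywhere to the server's public address, arriving on the external NIC.
# "on $EXT_NIC" selects the interface; "from any" is the remote client.
# The posted rule used "from $EXT_NIC", which pf expands to em0's own addresses,
# so traffic from a real client never matched it.
pass in quick on $EXT_NIC inet proto tcp from any to $EXT_IP port 22 flags S/SA keep state

# ICMP types needed for ping and path MTU discovery to keep working.
pass in quick on $EXT_NIC inet proto icmp from any to $EXT_IP icmp-type { echoreq, echorep, timex, unreach }

# Allow all outbound traffic, stateful (unchanged from the post).
pass out quick inet proto tcp from any to any flags S/SA keep state
pass out quick inet proto { udp, icmp } from any to any keep state
```

Before loading, check the syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf`. When enabling over SSH, arrange a fallback first so a wrong rule cannot lock you out: run `nohup sh -c 'sleep 120; pfctl -d' &` and then `pfctl -ef /etc/pf.conf`; if a fresh SSH login works, kill the background job, otherwise PF disables itself after two minutes. `pfctl -sr` shows the loaded rules with macros expanded (the posted rule would appear with the server's own address in the source position, which is the quickest way to spot this mistake), and `pfctl -ss` shows whether a state entry exists for the SSH session.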