simple question, just learning

Hi,

I am learning FreeBSD and pf, and I have installed a machine with FreeBSD 7.0 and enabled pf.
I wanted to set it up as a deny by default and manually add the services I require.
So initially I have put the lines

block in all
pass out all keep state

Now I want to add an admin interface that will accept ssh. I have tried to add quite a number of commands to the pf.conf file and none of them allow me to log on via ssh: it prompts for the user name, I enter a valid user, and instead of then prompting for the password it just hangs.
I do seem to be getting an error in the error log when this happens which is

sshd[1236]: error: ssh_msg_send: write

If I change the block in all statement to a pass in all statement then I can log on no problem, so it seems that pf is responsible for this.
Even if I use a rule like
pass in on bge0 all no state
pass out all bge0 all no state

where bge0 is the interface I want to use for the admin network, I still end up with the prompt in putty hanging after I enter the user name.

Has anyone ever seen such a problem before?
 
Hi

Thanks for your reply. I am using it in a test environment without DNS; I'm not using host names to initiate the session but am using IP addresses, so I'm not sure if that would be the problem.
 
Add a line like this

Code:
pass in quick on bge0 proto tcp from any to any port 22 keep state
 
Hi,

My pf.conf file is very simple at the moment; all it has is three lines.

block in all
pass out all keep state
pass in on bge0 all no state
pass out all bge0 all no state


I tried various variations on this, and besides changing the block to a pass in the first line, none of the others will allow an ssh logon; basically I get the username prompt and then it hangs without providing the password prompt.
 
Hi R-C-E

I have disabled DNS as you suggested and it has worked, thanks a lot for your help.

I must admit I am a bit confused as to why this is the solution, as it only seemed to cause a problem when I used pf to restrict traffic. When I allowed all traffic to pass over that interface, I could login even without the DNS disabled.

BTW, although it does now allow me to log in, it does still seem to hang for around 10 seconds after entering the password, which is a little long for a gigabit LAN network. Are there any other ssh parameters you can think of that I can tune to fix this? Thanks again for your help.
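For readers following this thread, here is an added example of the deny-by-default ruleset the original poster was aiming for, written out in full. It is not the poster's configuration and not taken from the thread; only the interface name bge0 comes from the posts. The admin subnet 192.0.2.0/24 and the resolver address 192.0.2.53 are constructed placeholders, and the ruleset assumes a FreeBSD 7.x pf. Note that pf's grammar attaches an interface with `on <interface>`; a line such as `pass out all bge0 all no state` is not valid, and pfctl refuses the whole file rather than loading the good lines, so the previously loaded rules stay in effect.

```pf
# Added example (not from the thread): deny-by-default pf.conf that admits
# SSH only on the admin interface. bge0 is the interface named in the thread;
# admin_net and dns_srv are constructed placeholder values.
ext_if    = "bge0"
admin_net = "192.0.2.0/24"
dns_srv   = "192.0.2.53"

# Never filter loopback traffic.
set skip on lo0

# Default deny for inbound traffic. "log" sends dropped packets to pflog0 so
# they can be inspected with tcpdump -n -e -ttt -i pflog0.
block in log all

# Everything outbound is allowed and creates state, so replies to connections
# this host opens (including answers to sshd's reverse DNS lookup) come back
# in without needing their own pass in rule.
pass out all keep state

# Outbound resolver traffic written out explicitly so it is visible in
# pfctl -s rules and can be tightened to a single server later.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to $dns_srv port 53 keep state

# SSH from the admin network only. pf uses last-matching-rule semantics, so a
# pass rule placed after "block in all" wins for port 22; "quick" stops rule
# evaluation here so no later rule can override it. "flags S/SA" only creates
# state on the initial SYN.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf` (the `-n` flag parses without loading), then load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s rules` that the expected rules, and only those, are active. The delay after the username prompt that the thread describes is sshd waiting on a reverse lookup of the client address; on a network without a resolver, `UseDNS no` in /etc/ssh/sshd_config removes that lookup, which is what "disabling DNS" in the last post amounts to.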
 