Thread: SSH Session disconnecting with pf

SSH Session disconnecting with pf
2008-04-07 17:02:33
Hi All

I'm running FreeBSD stable6.2 on all my servers and in the past one year I
noticed a random disconnection of persistent sessions to and from servers
which are running PF as the firewall.

At first I was blaming internet connectivity issues for this and tried to sell
this as "as good as it gets".

Of course at first I noticed it at SSH connections and later on with ftp
NOOP connections and so on.

This dropping causes SSH to be reconnected and ftp to stall indefinitely
until new login.

All people are starting to get quite spooky about it, especially SSH users
because of interrupted sessions and tunneling.

I tried to find the reason for this. Any help would be very appreciated.

Regards
Torsten
All kernels are compiled with:

****************************************
#pf firewall start
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Based Queueing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
# PF firewall end
options SMP
options QUOTA
****************************************
All other options are left alone.

My pf.conf looks like this (sorry, changed the ext IP addresses because I don't
trust myself to have done the right thing):
*****************************
###MACROS
ext_if = "em0"
int_if = "vr0"
ext_ip = "{0.0.0.1, 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5}"
loop_if="lo0"
SYN_ONLY="S/FSRA"
icmp_types = "echoreq"
office_ip="{ 1.0.0.1, 1.0.0.2, 1.0.0.4, 1.0.0.4, 1.0.0.5, 1.0.0.6, 1.0.0.7 }"
public_services = "{ 13, 20, 21, 25, 37, 53, 80, 110, 443, 465, 993, 995, 8025}"
PassiveFTP = "{ 55000 >< 59000 }"

##TABLES
#private IP address spaces
table <private_net> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
# blacklist host
table <blacklist> persist file "/usr/local/etc/pf/pf.blacklist"

## GLOBAL OPTIONS
set block-policy return
set loginterface $ext_if
set optimization normal
set skip on lo0

## TRAFFIC NORMALIZATION
scrub in all no-df
scrub out all no-df

## FILTER RULES
# in general block all connections and allow later below
block in
# allow all on loop interface
pass quick on $loop_if
# block all private ip addresses
block in quick on $ext_if from { <private_net> }
# allow any connection from the server to go out
pass out keep state
#allow tcp/udp connections to the above ports from external
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state
#allow ping request from anywhere but filter it
pass in log inet proto icmp all icmp-type $icmp_types keep state
#allow any connection from management IP's
pass in log quick on $ext_if proto udp from $office_ip to $ext_if keep state
pass in log quick on $ext_if proto tcp from $office_ip to $ext_if flags $SYN_ONLY keep state
# blacklist spam networks and so on
block log quick from <blacklist> to any
block log quick from any to <blacklist>
#ftp proxy rubbish for passive ftp
pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state
pass quick on $int_if
****************************
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe freebsd.org"

Re: SSH Session disconnecting with pf
2008-04-07 18:07:50
On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten CNC-bond wrote:
> I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> noticed a random disconnection of persistent sessions to and from servers
> which are running PF as the firewall

The big problem with your rules looks to be how you're determining SYN,
and how you're using keep state.

Below are some comments.

> SYN_ONLY="S/FSRA"

This is very, very wrong, and probably the cause of your issues. This
should be S/SA.

> # allow all on loop interface
>
> pass quick on $loop_if

You don't need this -- you're using "set skip on lo0", which causes pf
to ignore that interface. You can remove $loop_if as well.

> # block all private ip addresses
>
> block in quick on $ext_if from { <private_net> }

Use the "antispoof" directive for this, it'll work better.

> # allow any connection from the server to go out
>
> pass out keep state

This is also incorrect. It'll work fine for ICMP and UDP packets, but
for TCP you'll be creating a new state table for every packet regardless
of flags, which is liable to break things. For TCP you want to keep
state only on connections being initiated, so you should be using:

pass out quick proto tcp all flags S/SA keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

You can, of course, replace "flags S/SA" with $SYN_ONLY once you address
the issue above.

> #allow tcp/udp connections to the above ports from external
>
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port $public_services flags $SYN_ONLY keep state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port $public_services keep state

You can remove the parenthesis in "($ext_if)".

> #allow ping request from anywhere but filter it
>
> pass in log inet proto icmp all icmp-type $icmp_types keep state

The pf.conf comment here doesn't make any sense. Also, be aware ICMP is
actually quite important, so you don't want to block all ICMP protocols
and just permit echoreq. There are documents online which discuss what
blocking all ICMP types can do.

> #ftp proxy rubbish for passive ftp
>
> pass in log on $ext_if inet proto tcp from any to any port $PassiveFTP keep state
> pass in log on $ext_if inet proto udp from any to any port $PassiveFTP keep state

FTP is actually a TCP-based protocol, despite what you see in
/etc/services for ports.

> pass quick on $int_if

Consider using "set skip on $int_if" instead, if this is really what you
want.

--
| Jeremy Chadwick                                  jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

Re: SSH Session disconnecting with pf
2008-04-07 18:14:49
On Mon, 2008-04-07 at 23:02 +0100, Torsten CNC-bond wrote:
> [...]
>
> # allow any connection from the server to go out
>
> pass out keep state
>
This is your problem right here. Try

pass out quick proto tcp flags S/SA keep state
pass out quick proto udp keep state
pass out quick proto icmp keep state

You can keep your flags as S/SFRA as it is more restrictive than S/SA,
but you should be examining flags for outbound TCP in order to keep
state. I imagine you may be filling your state table with the way this
rule is currently written.

Re: SSH Session disconnecting with pf
2008-04-07 18:17:29
See Below

On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten CNC-bond wrote:
> > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > noticed a random disconnection of persistent sessions to and from servers
> > which are running PF as the firewall
>
> The big problem with your rules looks to be how you're determining SYN,
> and how you're using keep state.
>
> Below are some comments.
>
> > SYN_ONLY="S/FSRA"
>
> This is very, very wrong, and probably the cause of your issues. This
> should be S/SA.

That is not very very wrong.

Any TCP session starting up should only have the SYN flag set out of SYN
FIN ACK RST. As a matter of fact this is in theory a more secure setting
than S/SA (SYN out of SYN ACK).

Cheers,
Elliott Perrin
elliott c7.ca
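The S/SA versus S/FSRA disagreement above comes down to how pf evaluates `flags a/b`: only the bits in b are examined, those in a must be set and the remaining bits of b must be clear. The following is an added example, not code from the thread or from pf itself, that models that check in Python over a constructed set of TCP packets and shows which packets each of the two rules would pass.

```python
"""Model of pf's ``flags a/b`` TCP-flag match, illustrating the S/SA versus
S/FSRA discussion in this thread.  Added example: not from the thread and not
pf's own code; the packet list below is constructed for illustration."""

# TCP flag bits, using pf's single-letter names (F S R P A U E W).
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
         "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def parse_flags(spec: str) -> int:
    """Turn a pf flag string such as 'SA' or 'FSRA' into a bitmask."""
    return sum(FLAGS[c] for c in spec)


def flags_match(pkt: int, rule: str) -> bool:
    """pf semantics of ``flags a/b``: only the bits in b are examined;
    those in a must be set and the remaining bits of b must be clear."""
    want, mask = rule.split("/")
    return (pkt & parse_flags(mask)) == parse_flags(want)


# Constructed packets: a normal connection opener plus malformed/odd ones.
PACKETS = {
    "SYN": parse_flags("S"),
    "SYN+ACK": parse_flags("SA"),
    "ACK": parse_flags("A"),
    "SYN+FIN": parse_flags("SF"),
    "SYN+RST": parse_flags("SR"),
    "SYN+ECE+CWR": parse_flags("SEW"),  # ECN-capable SYN, legitimate
}


def compare(rule_a: str = "S/SA", rule_b: str = "S/FSRA") -> dict:
    """Per packet, report (passes rule_a, passes rule_b)."""
    return {name: (flags_match(bits, rule_a), flags_match(bits, rule_b))
            for name, bits in PACKETS.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:12s} S/SA={a!s:5s} S/FSRA={b}")
```

Both rules pass a plain SYN and the ECN-flagged SYN, since neither mask examines E or W; only S/FSRA rejects SYN+FIN and SYN+RST, which is the sense in which it is the more restrictive check.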

Re: SSH Session disconnecting with pf
2008-04-07 19:05:58
On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten CNC-bond wrote:
> > > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > > noticed a random disconnection of persistent sessions to and from servers
> > > which are running PF as the firewall
> >
> > The big problem with your rules looks to be how you're determining SYN,
> > and how you're using keep state.
> >
> > Below are some comments.
> >
> > > SYN_ONLY="S/FSRA"
> >
> > This is very, very wrong, and probably the cause of your issues. This
> > should be S/SA.
>
> That is not very very wrong.
>
> Any TCP session starting up should only have the SYN flag set out of SYN
> FIN ACK RST. As a matter of fact this is in theory a more secure setting
> than S/SA (SYN out of SYN ACK).

You're correct, and it was I who was very wrong. Thank you for
correcting me.

--
| Jeremy Chadwick                                  jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

Re: SSH Session disconnecting with pf
2008-04-07 21:48:21
On Mon, 2008-04-07 at 17:05 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> > On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten CNC-bond wrote:
> > > > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > > > noticed a random disconnection of persistent sessions to and from servers
> > > > which are running PF as the firewall
> > >
> > > The big problem with your rules looks to be how you're determining SYN,
> > > and how you're using keep state.
> > >
> > > Below are some comments.
> > >
> > > > SYN_ONLY="S/FSRA"
> > >
> > > This is very, very wrong, and probably the cause of your issues. This
> > > should be S/SA.
> >
> > That is not very very wrong.
> >
> > Any TCP session starting up should only have the SYN flag set out of SYN
> > FIN ACK RST. As a matter of fact this is in theory a more secure setting
> > than S/SA (SYN out of SYN ACK).
>
> You're correct, and it was I who was very wrong. Thank you for
> correcting me.

No apology necessary... especially with all the help you provide to
people on the list.

Cheers,
~e

Re: SSH Session disconnecting with pf
2008-04-08 08:52:14
I also see you said you use FreeBSD 6.2, consider this:
http://lists.freebsd.org/pipermail/freebsd-security/2008-April/004699.html

All the best