On Tue, Sep 02, 2008 at 02:15:14PM -0700, Gavin Spomer wrote:
> I've recently had to leave my firewall off on my test server because when I'm
> ssh-ed in and enable pf, I get "locked out". :( It was working fine before
> and the only change that's happened recently is our university has a new ip
> range, but I've changed that in my config. I also have a production FreeBSD
> server of which I can ssh to (thankfully) with pf enabled and its pf.conf is
> virtually the same.
>
> My pf config relevant to this is:
>
> #### LISTS/MACROS:
> ext_if = "bce0"
>
> #### TABLES:
> table <campusaccess> const { campus ip range omitted }
>
> #### OPTIONS:
> set skip on lo0
>
> #### NORMALIZATION:
> scrub in all
>
> #### FILTERING:
> # default deny everything in and log
> block in log on $ext_if all
> block out log on $ext_if all
>
> # activate spoofing
> antispoof log quick for $ext_if inet
>
> # ssh for <campusaccess>
> pass in on $ext_if proto tcp from <campusaccess> to $ext_if port 22 flags S/SA keep state
>
> (other rules for other services/ports that are working go here)
>
> # let stuff out
> pass out on $ext_if proto { tcp, udp } from any to any keep state
>
> /var/log/messages shows entries like:
>
> Sep 2 10:02:27 myserver sshd[21000]: fatal: Write failed: Operation not permitted
>
> tcpdump -n -e -ttt -r /var/log/pflog shows entries like:
>
> 32.022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>
>
> and:
>
> 2143.098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: P 3200122721:3200122817(96) ack 2819997173 win 8326 <nop,nop,timestamp 3729475032 32922638>
>
> My Mac is within the <campusaccess> defined in my tables section. Only ssh is
> being blocked. Other things like port 80 for apache, port 3306 for MySQL,
> port 8080 for Plone, etc. are all fine.
>
> I have searched the freebsd-pf list archives, but it only allows me one page
> of search results for some reason. I have also Googled a bit and have finally
> posted here. Very confused.
The version of FreeBSD you're using is important here. What version?
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
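The two pflog lines quoted in Gavin's post can be triaged mechanically. This is an added example, not code from the thread: it parses the tcpdump pflog format shown above, keeps blocked packets that touch port 22, and flags those carrying no SYN, because a `flags S/SA keep state` rule only creates state from a SYN and a mid-stream packet can only be passed by a state entry that already exists (pflog rule numbers index the loaded ruleset, as listed by `pfctl -vvsr`). The sample lines are reconstructed from the post's anonymised output; `parse_pflog_line` and `triage` are names chosen here.

```python
import re

# Constructed from the two pflog lines quoted in the post (addresses are
# anonymised there, so "mymacip"/"myserverip" stand in for real addresses).
PFLOG_LINES = [
    "32.022410 rule 0/0(match): block in on bce0: mymacip.50186 > myserverip.22: "
    "P 1:97(96) ack 0 win 65535 <nop,nop,timestamp 32900581 4199243883>",
    "2143.098222 rule 1/0(match): block out on bce0: myserverip.22 > mymacip.50542: "
    "P 3200122721:3200122817(96) ack 2819997173 win 8326 "
    "<nop,nop,timestamp 3729475032 32922638>",
]

# tcpdump -n -e -ttt -r /var/log/pflog line layout, as seen in the post:
# <timestamp> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <tcp flags> ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPUW.]+)\s+"
)


def parse_pflog_line(line):
    """Return a dict of fields for one TCP pflog line, or None if it does not parse."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    # No SYN bit means the packet belongs to a connection that was already
    # established: a 'flags S/SA keep state' rule cannot create state for it,
    # so only a pre-existing state entry could let it through.
    rec["mid_stream"] = "S" not in rec["flags"]
    return rec


def triage(lines, ssh_port=22):
    """List blocked, mid-stream packets involving ssh_port as
    (rule number, direction, src, dst, flags) tuples."""
    findings = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        if ssh_port in (rec["sport"], rec["dport"]) and rec["mid_stream"]:
            findings.append((rec["rule"], rec["dir"], rec["src"], rec["dst"], rec["flags"]))
    return findings


if __name__ == "__main__":
    for finding in triage(PFLOG_LINES):
        print("blocked mid-stream ssh packet: rule %d, %s, %s -> %s, flags %s" % finding)
```

Both quoted packets come out as mid-stream (flags `P`, no SYN) and were dropped by rules 0 and 1, which in the quoted pf.conf are the two default `block ... log on $ext_if all` rules.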
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"