Re: pf, ssh related question

2009-10-17 Thread krad
Theoretically, if you sent a SYN packet from the same source port at
the same time as you reloaded the rules you could get around it.
However, the practicalities of this make it not worth the hassle,
especially if you don't control the firewall you're traversing through
from the client end. Best to live with it.

On 10/17/09, Dánielisz László  wrote:
> Hello,
>
> I have the following annoying thing: every time I run pfctl -F all -f
> /etc/pf.conf I get disconnected from my remote machine.
> Do you have any idea how can I avoid this?
>
> Here is my pf.conf
>
>
> #MACROS
> ext_if="rl0"
> int_if="rl1"
> good_ip="{192.168.1.0/24}"
> icmp_types="echoreq"
>
> set skip on lo
>
> scrub in
>
> block in
> pass out keep state
>
> antispoof quick for { lo $int_if }
>
> #incoming ssh
> pass in log quick on $int_if inet proto tcp from $good_ip to ($int_if) port
> 22 flags S/SA keep state
>
> #incoming http
> pass in log quick on $int_if inet proto tcp from $good_ip to ($int_if) port
> 80 flags S/SA keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
>
>

-- 
Sent from my mobile device
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: pf, ssh related question

2009-10-17 Thread Maxim Khitrov
2009/10/17 Dánielisz László :
> Hello,
>
> I have the following annoying thing: every time I run pfctl -F all -f
> /etc/pf.conf I get disconnected from my remote machine.
> Do you have any idea how can I avoid this?

If you are just trying to reload the changes made to pf.conf, use
"/etc/rc.d/pf reload". That flushes everything except for the state
table, leaving your connections intact. Another method is to set
"flags any" for each rule, which should allow connections to recover
after the states are flushed, but this would be a bad idea
security-wise.

- Max
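As an added example (not code from the thread or from FreeBSD itself), here is a small sh wrapper that does what Max describes: check that the new pf.conf parses, then replace the ruleset with `pfctl -f` so the state table, and with it the admin's ssh session, is left alone. The pfctl flags used (-n, -f, -F, -s states) are the documented ones; the helper name pf_reload and the sample path are my own.

```shell
#!/bin/sh
# Added example: reload pf rules without flushing the state table.
# pf_reload is a hypothetical helper name; the pfctl flags are standard:
#   -n -f FILE   parse only, load nothing
#   -f FILE      replace the ruleset; existing states are kept
#   -F all       flush rules, states, NAT, tables ... (this is what cut the ssh session)
#   -s states    dump the state table
#
# Why "-F all" drops the session: the ssh rule uses "flags S/SA keep state",
# so only a SYN can create a new state. Once the old state is gone, the
# ACK/PSH segments of the live session match no pass rule and hit "block in".
# "flags any" would let those segments create state again, but it also lets
# anyone create state with arbitrary non-SYN segments, bypassing the
# handshake check, which is why that option is a bad idea security-wise.

pf_reload() {
    conf=${1:-/etc/pf.conf}

    # 1. Refuse to touch the running ruleset if the new file does not parse.
    if ! pfctl -n -f "$conf" >/dev/null 2>&1; then
        echo "pf_reload: $conf failed syntax check, ruleset unchanged" >&2
        return 1
    fi

    # 2. Replace rules only. No -F: the state table, ssh session included, survives.
    pfctl -f "$conf" || return 1

    # 3. Print how many states still reference port 22 as a quick sanity check.
    pfctl -s states 2>/dev/null | grep -c ':22 ' || true
    return 0
}

# Usage: sh pf-reload.sh [/etc/pf.conf]; nothing runs when no argument is given.
if [ $# -gt 0 ]; then
    pf_reload "$1"
fi
```

On FreeBSD this is essentially what `/etc/rc.d/pf reload` does; the only extra is the explicit `-n` dry run first, so a typo in pf.conf cannot leave you with an empty ruleset and no ssh rule at all.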


Re: pf, ssh related question

2009-10-17 Thread Peter Boosten
On 17 okt 2009, at 11:53, Dánielisz László wrote:

> Hello,
>
> I have the following annoying thing: every time I run pfctl -F all -f
> /etc/pf.conf I get disconnected from my remote machine.
>
> Do you have any idea how can I avoid this?

You cannot avoid it when you flush all your current states.

Peter

--
http://www.boosten.org



pf, ssh related question

2009-10-17 Thread Dánielisz László
Hello,

I have the following annoying thing: every time I run pfctl -F all -f
/etc/pf.conf I get disconnected from my remote machine.
Do you have any idea how can I avoid this?

Here is my pf.conf


#MACROS
ext_if="rl0"
int_if="rl1"
good_ip="{192.168.1.0/24}"
icmp_types="echoreq"

set skip on lo

scrub in

block in
pass out keep state

antispoof quick for { lo $int_if }

#incoming ssh
pass in log quick on $int_if inet proto tcp from $good_ip to ($int_if) port 22 
flags S/SA keep state

#incoming http
pass in log quick on $int_if inet proto tcp from $good_ip to ($int_if) port 80 
flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

