Re: SSH: lost connection after restarting pf. [SOLVED]

2017-08-18 Thread Walter Alejandro Iglesias
On Fri, Aug 18, 2017 at 07:31:05PM +0200, Otto Moerbeek wrote:
> On Sat, Aug 12, 2017 at 02:40:41PM +0200, Walter Alejandro Iglesias wrote:
> 
> > In article <20170812123632.p7zgt2l4kz43y...@symphytum.spacehopper.org> you 
> > wrote:
> > > On 2017/08/12 14:33, Walter Alejandro Iglesias wrote:
> > > > In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> > > > > Hi Stuart,
> > > > > 
> > > > > In article  you wrote:
> > > > > > On 2017-08-12, Walter Alejandro Iglesias  wrote:
> > > > > > > Yesterday while copying a big file from one machine to another in 
> > > > > > > my LAN
> > > > > > > I noticed that restarting pf:
> > > > > > >
> > > > > > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > > > > > >
> > > > > > > scp stops and quits showing this message:
> > > > > > >
> > > > > > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > > > > > >
> > > > > > >
> > > > > > > Is this expected or is it a bug?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > 
> > > > > > Expected.
> > > > > > 
> > > > > > PF is a state-inspecting firewall and verifies things like TCP 
> > > > > > sequence
> > > > > > numbers; it needs to see the initial connection handshake to pick 
> > > > > > up the
> > > > > > wscale value.
> > > > > > 
> > > > > > I would recommend just reloading the ruleset rather than disabling 
> > > > > > and
> > > > > > re-enabling PF first.
> > > > > > 
> > > > > > 
> > > > > 
> > > > > I have this rule:
> > > > > 
> > > > > block in log quick inet proto tcp from  to port ssh
> > > > > 
> > > > > That reads IPs from the "port22" file which is updated from a script
> > > > > in a cronjob.  I don't know which command to use to re-read that file
> > > > > without causing the interrupt.
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > > You mean doing only this?
> > > > 
> > > > # pfctl -f /etc/pf.conf
> > > 
> > > Yes.
> > > 
> > > 
> > 
> > I just tried it and it works OK.  Thank you very much.
> > 
> 
> A bit of a late reply due to vacation...
> 
> I would like to stress that disable and then a reload is a
> dangerous practice. Apart from the fact that it loses state it also
> will leave pf disabled if you made a syntax error in your ruleset.

Yes, I was worried about that.

> 
> Please just do a reload: it is much safer: it will first
> validate the new ruleset and then *atomically* replace the old with
> the new ruleset, leaving intact any relevant state information.

I don't remember exactly what made me think that in the specific case of
tables reading IP lists from files a reload wasn't enough.  Something
wrong I did while testing led me to wrong conclusions. :-)


Thank you!


> 
>   -Otto


Walter



Re: SSH: lost connection after restarting pf. [SOLVED]

2017-08-18 Thread Otto Moerbeek
On Sat, Aug 12, 2017 at 02:40:41PM +0200, Walter Alejandro Iglesias wrote:

> In article <20170812123632.p7zgt2l4kz43y...@symphytum.spacehopper.org> you 
> wrote:
> > On 2017/08/12 14:33, Walter Alejandro Iglesias wrote:
> > > In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> > > > Hi Stuart,
> > > > 
> > > > In article  you wrote:
> > > > > On 2017-08-12, Walter Alejandro Iglesias  wrote:
> > > > > > Yesterday while copying a big file from one machine to another in 
> > > > > > my LAN
> > > > > > I noticed that restarting pf:
> > > > > >
> > > > > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > > > > >
> > > > > > scp stops and quits showing this message:
> > > > > >
> > > > > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > > > > >
> > > > > >
> > > > > > Is this expected or is it a bug?
> > > > > >
> > > > > >
> > > > > >
> > > > > 
> > > > > Expected.
> > > > > 
> > > > > PF is a state-inspecting firewall and verifies things like TCP 
> > > > > sequence
> > > > > numbers; it needs to see the initial connection handshake to pick up 
> > > > > the
> > > > > wscale value.
> > > > > 
> > > > > I would recommend just reloading the ruleset rather than disabling and
> > > > > re-enabling PF first.
> > > > > 
> > > > > 
> > > > 
> > > > I have this rule:
> > > > 
> > > > block in log quick inet proto tcp from  to port ssh
> > > > 
> > > > That reads IPs from the "port22" file which is updated from a script
> > > > in a cronjob.  I don't know which command to use to re-read that file
> > > > without causing the interrupt.
> > > > 
> > > > 
> > > > 
> > > 
> > > You mean doing only this?
> > > 
> > > # pfctl -f /etc/pf.conf
> > 
> > Yes.
> > 
> > 
> 
> I just tried it and it works OK.  Thank you very much.
> 

A bit of a late reply due to vacation...

I would like to stress that disable and then a reload is a
dangerous practice. Apart from the fact that it loses state it also
will leave pf disabled if you made a syntax error in your ruleset.

Please just do a reload: it is much safer: it will first
validate the new ruleset and then *atomically* replace the old with
the new ruleset, leaving intact any relevant state information.

-Otto
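The reload advice given by Stuart and Otto in this thread, as an added example that is not from the thread or from OpenBSD itself: a small sh script that validates and reloads the ruleset with pfctl -f (never pfctl -d, so a syntax error leaves the old ruleset running and existing states survive) and, for the cron-updated blocklist, refreshes only the table. It assumes /etc/pf.conf declares the table as `table <port22> persist file "/etc/port22"`; the table name and file path are assumptions taken from the "port22" file mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes /etc/pf.conf contains:
#   table <port22> persist file "/etc/port22"
# (table name and file path are assumptions based on the "port22" file
# mentioned in the thread) and that a cronjob rewrites that file.
set -eu

PF_CONF="${PF_CONF:-/etc/pf.conf}"
PF_TABLE="${PF_TABLE:-port22}"
PF_TABLE_FILE="${PF_TABLE_FILE:-/etc/port22}"

# Reload the ruleset without ever disabling pf.  pfctl -nf only parses the
# file, so a syntax error is reported here and the running ruleset is left
# untouched; pfctl -f then swaps the validated ruleset in atomically and
# keeps the state table, so established SSH/scp sessions are not reset.
pf_reload() {
    if ! pfctl -nf "$PF_CONF"; then
        echo "pf_reload: $PF_CONF does not parse; old ruleset kept" >&2
        return 1
    fi
    pfctl -f "$PF_CONF"
}

# When only the blocklist file changed, a full reload is not even needed:
# replace the table contents in place.  Rules and states are untouched.
pf_refresh_table() {
    if [ ! -r "$PF_TABLE_FILE" ]; then
        echo "pf_refresh_table: cannot read $PF_TABLE_FILE" >&2
        return 1
    fi
    pfctl -t "$PF_TABLE" -T replace -f "$PF_TABLE_FILE"
}

# Usage: pf-reload.sh reload   (after editing pf.conf)
#        pf-reload.sh table    (from the cronjob, after rewriting /etc/port22)
case "${1:-}" in
    reload) pf_reload ;;
    table)  pf_refresh_table ;;
esac
```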



Re: SSH: lost connection after restarting pf. [SOLVED]

2017-08-12 Thread Walter Alejandro Iglesias
In article <20170812123632.p7zgt2l4kz43y...@symphytum.spacehopper.org> you 
wrote:
> On 2017/08/12 14:33, Walter Alejandro Iglesias wrote:
> > In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> > > Hi Stuart,
> > > 
> > > In article  you wrote:
> > > > On 2017-08-12, Walter Alejandro Iglesias  wrote:
> > > > > Yesterday while copying a big file from one machine to another in my 
> > > > > LAN
> > > > > I noticed that restarting pf:
> > > > >
> > > > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > > > >
> > > > > scp stops and quits showing this message:
> > > > >
> > > > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > > > >
> > > > >
> > > > > Is this expected or is it a bug?
> > > > >
> > > > >
> > > > >
> > > > 
> > > > Expected.
> > > > 
> > > > PF is a state-inspecting firewall and verifies things like TCP sequence
> > > > numbers; it needs to see the initial connection handshake to pick up the
> > > > wscale value.
> > > > 
> > > > I would recommend just reloading the ruleset rather than disabling and
> > > > re-enabling PF first.
> > > > 
> > > > 
> > > 
> > > I have this rule:
> > > 
> > > block in log quick inet proto tcp from  to port ssh
> > > 
> > > That reads IPs from the "port22" file which is updated from a script
> > > in a cronjob.  I don't know which command to use to re-read that file
> > > without causing the interrupt.
> > > 
> > > 
> > > 
> > 
> > You mean doing only this?
> > 
> > # pfctl -f /etc/pf.conf
> 
> Yes.
> 
> 

I just tried it and it works OK.  Thank you very much.




Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Stuart Henderson
On 2017/08/12 14:33, Walter Alejandro Iglesias wrote:
> In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> > Hi Stuart,
> > 
> > In article  you wrote:
> > > On 2017-08-12, Walter Alejandro Iglesias  wrote:
> > > > Yesterday while copying a big file from one machine to another in my LAN
> > > > I noticed that restarting pf:
> > > >
> > > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > > >
> > > > scp stops and quits showing this message:
> > > >
> > > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > > >
> > > >
> > > > Is this expected or is it a bug?
> > > >
> > > >
> > > >
> > > 
> > > Expected.
> > > 
> > > PF is a state-inspecting firewall and verifies things like TCP sequence
> > > numbers; it needs to see the initial connection handshake to pick up the
> > > wscale value.
> > > 
> > > I would recommend just reloading the ruleset rather than disabling and
> > > re-enabling PF first.
> > > 
> > > 
> > 
> > I have this rule:
> > 
> > block in log quick inet proto tcp from  to port ssh
> > 
> > That reads IPs from the "port22" file which is updated from a script
> > in a cronjob.  I don't know which command to use to re-read that file
> > without causing the interrupt.
> > 
> > 
> > 
> 
> You mean doing only this?
> 
> # pfctl -f /etc/pf.conf

Yes.



Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> Hi Stuart,
> 
> In article  you wrote:
> > On 2017-08-12, Walter Alejandro Iglesias  wrote:
> > > Yesterday while copying a big file from one machine to another in my LAN
> > > I noticed that restarting pf:
> > >
> > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > >
> > > scp stops and quits showing this message:
> > >
> > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > >
> > >
> > > Is this expected or is it a bug?
> > >
> > >
> > >
> > 
> > Expected.
> > 
> > PF is a state-inspecting firewall and verifies things like TCP sequence
> > numbers; it needs to see the initial connection handshake to pick up the
> > wscale value.
> > 
> > I would recommend just reloading the ruleset rather than disabling and
> > re-enabling PF first.
> > 
> > 
> 
> I have this rule:
> 
> block in log quick inet proto tcp from  to port ssh
> 
> That reads IPs from the "port22" file which is updated from a script
> in a cronjob.  I don't know which command to use to re-read that file
> without causing the interrupt.
> 
> 
> 

You mean doing only this?

# pfctl -f /etc/pf.conf





Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
Hi Stuart,

In article  you wrote:
> On 2017-08-12, Walter Alejandro Iglesias  wrote:
> > Yesterday while copying a big file from one machine to another in my LAN
> > I noticed that restarting pf:
> >
> >   # pfctl -d && pfctl -e -f /etc/pf.conf
> >
> > scp stops and quits showing this message:
> >
> >   - stalled - Conection reset by 192.168.1.*  Lost connection
> >
> >
> > Is this expected or is it a bug?
> >
> >
> >
> 
> Expected.
> 
> PF is a state-inspecting firewall and verifies things like TCP sequence
> numbers; it needs to see the initial connection handshake to pick up the
> wscale value.
> 
> I would recommend just reloading the ruleset rather than disabling and
> re-enabling PF first.
> 
> 

I have this rule:

block in log quick inet proto tcp from  to port ssh

That reads IPs from the "port22" file which is updated from a script
in a cronjob.  I don't know which command to use to re-read that file
without causing the interrupt.




Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Stuart Henderson
On 2017-08-12, Walter Alejandro Iglesias  wrote:
> Yesterday while copying a big file from one machine to another in my LAN
> I noticed that restarting pf:
>
>   # pfctl -d && pfctl -e -f /etc/pf.conf
>
> scp stops and quits showing this message:
>
>   - stalled - Conection reset by 192.168.1.*  Lost connection
>
>
> Is this expected or is it a bug?
>
>
>

Expected.

PF is a state-inspecting firewall and verifies things like TCP sequence
numbers; it needs to see the initial connection handshake to pick up the
wscale value.

I would recommend just reloading the ruleset rather than disabling and
re-enabling PF first.




Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
On Sat, Aug 12, 2017 at 11:08:23AM +0200, Walter Alejandro Iglesias wrote:
> Yesterday while copying a big file from one machine to another in my LAN
> I noticed that restarting pf:
> 
>   # pfctl -d && pfctl -e -f /etc/pf.conf

I assume it's not necessary to say I'm doing this without changing any
rule on pf.conf. :-)


> 
> scp stops and quits showing this message:
> 
>   - stalled - Conection reset by 192.168.1.*  Lost connection
> 
> 
> Is this expected or is it a bug?
> 
> 




SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
Yesterday while copying a big file from one machine to another in my LAN
I noticed that restarting pf:

  # pfctl -d && pfctl -e -f /etc/pf.conf

scp stops and quits showing this message:

  - stalled - Conection reset by 192.168.1.*  Lost connection


Is this expected or is it a bug?