# simple question, just learning



## pk7 (Dec 29, 2008)

Hi,

I am learning FreeBSD and pf, and I have installed a machine with FreeBSD 7.0 and enabled pf.
I wanted to set it up as a deny by default and manually add the services I require.
So initially I have put in the lines

```
block in all
pass out all keep state
```

Now I want to add an admin interface that will accept ssh. I have tried adding quite a number of rules to the pf.conf file and none of them allow me to log on via ssh: it prompts for the user name, I enter a valid user, and instead of then prompting for the password it just hangs.
I do seem to be getting an error in the error log when this happens, which is

```
sshd[1236]: error: ssh_msg_send: write
```

If I change the block in all statement to a pass in all statement then I can logon no problem, so it seems that pf is responsible for this.
Even if I use rules like

```
pass in on bge0 all no state
pass out on bge0 all no state
```

where bge0 is the interface I want to use for the admin network, I still end up with the prompt in PuTTY hanging after I enter the user name.

Has anyone ever seen such a problem before?


----------



## r-c-e (Dec 29, 2008)

Are you able to resolve DNS on the machine? This may be causing hangs in ssh.


----------



## pk7 (Dec 29, 2008)

Hi

Thanks for your reply. I am using it in a test environment without DNS; I'm not using host names to initiate the session but am using the IP address, so I'm not sure if that would be the problem.


----------



## danger@ (Dec 29, 2008)

You should post the complete contents of your /etc/pf.conf in order to allow us to debug it.

BTW, great pf documentation is located at http://www.openbsd.org/faq/pf/index.html.


----------



## SirDice (Dec 29, 2008)

Add a line like this:


```
pass in quick on bge0 proto tcp from any to any port 22 keep state
```
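For context, here is a complete default-deny ruleset built around that kind of rule. This is an added example, not the pf.conf posted in this thread or SirDice's own configuration; the interface name, the admin network and the resolver address are assumptions, and the comment about sshd's reverse lookup reflects the DNS point r-c-e raised above.

```pf
# Added example, not the ruleset posted in this thread: a default-deny
# /etc/pf.conf for a FreeBSD 7.0 host that admits SSH only from an admin
# network on bge0. Interface and address values are assumptions.
admin_if  = "bge0"
admin_net = "192.0.2.0/24"        # placeholder admin network (assumed)

# Loopback traffic never needs filtering.
set skip on lo0

# Default deny inbound; log the drops so pflog0 shows what was blocked.
block in log all

# Let the host itself talk out (including DNS queries), and let the
# replies back in through the state table rather than through a pass-in rule.
pass out all keep state

# Only the admin network may reach sshd, and only on this interface.
# quick: stop evaluating once this matches, so a later, broader rule cannot
# override it (without quick, pf uses last-matching-rule-wins).
# flags S/SA: create state only from a genuine SYN, not from a stray ACK.
pass in quick on $admin_if proto tcp from $admin_net to ($admin_if) port 22 flags S/SA keep state

# Note: sshd reverse-resolves the client address before the password prompt
# unless "UseDNS no" is set in sshd_config. The pass-out rule above lets that
# query leave and its reply return; on a test LAN with no resolver at all the
# lookup can only time out, so set UseDNS no there.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`: pfctl rejects a ruleset with any syntax error as a whole (for instance `pass out all bge0 all no state`, which has no `on` keyword), and the previously loaded rules stay in force, which can make it look as if a rule change had no effect.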


----------



## pk7 (Dec 29, 2008)

Hi,

My pf.conf file is very simple at the moment; all it has is three lines.

```
block in all
pass out all keep state
pass in on bge0 all no state
pass out on bge0 all no state
```


I tried various variations on this and, besides changing the block to a pass in the first line, none of the others will allow an ssh logon; basically I get the username prompt and then it hangs without providing the password prompt.


----------



## r-c-e (Dec 29, 2008)

Try:

```
UseDNS no
```

in your sshd_config, and restart.


----------



## pk7 (Dec 30, 2008)

Hi R-C-E

I have disabled DNS as you suggested and it has worked, thanks a lot for your help.

I must admit I am a bit confused as to why this is the solution, as it only seemed to cause a problem when I used pf to restrict traffic. When I allowed all traffic to pass over that interface, I could login even without the DNS disabled.

BTW, although it does now allow me to log in, it does still seem to hang for around 10 seconds after entering the password, which is a little long for a gigabit LAN. Are there any other ssh parameters you can think of that I can tune to fix this? Thanks again for your help.


----------

