# Can't ssh with pf enabled.



## chigurh (Jan 9, 2013)

Hi,

I have configured pf on 8.3-STABLE and my /etc/pf.conf is as follows -

```
# $FreeBSD: /etc/pf.conf,v 1.1.12.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#

# Macros: 

  ext_if="re0"
  int_if="lo0"
  ext_ad = $ext_if "/32"
  localnet = $int_if:network
  tcp_services="{ 80, 45454, 443, 43, 25 }"

# Tables: 

  table <spamd-white> persist
  table <ssh-bruteforce> persist
  table <block-list> persist file "/etc/block-list"
  table <badhosts> persist
  table <sshguard> persist
  table <local> { 10.0.0.1/24 }

# Options: 
 
  set timeout { interval 10, frag 30 }
  set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
  set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
  set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
  set timeout { icmp.first 20, icmp.error 10 }
  set timeout { other.first 60, other.single 30, other.multiple 60 }
  set timeout { adaptive.start 0, adaptive.end 0 }
  set limit { states 10000, frags 5000 }
  set loginterface re0
  set optimization aggressive
  set block-policy return
  set require-order yes
  set debug loud
# set fingerprints "/etc/pf.os"
  set skip on lo0

# Normalization: 
 
  scrub in no-df random-id
  scrub in on $ext_if all fragment reassemble

# Queueing: 
# altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
# queue dflt bandwidth 5% cbq(default)
# queue developers bandwidth 80%
# queue marketing  bandwidth 15%

# Translation: 
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.

  nat on $ext_if from $localnet to any -> ($ext_if)

  no rdr inet proto tcp from <spamd-white> to any port smtp
  rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# Filtering:

# pass in all
  pass out all
  antispoof quick for $int_if
  antispoof log quick for $int_if label "Spoofed"
  antispoof quick for $ext_if

# block all incoming packets but allow ssh, pass all outgoing tcp and udp connections and keep state, logging blocked packets.
 
  block in log all
  block in quick from <block-list> to any
  block in quick on $ext_if from <sshguard> label "ssh bruteforce"
  block drop in quick on $ext_if from <ssh-bruteforce>
  block on $ext_if from <badhosts> to any
  block in from no-route to any
  block in from urpf-failed to any

### block probes that can possibly determine our operating system by disallowing certain combinations that are used by nmap, queso and xprobe2, who are 
### attempting to fingerprint the server.
 ### * F : FIN  - Finish; end of session
 ### * S : SYN  - Synchronize; indicates request to start session
 ### * R : RST  - Reset; drop a connection
 ### * P : PUSH - Push; packet is sent immediately
 ### * A : ACK  - Acknowledgement
 ### * U : URG  - Urgent
 ### * E : ECE  - Explicit Congestion Notification Echo
 ### * W : CWR  - Congestion Window Reduced

  block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
  block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
  block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
  block in quick on $ext_if proto tcp flags /WEUAPRSF
  block in quick on $ext_if proto tcp flags SR/SR
  block in quick on $ext_if proto tcp flags SF/SF

  pass in quick from <local> to any keep state
  pass  out on $ext_if proto { tcp, udp } all keep state
  pass  out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
  pass  in  on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
  pass  in  on { lo0, $localnet } to any keep state
  pass  out on { lo0, $localnet } to any keep state
  pass  in  on $ext_if proto tcp from any to $ext_if port 45454 flags S/SA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
  pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 8443 keep state
```

With pf enabled I can't ssh into my box from the LAN.


```
$ ssh -vv apogee@10.0.0.5 -p 45454
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.0.5 [10.0.0.5] port 45454.
debug1: connect to address 10.0.0.5 port 45454: Connection refused
ssh: connect to host 10.0.0.5 port 45454: Connection refused
```

With pf disabled -

```
$ ssh -vv -p 45454 apogee@10.0.0.5
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug2: ssh_connect: needpriv 0
.
.
.
debug2: shell request accepted on channel 0
Last login: Wed Jan  9 00:37:50 2013
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
 
FreeBSD 8.3-STABLE (INFERNO) #0: Sat Jun 23 05:02:43 PDT 2012
 
Welcome to FreeBSD!
 
Before seeking technical support, please use the following resources:
 
o  Security advisories and updated errata information for all releases are
   at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
   for your release first as it's updated frequently.
 
o  The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
   along with the mailing lists, can be searched by going to
   http://www.FreeBSD.org/search/.  If the doc distribution has
   been installed, they're also available formatted in /usr/share/doc.
 
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list.  If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page.  If you are not familiar with manual pages, type `man man'.
 
You may also use sysinstall(8) to re-enter the installation and
configuration utility.  Edit /etc/motd to change this login announcement.
 
To see how long it takes a command to run, type the word "time" before the
command name.
                -- Dru <genesis@istar.ca>
>
```

I have tried several things but nothing has worked. Some more details about the port -

```
#lsof -i | grep sshd
sshd      60699   root    3u  IPv6 0xffffff0249f47760      0t0  TCP *:45454 (LISTEN)
sshd      60699   root    4u  IPv4 0xffffff0249f473b0      0t0  TCP *:45454 (LISTEN)
```


```
# pfctl -s info
Status: Enabled for 0 days 00:15:47             Debug: Loud

Interface Stats for re0               IPv4             IPv6
  Bytes In                         1482920           962833
  Bytes Out                         284648              688
  Packets In
    Passed                            1826                0
    Blocked                           1751             4175
  Packets Out
    Passed                            2633               10
    Blocked                              2                0

State Table                          Total             Rate
  current entries                        4               
  searches                           10717           11.3/s
  inserts                              928            1.0/s
  removals                             924            1.0/s
Counters
  match                               7068            7.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              4            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
```

Please forgive me for the long quotes, but I am using PF for the first time.


----------



## DutchDaemon (Jan 9, 2013)

Either move your pass in rule higher up, or add the log statement to the block in rules and run a *tcpdump* on the pflog device.


----------



## chigurh (Jan 9, 2013)

Hi, thanks for a quick reply. I moved the rules up and it worked. Will check the other two options later. Thanks again!


----------
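The following is an added example, not code from the thread: a small Python model of pf's filter evaluation (last matching rule wins, `quick` stops at the first match) showing why moving a pass rule above a `block in quick` rule changes the verdict. The rulesets, the 10.0.0.0/24 source match and the `quick` on the moved pass rule are assumptions made for illustration; the thread does not say which rule blocked the connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False          # quick: stop evaluating at the first match
    log: bool = False            # log: packet would be recorded on pflog
    src: str = "0.0.0.0/0"       # source network (IPv4 only in this model)
    port: Optional[int] = None   # destination port, None = any

    def matches(self, src: str, port: int) -> bool:
        in_net = ip_address(src) in ip_network(self.src)
        return in_net and self.port in (None, port)


def evaluate(rules, src, port):
    """Return (action, index of deciding rule, logged) for an inbound packet.

    pf filter semantics: the last matching rule decides, unless a matching
    rule carries 'quick', which ends evaluation at that rule. With no match
    at all pf passes the packet; that is reported here as rule index None.
    """
    verdict = ("pass", None, False)
    for i, rule in enumerate(rules):
        if rule.matches(src, port):
            verdict = (rule.action, i, rule.log)
            if rule.quick:
                break
    return verdict


# Constructed rulesets. 10.0.0.0/24 stands in for whatever a quick block
# rule happens to match (an assumption, see the lead-in).
ORIGINAL_ORDER = [
    Rule("block", log=True),                        # block in log all
    Rule("block", quick=True, src="10.0.0.0/24"),   # block in quick from <table>
    Rule("pass", port=45454),                       # pass in ... port 45454
]
PASS_MOVED_UP = [
    Rule("block", log=True),
    Rule("pass", quick=True, port=45454),           # moved above the quick block
    Rule("block", quick=True, log=True, src="10.0.0.0/24"),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_ORDER), ("moved up", PASS_MOVED_UP)):
        print(name, evaluate(rules, "10.0.0.2", 45454))
```

The rule index in the result plays the role of the rule number that a tcpdump on the pflog device prints, and the `logged` flag is false for a deciding rule without `log`, which is why the log statement has to be added to the `block in quick` rules before the capture shows anything.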

