# Upgrade from 8.2 -> 9.0



## folivora (Jul 30, 2012)

Hi, 

I did upgrade from FreeBSD 8.2 to FreeBSD 9.0. All went fine, except I am having issues with `# ifconfig alias`. I have one NIC from external connections, this NIC has host's main ip-address and two aliases for jails.


```
ifconfig_re0="inet xx.120.81.83 netmask 255.255.255.0"
ifconfig_re0_alias0="inet xx.120.81.4 netmask 255.255.255.0"
ifconfig_re0_alias1="inet xx.120.81.92 netmask 255.255.255.0"
```

Everything was working without problems before the upgrade.
Now when I am connect to jail's sshd I get timeout; if I change the rdr-port in /etc/pf.conf to something else, lets say port 1234 I can reach the jail's sshd without any problems.

My host is running also sshd in port 22 and so are jails.

Host is listening to it's own external ip-address *xx.120.81.83* and other jails is listening address *xx.120.81.4*.

I have this rule for RDR in pf.conf


```
ext_if="re0
ext_if3="xx.120.81.4"
jail_1="xx.120.81.4"
rdr pass on $ext_if proto tcp from any to $ext_if3 port 22 -> $jail_1 port 22
```

This has been working last two years without any problems, I am kinda clueless what could cause this problem.

I have been trying to look with tcpdump(8), this is the output


```
IP ab11160.xx.xx.49436 > xx.120.81.4.ssh: Flags [S], seq 1617453496, win 14600, options [mss 1460,sackOK,TS val 603230 ecr 0,nop,wscale 7], length 0

IP ab11160.xx.xx.49436 > xx.120.81.4.ssh: Flags [S], seq 1617453496, win 14600, options [mss 1460,sackOK,TS val 604432 ecr 0,nop,wscale 7], length 0
```

All ideas are most welcome, I have been trying to fix this issue for sometime now. 

Best Regards

folivora


----------



## folivora (Jul 30, 2012)

Seems that when communicating my jails aren't answering back:

tcpdump:


```
00:00:00.000000 70:be:9b:50:dd:10 > 1c:cc:f7:e3:46:59, ethertype IPv4 (0x0800), length 74: xxx.24.140.160.49571 > xx.120.81.4.22: Flags [S], seq 2168901959, win 14600, options [mss 1460,sackOK,TS val 1153703 ecr 0,nop,wscale 7], length 0
00:00:03.002158 70:be:9b:50:dd:10 > 1c:cc:f7:e3:46:59, ethertype IPv4 (0x0800), length 74: xxx.24.140.160.49571 > cc.120.81.4.22: Flags [S], seq 2168901959, win 14600, options [mss 1460,sackOK,TS val 1154004 ecr 0,nop,wscale 7], length 0
00:00:06.021044 70:be:9b:50:dd:10 > 1c:cc:f7:e3:46:59, ethertype IPv4 (0x0800), length 74: xxx.24.140.160.49571 > xx.120.81.4.22: Flags [S], seq 2168901959, win 14600, options [mss 1460,sackOK,TS val 1154606 ecr 0,nop,wscale 7], length 0
00:00:12.019679 70:be:9b:50:dd:10 > 1c:cc:f7:e3:46:59, ethertype IPv4 (0x0800), length 74: xxx.24.140.160.49571 > xx.120.81.4.22: Flags [S], seq 2168901959, win 14600, options [mss 1460,sackOK,TS val 1155808 ecr 0,nop,wscale 7], length 0
00:00:24.116279 70:be:9b:50:dd:10 > 1c:cc:f7:e3:46:59, ethertype IPv4 (0x0800), length 74: xxx.24.140.160.49571 > xx.120.81.4.22: Flags [S], seq 2168901959, win 14600, options [mss 1460,sackOK,TS val 1158216 ecr 0,nop,wscale 7], length 0
```

Could this be because of wrong routing on the routing table? 
But it is weird that different port work fine, but ports like 113/auth, 22/ssh, 80/http and 443/https aren't working after the upgrade.

-folivora


----------



## folivora (Jul 30, 2012)

Ok, I have investigated the problem more, I got external connections working after issuing
`# /etc/rc.d/pf stop` command, after the upgrade I haven't changed any configurations on /etc/rc.conf or in /etc/pf.conf

Here is my pf.conf


```
#MACROS
ext_if="re0" #external (single interface)
int_if="em0" #internal interface
ext_if2="xx.120.81.93" #re0 
ext_if3="xx.120.81.4"  # re0 jail_1
jail_1="xx.120.81.4"

# ping requests
icmp_types = "{echoreq, unreach}"
icmp6_types_out = "{ echoreq, unreach, neighbrsol, routersol }"
icmp6_types_in = "{ echoreq, unreach, neighbrsol, neighbradv, routeradv }"

#firewall itself
#table <firewall> const { self }

#tables
table <sshguard> persist
table <badguys> persist file "/etc/badguys"
table <non_routable> persist file "/etc/non_routable"
table <ssh-violations> persist file "/etc/ssh-violations"
table <irc-servers> persist file "/etc/irc-servers"

#spamd tables
table <spamd> persist
table <spamd-white> persist

#external bad IPs
table <badroutes> { }

# don't filter on the loopback interface
set skip on lo0

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all random-id
scrub out on $ext_if all random-id
scrub on $ext_if all reassemble tcp

nat on $ext_if inet from $int_if:network to any -> $ext_if2

rdr pass on $ext_if proto tcp from any to $ext_if3 port 22 -> $jail_1 port 22

block in log all label "block in all"

#incoming 
#
block in log on $ext_if  #block all incoming; external interface

pass log (all, to pflog2) inet proto tcp from any to any ##log  

#block bad guys
#block external broadcasts without logging
block in quick on $ext_if from any to 255.255.255.255 label "external broadcast block"

block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

##antispoof
antispoof log for $ext_if
antispoof log for lo
antispoof log for $int_if

#SSH
pass in quick on $ext_if proto tcp from <goodguys> to ($ext_if) port ssh keep state
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state (max-src-conn-rate 3/5, overload <badguys> flush global)

#black bad routes / sites
block out quick on $ext_if proto { tcp, udp, icmp } to <badroutes> label "block out ext_if badroutes"
block drop out quick on $ext_if from any to <non_routable> label "block out ext_if non_routable"

#outgoing rules (keep state: sets a state table; matching packets are allowed back automatically)
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass out on $int_if proto { tcp, udp, icmp } all keep state
```

I did leave some rules out, since they are for different protocols.

-folivora


----------

