# PF drop my SSH after few seconds



## blaize (Sep 6, 2012)

Hello,
I'm new to PF, I have read many threads about the rules configuration. I tried many things but I can't get PF working.
When I switch on PF with pfctl -ef /etc/pf.conf, that drops my SSH connection, ok, why not. But when I try to come back, sometimes it works, sometimes not... I timed out the first time, believed it was a wrong rule, then it worked. When I'm back on SSH, a few seconds after login, I get a connection abort, PF kicks me. I just have the time to switch down PF before it kicks me. I really don't understand why, it should always fail or always work!

here is my pf.conf

```
#       $FreeBSD: release/9.0.0/share/examples/pf/pf.conf 218854 2011-02-19 14:57:00Z brucec $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

## Macros
EXT_NIC="em0"
INT_NIC="bridge0"

# Your Internet IP goes in the EXT_IP variable
EXT_IP="176.31.110.188"

# Your private network IP goes in the INT_IP variable
# if you have two NICs on the machine
INT_IP="192.168.0.1"

## TABLES


## GLOBAL OPTIONS
#set loginterface $EXT_NIC
set skip on lo0

## TRAFFIC NORMALIZATION
#scrub in on $EXT_NIC all fragment reassemble
#scrub out on $EXT_NIC all fragment reassemble random-id no-df
scrub in all

## QUEUEING RULES


## TRANSLATION RULES (NAT)
nat on $EXT_NIC inet from any to any -> $EXT_NIC
nat on $EXT_NIC inet6 from any to any -> $EXT_NIC

## FILTER RULES

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all

# Default TCP policy
#block return-rst in log on $EXT_NIC proto TCP all
#  pass in log quick on $EXT_NIC proto tcp from any to $EXT_IP port 22 flags $SYN_ONLY keep state
#  pass in log quick on $EXT_NIC proto tcp from any to $EXT_IP port 113 flags $SYN_ONLY keep state
#  pass in log quick inet proto tcp from any to $EXT_IP port 113

pass in quick inet proto tcp from $EXT_NIC to any port 22 flags S/SA keep state
pass in quick inet proto tcp from $EXT_NIC to any port 113 flags S/SA keep state


# Default UDP policy
#block in log on $EXT_NIC proto udp all
   # It's rare to be hosting a service that requires UDP (unless you are hosting
   # a dns server for example), so there typically won't be any entries here.

# Default ICMP policy
#block in log on $EXT_NIC proto icmp all
#   pass in log quick on $EXT_NIC proto icmp from any to $EXT_IP icmp-type echoreq keep state
#   pass proto { icmp icmp6 }

pass in quick inet proto icmp from any to any icmp-type { echoreq, echorep, timex, unreach }

#Allow all out traffic
pass out quick inet proto tcp from any to any flags S/SA keep state
pass out quick inet proto { udp, icmp } from any to any keep state
```

I commented out some other rules found before. A little more complex, but for now, I just want SSH to work reliably!

Thank you in advance, I really hope someone will understand what is wrong.


----------



## SirDice (Sep 6, 2012)

What makes you think it's PF that's dropping the connection? There's nothing in your rules that would result in that behavior.


----------



## blaize (Sep 6, 2012)

Thanks for the quick answer. Yes, PF is dropping my connection. Ping not responding and SSH timeout. Sometimes, 2 pings respond, then nothing until 2 others may work.
Same thing for SSH, I can't connect until it works for a short period of time, just the time to disable PF. I really don't understand, maybe it's not a pf rules problem?


----------



## SirDice (Sep 6, 2012)

It sounds more like a bad internet connection to me.


----------



## kisscool-fr (Sep 6, 2012)

From where do you connect? From your LAN or from the outside?


----------



## blaize (Sep 6, 2012)

I'm connecting from the Internet. When I disable PF, everything works fine.
I rent a server from OVH.
Is it possible they added something I need to unblock?


----------



## kisscool-fr (Sep 6, 2012)

Change your ssh rule from this 


```
pass in quick inet proto tcp from $EXT_NIC to any port 22 flags S/SA keep state
```

to something like this 


```
pass in quick on $EXT_NIC inet proto tcp from any to $EXT_IP port 22 flags S/SA keep state
```


You should also change the nat rules from this


```
nat on $EXT_NIC inet from any to any -> $EXT_NIC
nat on $EXT_NIC inet6 from any to any -> $EXT_NIC
```

to something like this 


```
nat on $EXT_NIC inet from ! $EXT_NIC to any -> $EXT_NIC
nat on $EXT_NIC inet6 from ! $EXT_NIC to any -> $EXT_NIC
```


And just like that, what is the bridge for? And are you sure you need port 113?


----------



## blaize (Sep 6, 2012)

Ok, I'll try this.
The bridge0 is to redirect ports to jails. Not used now.


----------



## blaize (Sep 6, 2012)

I lose the SSH connection with the last rules.


----------



## blaize (Sep 6, 2012)

In my kernel config, I have :

```
# The `bpf' device enables the Berkeley Packet Filter.
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter
```

AND


```
device          pf
device          pflog
```

so I have /dev/bpf, /dev/bpf0 and /dev/pf
Is there a chance of a conflict?


----------



## kisscool-fr (Sep 6, 2012)

The kernel config should not have any impact on your problem. You may also leave it as a module; the pf module will be loaded at startup if needed.


Just one thing for the nat rules I did not take care of before: you have to omit the inet and inet6 keywords. At the end, you will have


```
nat on $EXT_NIC from ! $EXT_NIC to any -> $EXT_NIC
```

instead of 


```
nat on $EXT_NIC inet from ! $EXT_NIC to any -> $EXT_NIC
nat on $EXT_NIC inet6 from ! $EXT_NIC to any -> $EXT_NIC
```

It will not load the rules otherwise.


----------



## blaize (Sep 6, 2012)

Just tried the change, all is blocked again.
Even ping is not responding. I don't understand why.


----------



## blaize (Sep 6, 2012)

I put "pass all" instead of "block all" and nothing changed. I have no access at all.
Seems to be something else :/


----------



## plamaiziere (Sep 6, 2012)

blaize said:

> Thank for the quick answer. Yes, PF is dropping my connection. Ping not responding and SSH timeout. Sometime, 2 ping respond, then nothing until 2 other may work.
> Same thing for SSH, can't connect until it's work for a short period of time, just the time to disable PF. I really don't understand, maybe it's not a pf's rules problem?



Looks like a lack of states. Check the number of current state entries:

```
pfctl -s info

State Table                          Total             Rate
  current entries                   141905
```

And adjust your limit (pfctl -s memory to show, pf.conf "set limit" rule to adjust).

HTH, regards.


----------



## kisscool-fr (Sep 6, 2012)

Can you try something as simple as this 


```
## Macros
EXT_NIC="em0"

# Your Internet IP goes in the EXT_IP variable
EXT_IP="176.31.110.188"

## TABLES


## GLOBAL OPTIONS
#set loginterface $EXT_NIC
set skip on lo0

## TRAFFIC NORMALIZATION
#scrub in on $EXT_NIC all fragment reassemble
#scrub out on $EXT_NIC all fragment reassemble random-id no-df
scrub in all

## QUEUEING RULES


## TRANSLATION RULES (NAT)
nat on $EXT_NIC from ! $EXT_NIC to any -> $EXT_NIC

## FILTER RULES

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all

pass in quick on $EXT_NIC proto tcp from any to $EXT_IP port 22
```

Can you also post the output of ifconfig and your /etc/rc.conf?


----------



## blaize (Sep 6, 2012)

plamaiziere said:

> Looks like a lack of states. Check the number of states current entries
> 
> ```
> pfctl -s info
> ...




```
pfctl -s info
No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled                              Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
```

0 entries.... not sure that's normal...

My limit :

```
pfctl -s memory
No ALTQ support in kernel
ALTQ related functions disabled
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
```


----------



## blaize (Sep 6, 2012)

kisscool-fr said:

> Can you try something as simple as this
> 
> 
> ```
> ...



Tried, doesn't work, I lose the SSH connection and can't reconnect.

my ifconfig (without epair0a and epair0b)

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether e0:69:95:c3:22:f9
        inet 176.31.110.188 netmask 0xffffff00 broadcast 176.31.110.255
        inet6 fe80::e269:95ff:fec3:22f9%em0 prefixlen 64 scopeid 0x1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pflog0: flags=0<> metric 0 mtu 33152
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:f1:4e:90:f9:00
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
```

my rc.conf (without the jail specific configuration)

```
sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="213.186.33.99"
fsck_y_enable="YES"
named_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

ifconfig_em0="inet 176.31.110.188 netmask 255.255.255.0 broadcast 176.31.110.255"
defaultrouter="176.31.110.254"
hostname="ks393815.kimsufi.com"

#packet filter
#pf_enable="YES"
#pflog_enable="YES"
#gateway_enable="YES"
#ipv6_gateway_enable="YES"

#jail network
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.0.1 netmask 255.255.255.0 up"

#Jails
jail_enable="YES"
jail_v2_enable="YES"
jail_list="left4dead"

jail_set_hostname_allow="NO"
jail_sysvipc_allow="NO"                   
jail_stop_jailer="NO"
inetd_flags="-wW -a 176.31.110.188"       
sendmail_enable="NO"
syslogd_flags="-s"
```


----------



## plamaiziere (Sep 6, 2012)

blaize said:

> ```
> pfctl -s info
> No ALTQ support in kernel
> ALTQ related functions disabled
> ...



Here PF is disabled...


----------



## jnbek (Sep 6, 2012)

Just to throw this out there, but perhaps the problem isn't PF/FreeBSD to begin with. You mentioned you were "Renting a server from OVH"; perhaps the problem is with the host. Do you have connection limits? Do they have some type of system that disconnects idle connections? What kind of plan are you on? VPS/Dedicated/Shared? Review the fine print in your account's ToS to make sure none of the above conditions exist.


----------



## blaize (Sep 6, 2012)

Yes PF is disabled. If I enable PF I lose the SSH connection, so I can't give you the result while pf is working.
I rent a dedicated server with unlimited access. When pf is disabled I can stay on SSH without limit and without being disconnected.


----------



## plamaiziere (Sep 6, 2012)

blaize said:

> Yes PF is disabled. If I enable PF I loose SSH connection, so I can't give you the result while pf is working.
> I rent a dedicated server with unlimited access. When pf is disabled I can stay no limit on SSH without disconnected.



Do you have a lot of connections on your server?
It is safe to augment the states limit (I have 1 000 000 max states at work, with an average number of entries at 250 000). 10000 max states (the default) is quite low under load.

Also, you can output pfctl -s info to a file each second with a small script.

Regards.
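Added example, not code from anyone in this thread: a small POSIX sh checker for the two things plamaiziere asks about in his posts above, whether PF is actually enabled at the moment of the snapshot and whether the state table is near its hard limit or already counting state-limit drops. The snapshots below are constructed; the field positions follow the `pfctl -s info` and `pfctl -s memory` output quoted in this thread.

```shell
#!/bin/sh
# Constructed sample of "pfctl -s info" (trimmed to the lines we parse).
PF_INFO_BUSY='Status: Enabled for 0 days 00:03:12            Debug: Urgent

State Table                          Total             Rate
  current entries                     9800
  searches                          412000         2146.0/s
Counters
  state-limit                            37            0.2/s'

# Constructed sample matching the thread: PF disabled when the snapshot was taken.
PF_INFO_OFF='Status: Disabled                              Debug: Urgent

State Table                          Total             Rate
  current entries                        0
Counters
  state-limit                             0            0.0/s'

# Constructed sample of "pfctl -s memory" with the default limits.
PF_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# pf_status: "Enabled" or "Disabled", taken from the Status line.
pf_status() { printf '%s\n' "$1" | awk '/^Status:/ { print $2 }'; }

# pf_current_states: number of entries currently in the state table.
pf_current_states() { printf '%s\n' "$1" | awk '/^ *current entries/ { print $3 }'; }

# pf_state_limit_hits: total packets dropped because the state limit was reached.
pf_state_limit_hits() { printf '%s\n' "$1" | awk '/^ *state-limit/ { print $2 }'; }

# pf_hard_limit POOL MEMORY_OUTPUT: hard limit of a pool ("states", "src-nodes", ...).
pf_hard_limit() {
    printf '%s\n' "$2" | awk -v pool="$1" '$1 == pool && $2 == "hard" { print $4 }'
}

# pf_check INFO MEMORY: prints "disabled", "near-limit" (>= 90% of the states
# limit, or any state-limit drops already counted) or "ok".
pf_check() {
    info="$1"; mem="$2"
    [ "$(pf_status "$info")" = "Enabled" ] || { echo disabled; return 0; }
    cur=$(pf_current_states "$info"); lim=$(pf_hard_limit states "$mem")
    hits=$(pf_state_limit_hits "$info")
    if [ "${hits:-0}" -gt 0 ] || [ $((cur * 10)) -ge $((lim * 9)) ]; then
        echo near-limit
    else
        echo ok
    fi
}

pf_check "$PF_INFO_BUSY" "$PF_MEMORY"   # near-limit
pf_check "$PF_INFO_OFF" "$PF_MEMORY"    # disabled
```

On a live box the same functions take `"$(pfctl -s info)"` and `"$(pfctl -s memory)"` directly, and a `while sleep 1` loop around `pfctl -s info >> logfile` gives the per-second trace plamaiziere suggests.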


----------



## blaize (Sep 6, 2012)

Actually I have nobody on the server. I just rented it 2 days ago.
I put the pfctl -s info in my script called by "at" to roll back the block


```
#!/bin/sh
# Rollback script scheduled with at(1): save the PF status, replace the
# ruleset with an empty pf.conf, then disable PF so SSH comes back.
pfctl -s info > /home/xxx/pf_info
mv /etc/pf.conf /home/xxx/pf.conf
touch /etc/pf.conf
pfctl -d
```

The result is strange:

```
#cat pf_info
Status: Disabled                              Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
```


----------



## SirDice (Sep 6, 2012)

Is either of the other two firewalls (IPFW and IPFilter) perhaps enabled?

Also, try with the GENERIC kernel. When you enable pf(4) the module will be loaded. See if that works.


----------



## blaize (Sep 6, 2012)

How do I check if IPFW or IPFilter are enabled ?


----------



## SirDice (Sep 7, 2012)

You should get errors with these:
IPFW:
`# ipfw list` 
IPFilter:
`# ipfstat`


----------



## blaize (Sep 8, 2012)

I resolved the problem without a solution => reinstalling the OS from the OVH web admin (where I rent).
Maybe a bug during the first auto install.
You can mark as solved.
Thank you for your answers, I learned more about PF.


----------



## jnbek (Sep 9, 2012)

Cool


----------

