# Dropped SSH Connections



## ahankinson (Nov 30, 2009)

I have two machines with different network cards. On the first machine, when I restart anything to do with the networking, e.g. "/etc/rc.d/netif restart" or "/etc/rc.d/ipfw restart" it will maintain the ssh connection through the restart. This machine is running FreeBSD 7.2 with the following hardware:

```
$ pciconf -vl
...
bce0@pci0:9:0:0:	class=0x020000 card=0x01b31028 chip=0x164c14e4 rev=0x12 hdr=0x00
    vendor     = 'Broadcom Corporation'
    device     = 'Broadcom NetXtreme II Gigabit Ethernet Adapter (BCM5708)'
    class      = network
    subclass   = ethernet
...
```

On the second machine, however, the connection hangs and I have to close the terminal. It does not exit the connection, it simply waits until it times out. I'm running 8.0-RELEASE on this machine.

It is running this hardware:

```
$ pciconf -vl
...
em0@pci0:5:0:0:	class=0x020000 card=0x34768086 chip=0x10968086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Intel PRO/1000 EB (Intel PRO/1000 EB)'
    class      = network
    subclass   = ethernet
...
```

I've tried the same firewall settings on both machines which did not seem to make a difference.

Any clues as to why this happens? Generally, is this likely to be a difference in hardware capabilities, or is it a software configuration problem?

Thanks in advance.


----------



## aragon (Nov 30, 2009)

The fact that it doesn't happen in 7.2 is quite surprising.  The behaviour seems pretty normal to me...


----------



## ahankinson (Nov 30, 2009)

I just double-checked. I'm now using IPFW on the 7.2 machine and PF on the 8.0 machine. Restarting netif on the 8.0 machine now maintains the connection, but restarting PF results in a dropped connection. Restarting both netif and IPFW on the 7.2 machine maintains the connection.

I'm beginning to suspect that it is actually a firewall problem. Maybe I'm missing an 'established' rule on the PF side of things. I'll change it up and report back.


----------



## aragon (Dec 1, 2009)

That is correct behaviour.  When you restart pf using the RC script it probably clears PF's state table.  You should not be adding "established" rules to a stateful firewall as that entirely defeats the point of a stateful firewall.  The key is to avoid resetting the firewall's state table.

Why are you restarting PF?  If you just want to reload the ruleset, use pfctl(8) instead.


----------



## anomie (Dec 1, 2009)

Note that you can do: `# /etc/rc.d/pf reload`

That uses pfctl as well.

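The reload-instead-of-restart procedure from the two replies above, as an added example script; it is not from the thread and not FreeBSD's own rc.d/pf script. It assumes a ruleset path is passed on the command line (e.g. /etc/pf.conf) and parses the "current entries" line of `pfctl -si` output to confirm the state table was not flushed.

```shell
#!/bin/sh
# Added example: reload a pf ruleset in place so the state table, and with
# it live SSH sessions, survives. Assumes the ruleset path is given as $1.

# Read `pfctl -si` output on stdin and print the "current entries" count of
# the State Table section (the Source Tracking Table has a line with the
# same label, so the section is tracked). Prints 0 if the line is absent.
pf_state_count() {
    awk '/^State Table/ { in_states = 1; next }
         in_states && /current entries/ { n = $3; exit }
         END { print n + 0 }'
}

# A reload that flushed state looks like: entries before > 0, after == 0.
# Returns 0 when states survived, 1 when the table was emptied.
pf_states_survived() {
    before="$1"; after="$2"
    if [ "$before" -gt 0 ] && [ "$after" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Validate, then load the ruleset with -f only. No -F (flush) option is
# used, so existing state entries, and the connections they track, are kept.
pf_reload_keep_state() {
    rules="$1"
    before=$(pfctl -si 2>/dev/null | pf_state_count)
    if ! pfctl -nf "$rules"; then
        echo "refusing to load $rules: syntax check failed" >&2
        return 1
    fi
    pfctl -f "$rules" || return 1
    after=$(pfctl -si 2>/dev/null | pf_state_count)
    echo "state entries before reload: $before, after: $after"
    if ! pf_states_survived "$before" "$after"; then
        echo "warning: state table was emptied; connections will drop" >&2
        return 2
    fi
}

# Run only when a ruleset path is passed, e.g.: sh pf_reload.sh /etc/pf.conf
if [ -n "${1:-}" ]; then
    pf_reload_keep_state "$1"
fi
```

Run it as root; the before/after counts let you confirm from the SSH session itself that the reload kept its state entry.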

----------



## ahankinson (Dec 1, 2009)

Thank you all for your expertise & replies. I've fixed the problem.


----------



## DutchDaemon (Dec 1, 2009)

How? Share solutions.


----------



## phoenix (Dec 2, 2009)

It could also be a difference between the "default rule" for IPFW and PF.  I don't know about PF, but IPFW's default rule is "deny ip from any to any", which will kill all active network connections when you restart/reload IPFW rules.

However, one can change that via a kernel option (IPFW_DEFAULT_TO_ACCEPT), which sets the default rule to "allow ip from any to any" which will not kill active connections during a restart/reload.


----------



## ahankinson (Dec 4, 2009)

Sorry for not including the solution I discovered. I mostly just followed the instructions suggested by others in this thread. By using

```
/etc/rc.d/pf reload
```

instead of restart it does not break the network connection. As for why it doesn't happen on IPFW, I'm still not sure why.


----------



## phoenix (Dec 4, 2009)

Did you read what I posted?  That tells you why.


----------

