[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freebsd-pf
Subject:    Simple config works for a limited time then blocks all
From:       Artiom Molchanov <ar.molchanov () gmail ! com>
Date:       2013-06-05 13:53:53
Message-ID: CALG00W5QokmZi0g7SP015nYmOZ0jbdieVo4DLv5HgfeVhYpjwg () mail ! gmail ! com
[Download RAW message or body]

Hi All,

I am trying to make my pf configured in two times. In the beginning of the
boot process just load a simple ruleset with only ssh and ICMP ping
enabled. Then at the end load full rule set.

Full rule set works well, but when I ma trying to test my simple rules
(pfctl -f /etc/pf_min.conf) I have a strange behavior:
1. ssh connection is interrupted (normal)
2. I reconnect, it works
3. 1-2 minutes later the connection is cut again, no ping, nothing is
accepted on the server.
4. It is still possible to receive rtadvd messages (yes, I am using IPv6)

I have 9.0-RELEASE FreeBSD 9.0-RELEASE #5
Here is my rules passed throug pfctl -vnf command:

set skip on { lo }
set debug loud
set block-policy return
ext_if = "net0"
int_if = "home0"
int_net = "home0:network"

altq on net0 hfsc bandwidth 850Kb tbrsize 1492 queue { q_voice q_other }
queue q_voice bandwidth 64Kb priority 6 hfsc( realtime 128Kb )
queue q_other bandwidth 786Kb priority 5 { q_pri q_std q_low }
queue q_pri bandwidth 50% priority 3 hfsc( red realtime 96Kb )
queue q_std bandwidth 30% priority 2 hfsc( red default )
queue q_low bandwidth 20% hfsc( red upperlimit 92% )

block return in all
pass out all flags S/SA keep state
pass out on net0 proto udp from any to any port 33433 >< 33626 keep state
label "UDP TRACEROUTE"
pass out inet proto icmp all icmp-type echoreq keep state label "ICMP"
pass out inet proto icmp all icmp-type unreach keep state label "ICMP"
pass in on net0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass in on net0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out on net0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out on home0 inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in on home0 inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass quick on net0 proto tcp from any to (net0) port = ssh flags S/SA keep
state (source-track rule, max-src-conn 10, max-src-conn-rate 5/60, overload
<hammering> flush, src.track 60) queue q_pri

pass quick on home0 inet6 proto tcp from 2001:xxxx:xxxx:abc::/64 to
(home0)/32 port = ssh flags S/SA keep state
pass quick on home0 inet proto tcp from 192.168.17.0/24 to (home0) port =
ssh flags S/SA keep state
pass inet6 proto tcp from 2001:xxxx:xxxx:abc::/64 to any port = domain
flags S/SA keep state
pass inet6 proto udp from 2001:xxxx:xxxx:abc::/64 to any port = domain keep
state
pass inet proto tcp from 192.168.17.0/24 to any port = domain flags S/SA
keep state
pass inet proto udp from 192.168.17.0/24 to any port = domain keep state

[prev in list] [next in list] [prev in thread] [next in thread]