
Re: Fwd: PF suddenly stops allowing certain connections through

On Mon, Jan 31, 2005 at 05:21:36PM -0600, Lyle Worthington wrote:
> Did my message even get through?  No one has replied and this is a
> rather urgent issue.  any help is appreciated!  The message is
> inline...
Yes, it did get through fine, as you can always check using the online
archives, like
Instead of making smart references to omelettes and how urgency doesn't
govern completion of tasks[1], I'll try to address your question. Which
doesn't mean anyone should be re-posting questions (without further data
relevant to the problem) if they are not answered initially within a day
or two, mind you :)
> We are running pf on v3.4 and for the most part it has worked
> perfectly for 6 months (with only 2 hard crashes).  However, twice now
> in the past week we've seen it suddenly stop allowing certain
> connections through, while others come through just fine.  The state
> table is nowhere near even 35% full, and it's always just one port that
> won't get through.
> In this case it was ssh that was suddenly not allowed.  We have these
> three rules:
> pass in log on $ext_if proto tcp from xx.xx.xx.xx/24 to any port 22 keep state
> pass in log on $ext_if proto tcp from any to any port 25 keep state
> pass in log on $ext_if proto tcp from any to any port 80 keep state
> Where xx.xx.xx.xx/24 is our class C at our office.  Now the problem we
> see is that all of a sudden ssh is no longer allowed through.  There
> are no entries in the log about connections actually being blocked,
> but nothing gets through.  From multiple IPs on our C block we can hit
> SMTP and HTTP, just not SSH.  Does anyone have any ideas?  Anywhere I
> can look?  Need any more information?
When the machine is in that state the next time, do the following:
  - run tcpdump -nvvvpi $ext_if tcp port 22
  - run pfctl -vvsr >out1
  - try to establish an SSH connection
  - run pfctl -vvsr >out2
  - run pfctl -vvss >out3
  - compare out1 and out2 (diff -u might help)
  - search out3 for lines related to the attempted SSH connection
If you don't see any packets in the tcpdump output, there is some
network problem outside the scope of pf. If you see packets arrive,
pf should evaluate the ruleset, pass the packet and create state. The
rule counters in out2 vs. out3 should increase. You should also see a
state entry.
It might be something simple like the client using a source address
outside the restricted /24 from time to time (if it's really a /20, for
instance). The tcpdump output should tell.
If you can't spot the problem, provide the output of the commands
mentioned above, and we can try to help.
[1] http://www.google.com/search?q=omelette+urgency+completion
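As an added example (not part of the original message or of pf itself), the
following POSIX shell script automates the "snapshot, attempt SSH, snapshot
again, compare" part of the procedure above and turns the counter diff into
a verdict per rule. It assumes the OpenBSD 3.x pfctl -vvsr layout (an "@N
<rule>" line followed by a "[ Evaluations: N Packets: N Bytes: N States: N ]"
line) and the pfctl -vvss layout for inbound states ("<if> <proto> <dst>:<port>
<- <src>:<port> <flags>"). The interface name fxp0, the addresses 192.0.2.0/24,
203.0.113.10 and 198.51.100.77, and the three snapshot files are constructed
sample data standing in for out1, out2 and out3, not real output.

```shell
#!/bin/sh
# Added example, not from the original post: automates the
# "snapshot, attempt SSH, snapshot again, compare" steps and turns the
# rule-counter diff into a verdict. Assumes the OpenBSD 3.x pfctl -vvsr
# format (an "@N <rule>" line followed by
# "[ Evaluations: N Packets: N Bytes: N States: N ]") and the
# pfctl -vvss format whose first line per inbound state reads
# "<if> <proto> <dst>:<port> <- <src>:<port> <flags>".

# On the firewall (as root): take one snapshot before and one after the
# SSH attempt, then hand the two rules files to rule_delta.
take_snapshot() {
    pfctl -vvsr > "$1/rules" && pfctl -vvss > "$1/states"
}

# Flatten pfctl -vvsr output to one "|"-separated line per rule:
#   <rule text>|<evaluations>|<packets>|<bytes>|<states>
flatten_rules() {
    awk '
        /^@[0-9]+ /    { rule = $0; next }
        /Evaluations:/ { printf "%s|%s|%s|%s|%s\n", rule, $3, $5, $7, $9 }
    ' "$1"
}

# Compare two pfctl -vvsr snapshots and print every rule whose counters
# moved, with a verdict:
#   MATCHED  evaluated and passed packets (a state should show up in -vvss)
#   SKIPPED  evaluated but matched nothing, e.g. the client's source
#            address falls outside the /24 the rule allows
rule_delta() {
    before=$(flatten_rules "$1")
    after=$(flatten_rules "$2")
    printf '%s\n' "$before" "---" "$after" | awk -F'|' '
        $0 == "---"  { second = 1; next }
        !second      { ev[$1] = $2; pk[$1] = $3; st[$1] = $5; next }
        !($1 in ev)  { printf "NEW      %s\n", $1; next }
        {
            de = $2 - ev[$1]; dp = $3 - pk[$1]; ds = $5 - st[$1]
            if (de == 0 && dp == 0 && ds == 0) next
            verdict = (dp > 0) ? "MATCHED" : "SKIPPED"
            printf "%-8s evals +%d pkts +%d states %+d  %s\n",
                   verdict, de, dp, ds, $1
        }'
}

# Number of inbound states in a pfctl -vvss snapshot whose local port is $2.
count_states_for_port() {
    awk -v port="$2" '
        $4 == "<-" && $3 ~ (":" port "$") { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample snapshots (not real output): an SSH SYN from
# 198.51.100.77, outside the office 192.0.2.0/24, reaches a firewall running
# the three rules from the post. Each rule is evaluated, none passes the
# packet, and no port-22 state appears.
write_samples() {
    cat > "$1/out1" <<'EOF'
@0 pass in log on fxp0 proto tcp from 192.0.2.0/24 to any port = ssh keep state
  [ Evaluations: 1200      Packets: 3400      Bytes: 500000      States: 0     ]
@1 pass in log on fxp0 proto tcp from any to any port = smtp keep state
  [ Evaluations: 800       Packets: 9100      Bytes: 7000000     States: 1     ]
@2 pass in log on fxp0 proto tcp from any to any port = www keep state
  [ Evaluations: 600       Packets: 22000     Bytes: 9000000     States: 1     ]
EOF
    cat > "$1/out2" <<'EOF'
@0 pass in log on fxp0 proto tcp from 192.0.2.0/24 to any port = ssh keep state
  [ Evaluations: 1201      Packets: 3400      Bytes: 500000      States: 0     ]
@1 pass in log on fxp0 proto tcp from any to any port = smtp keep state
  [ Evaluations: 801       Packets: 9100      Bytes: 7000000     States: 1     ]
@2 pass in log on fxp0 proto tcp from any to any port = www keep state
  [ Evaluations: 601       Packets: 22000     Bytes: 9000000     States: 1     ]
EOF
    cat > "$1/out3" <<'EOF'
fxp0 tcp 203.0.113.10:25 <- 198.51.100.7:40123       ESTABLISHED:ESTABLISHED
   [1662354018 + 65536]  [2905431112 + 16384]
   age 00:01:12, expires in 23:58:48, 31:29 pkts, 2570:4106 bytes
fxp0 tcp 203.0.113.10:80 <- 192.0.2.15:51200       ESTABLISHED:ESTABLISHED
   [3120558223 + 65536]  [1093377614 + 16384]
   age 00:00:03, expires in 23:59:57, 6:5 pkts, 860:1200 bytes
EOF
}

# Walk the constructed samples through the comparison.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    rule_delta "$dir/out1" "$dir/out2"
    echo "inbound states on port 22: $(count_states_for_port "$dir/out3" 22)"
    rm -rf "$dir"
}

demo
```

On the real firewall, replace write_samples with two take_snapshot calls (one before, one after the SSH attempt) and run rule_delta on the two rules files; a SKIPPED verdict on the ssh rule with no port-22 state is exactly the "source outside the /24" case, while MATCHED plus a state means pf did its job and the problem is elsewhere.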