pf is dropping connections

Mark Cullen mark.cullen at dsl.pipex.com
Sun Oct 24 01:41:39 PDT 2004


Mark Cullen wrote:
> Yet more problems from me :) I just got a semi-basic ruleset for pf and
> it seems to be dropping connections. For example: if I SSH into my
> University and start typing, say, telnet <someplace>, PuTTY will pop up a
> nice little error message saying "software caused connection abort", or
> something similar. I didn't have this problem with ipfw1 and natd.
>
> Here are my rules. Maybe I got it a bit wrong somewhere? I copied most of
> it from an online example thing.
>
> -- /etc/pf.conf --
> ext_if="fxp1"
> int_if="fxp0"
> # my adsl modem is 192.168.0.1 ....
> priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
> icmp_types = "echoreq"
> tcp_services = "{ 80, 21, 20, 50000:50010 }"
> udp_services = "{ 5029 }"
> # set things
> set block-policy return
> set loginterface $ext_if
> scrub in all
> # NAT
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> # block all traffic
> block all
> pass quick on lo0 all
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> # open ports to server
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
>
> # allow traffic all inside network
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in on $int_if from $int_if:network to any
> pass out on $int_if from any to $int_if:network
> # allow network traffic to go out to the internet, keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> Is there anything there that might be causing it to drop connections?

No ideas? I went back to ipfw allow-everything rules for the night. I
couldn't get logging with pf to work either. It might have helped me
figure out what was going wrong. Is it supposed to create /dev/pflog
or something? I ran makedev and that didn't appear. pflogd complained too:

Oct 23 21:08:31 bone pflogd[8709]: Failed to initialize: BIOCSETIF: 
pflog0: Network is down
Oct 23 21:08:31 bone pflogd[8709]: Exiting, init failure

I kinda hope my problems are just because there's still something a bit
wrong with pf in stable. It's looking like I might have to try FreeBSD 4...
can't go without a firewall!
--
Internet Explorer? Try FireFox at http://www.mozilla.org/products/firefox/
Outlook Express? Try ThunderBird at 
http://www.mozilla.org/products/thunderbird/
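The ruleset above reworked as a diagnostic baseline, added here as an example and not part of the original thread: every pass rule on both interfaces keeps state and every block is logged to pflog0, so a dropped SSH connection shows up in the log instead of disappearing silently. It assumes FreeBSD 5.x pf, where a pass rule is stateless unless "keep state" is given; interface names and ports are the ones from the post.

```pf
# Added example, not the poster's file. Assumes FreeBSD 5.x pf (stateless
# "pass" unless "keep state" is written out). Interfaces/ports as in the post.
ext_if="fxp1"
int_if="fxp0"
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types = "echoreq"
tcp_services = "{ 80, 21, 20, 50000:50010 }"
udp_services = "{ 5029 }"

set block-policy return
set loginterface $ext_if
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

# default deny, logged: "tcpdump -n -e -ttt -i pflog0" then shows which
# rule dropped which packet, including any stray packet of an SSH session
block log all
pass quick on lo0 all
block drop log in quick on $ext_if from $priv_nets to any
block drop log out quick on $ext_if from any to $priv_nets

# services offered on the external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN side: keep state here as well, so every NAT state on $ext_if has a
# matching state on $int_if and replies are never judged by a stateless rule
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# outbound on the external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Logging side (FreeBSD 5.x /etc/rc.conf, not pf.conf):
#   pf_enable="YES"
#   pflog_enable="YES"
#   pflog_logfile="/var/log/pflog"
# The pflog rc script brings pflog0 up before it starts pflogd; the
# "BIOCSETIF: pflog0: Network is down" error in the post is what pflogd
# reports when it is started while pflog0 is still down.
```

After loading with pfctl -f /etc/pf.conf, pfctl -s state lists the SSH session's states on both interfaces, and pfctl -vs rules shows per-rule packet counters for the block rules.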