DragonFly BSD
DragonFly users List (threaded) for 2004-10
Re: pf is dropping connections

From: Mark Cullen <mark.cullen@xxxxxxxxxxxxx>
Date: Sun, 24 Oct 2004 09:41:39 +0100

Mark Cullen wrote:
Yet more problems from me :) I just got a semi-basic ruleset for pf and it seems to be dropping connections. For example: if I SSH into my University and start typing, say, telnet <someplace>, PuTTY will pop up a nice little error message saying "software caused connection abort", or something similar. I didn't have this problem with ipfw1 and natd.

Here are my rules. Maybe I got it a bit wrong somewhere? I copied most of it from an online example.

-- /etc/pf.conf --
# my adsl modem is ....
# NOTE: the ext_if and int_if macro definitions used below are not shown in
# the pasted snippet; pfctl refuses a ruleset that references an undefined macro.
priv_nets = "{,, }"
icmp_types = "echoreq"
tcp_services = "{ 80, 21, 20, 50000:50010 }"
udp_services = "{ 5029 }"

# set things
set block-policy return
set loginterface $ext_if
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

# block all traffic
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# open ports to server
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

# allow traffic all inside network
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network

# allow network traffic to go out to the internet, keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Is there anything there that might be causing it to drop connections?

No ideas? I went back to ipfw allow-everything rules for the night. I couldn't get logging with pf to work either. It might have helped me figure out what was going wrong. Is it supposed to create /dev/pflog or something? I ran makedev and that didn't appear. pflogd complained too:

Oct 23 21:08:31 bone pflogd[8709]: Failed to initialize: BIOCSETIF: pflog0: Network is down
Oct 23 21:08:31 bone pflogd[8709]: Exiting, init failure

I kinda hope my problems are just because there's still something a bit wrong with pf in stable. It's looking like I might have to try FreeBSD 4... can't go without a firewall!
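The ruleset above mixes a default `block all`, several `quick` rules and later `pass` rules, so which rule actually wins for a given packet is not obvious by reading. The following is an added example (not part of the original post or of DragonFly/pf) that models pf's evaluation order for a subset of the syntax: rules are checked top to bottom, the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation at once. The ruleset inside it is a constructed copy of the post's rules with the macros replaced by assumed values (`ext0` at 203.0.113.5 for `$ext_if`, `int0`/192.168.1.0/24 for `$int_if`, RFC 1918 space for `$priv_nets`) and with `scrub`, `nat`, `flags`, `keep state`/`modulate state` dropped, because the model ignores state tracking, normalization and NAT.

```python
"""Toy evaluator for a subset of pf(4) rule syntax (added example, not pf code).

Models only the first-pass rule match: last matching rule wins unless a matching
rule is 'quick'.  State tables, scrub, nat and TCP flags are not modelled, so a
packet that pf would accept because it matches an existing state is still run
through the rules here.
"""
import ipaddress

# Constructed ruleset: the post's rules with macros substituted by assumed values.
RULESET = """
block all
pass quick on lo0 all
block drop in quick on ext0 from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
block drop out quick on ext0 from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
pass in on ext0 proto tcp from any to 203.0.113.5 port { 80, 21, 20, 50000:50010 }
pass in on ext0 proto udp from any to 203.0.113.5 port { 5029 }
pass in proto icmp all icmp-type echoreq
pass in on int0 from 192.168.1.0/24 to any
pass out on int0 from any to 192.168.1.0/24
pass out on ext0 proto tcp all
pass out on ext0 proto { udp, icmp } all
"""


def _tokens(line):
    return line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()


def _take_list(toks, i):
    """Return (items, next_index) for a single token or a '{ a, b, c }' list."""
    if toks[i] == "{":
        j = toks.index("}", i)
        return toks[i + 1:j], j + 1
    return [toks[i]], i + 1


def parse_rule(line):
    """Parse one rule of the supported subset into a dict."""
    toks = _tokens(line)
    rule = {"action": toks[0], "quick": False, "dir": None, "on": None,
            "proto": None, "src": ["any"], "dst": ["any"], "port": None, "text": line}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("drop", "return", "inet", "all"):
            i += 1                      # no effect on matching in this model
        elif t == "quick":
            rule["quick"] = True; i += 1
        elif t in ("in", "out"):
            rule["dir"] = t; i += 1
        elif t == "on":
            rule["on"] = toks[i + 1]; i += 2
        elif t == "icmp-type":
            i += 2                      # icmp types are not modelled
        elif t == "proto":
            rule["proto"], i = _take_list(toks, i + 1)
        elif t == "from":
            rule["src"], i = _take_list(toks, i + 1)
        elif t == "to":
            rule["dst"], i = _take_list(toks, i + 1)
        elif t == "port":
            rule["port"], i = _take_list(toks, i + 1)
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule


def _addr_matches(addr, spec):
    return any(s == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(s)
               for s in spec)


def _port_matches(port, spec):
    for item in spec:                   # items are 'N' or 'LO:HI'
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, pkt):
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["on"] and rule["on"] != pkt["iface"]:
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"]:
        return False
    if not _addr_matches(pkt["src"], rule["src"]) or not _addr_matches(pkt["dst"], rule["dst"]):
        return False
    if rule["port"] and (pkt.get("dport") is None or not _port_matches(pkt["dport"], rule["port"])):
        return False
    return True


def evaluate(rules, pkt):
    """pf order: last matching rule wins, unless a matching rule is 'quick'.

    Returns (verdict, matched_rule_text); pf's default when nothing matches is pass.
    """
    verdict, matched = "pass", None
    for r in rules:
        if rule_matches(r, pkt):
            verdict, matched = r["action"], r["text"]
            if r["quick"]:
                break
    return verdict, matched


RULES = [parse_rule(l) for l in RULESET.strip().splitlines() if l and not l.startswith("#")]


def check(direction, iface, proto, src, dst, dport=None):
    """Evaluate one packet against the constructed ruleset."""
    return evaluate(RULES, {"dir": direction, "iface": iface, "proto": proto,
                            "src": src, "dst": dst, "dport": dport})


if __name__ == "__main__":
    # Outbound SSH from the LAN: enters on int0, leaves on ext0 (NAT not modelled).
    print(check("in", "int0", "tcp", "192.168.1.10", "198.51.100.7", 22))
    print(check("out", "ext0", "tcp", "203.0.113.5", "198.51.100.7", 22))
    # A packet with a private source on the external interface hits the quick block
    # even though a later 'pass in ... port 80' rule would otherwise match it.
    print(check("in", "ext0", "tcp", "10.1.2.3", "203.0.113.5", 80))
```

Running it shows that the LAN-to-Internet SSH packets are passed by the last matching `pass` rules, that unsolicited inbound traffic to anything but the listed services ends on `block all`, and that the `quick` anti-spoofing rule wins over the later service `pass` rule. What the model cannot show is the behaviour the post is asking about: once a connection has a state entry, pf checks that entry before the ruleset, so an idle session being cut off is a question of state handling (and, with `set block-policy return`, of the RST pf sends when it does block), not of rule order.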
