PF Unable to establish ssh link to host running pf.

Code:
# freebsd-version ; uname -a
13.0-RELEASE-p11
FreeBSD x 13.0-RELEASE-p11#0 Tue Apr 5 18:54:35 UTC 2022   root@amd64-builder.demonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

On this host I have sshd listening on this port:
Code:
tcp           0          0 192.168.0.1.22                           *.*                              LISTEN

In pf.conf I have this filter rule placed before all other filters:
Code:
### Filtering
pass          quick log from  216.184.71.41

With pf enabled when I attempt to connect from 216.184.71.41 this is logged:
Code:
2022-04-28 09:22:43.655355 rule 2008/0(match): pass in on em4: 216.185.71.41.51794 > 192.168.0.1.22: Flags [S], seq 78510686, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>

However, sshd times out:
Code:
[root@vhost01 ~ (master)]# sshx 192.168.0.1
ssh: connect to host 192.168.0.1 port 22: Operation timed out

With pf disabled I can connect:
Code:
[root@vhost01 ~ (master)]# sshx 192.168.0.1
!!Warning!! -    Any deliberate attempt to access this resource without
                legitimate authorization is a criminal offence
                (R.S.C. 1985, c. C-46 - Section 342.1).
Last login: Thu Apr 28 08:38:57 2022
FreeBSD 13.0-RELEASE-p11 (GENERIC) #0: Tue Apr  5 18:54:35 UTC 2022
. . .

How is it that the connection passes through the firewall yet the ssh session cannot be established?
 
Turn on KEEPALIVE on the ssh(1) connection. If there's no KEEPALIVE keeping the firewall state active, it will eventually time out when the SSH connection is idle. Enabling KEEPALIVE will periodically send a 'noop' message, keeping the firewall state active.
 
This worked once but no longer.

The fix is to set ServerAliveInterval=1 in /etc/ssh/ssh_config on the client.

Setting TCPKeepAlive on the server did not correct the issue.
 
Actually, I still have something happening that I do not understand. SSHD is listening on:
Code:
# netstat -an | grep -i listen | grep 22
tcp4       0      0 192.168.0.1.22         *.*                    LISTEN

This is the first pf filter rule:
Code:
pass          quick log proto tcp \
                from  216.185.71.41 \
                to    192.168.0.1     port  ssh

This is the sshd server setting for keep alive:
Code:
ClientAliveCountMax 120
ClientAliveInterval 2

This is the ssh_config setting on 216.185.71.41:
Code:
     ServerAliveInterval 1
     ServerAliveCountMax 60

With these settings when I try to connect then I see this:
Code:
[root@vhost01 ~ (master)]# time sshx -vvv 192.168.0.1
OpenSSH_7.9p1, OpenSSL 1.1.1l-freebsd  24 Aug 2021
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 3: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 192.168.0.1 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.0.1 [192.168.0.1] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 192.168.0.1 port 22: Operation timed out
ssh: connect to host 192.168.0.1 port 22: Operation timed out

real    0m10.021s
user    0m0.006s
sys    0m0.000s

Several seconds after the timeout on 216.185.71.41 I see this appear in tcpdump -n -e -tttt -i pflog0 | grep 216.185.71.41 on 192.168.0.1:
Code:
2022-04-28 11:13:46.411969 rule 0/0(match): pass in on em4: 216.185.71.41.44720 > 192.168.0.1.22: Flags [S], seq 2734360578, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 994511250 ecr 0], length 0

And in /var/log/messages I see this:
Code:
Apr 28 11:13:56 gway04 sshd[2460]: Did not receive identification string from 216.185.71.41 port 44720


The timeout always occurs at 10 seconds. If pf is not running then the connection is instantaneous.
 
Try telnet -N 192.168.0.1 22 and see if it connects.
Your reverse DNS query from 192.168.0.1 for the client IP may time out.
Try putting 216.185.71.41 in /etc/hosts on 192.168.0.1 and see if it changes anything.
 
Your reverse DNS query from 192.168.0.1 for the client IP may time out.
Try putting 216.185.71.41 in /etc/hosts on 192.168.0.1 and see if it changes anything.
If the reverse DNS lookup fails (or times out) you would still get a connection. There would be an annoying delay when logging in but it would connect nonetheless.

Code:
pass          quick log proto tcp \
                from  216.185.71.41 \
                to    192.168.0.1     port  ssh
The rule should have an 'in' to indicate that it applies to incoming traffic, and preferably also be tied to a specific interface, for example:
Code:
pass in log quick on em0 proto tcp from 216.185.71.41 to 192.168.0.1 port ssh
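
As an added example (not code from the thread or from any of the posters), here is a minimal /etc/pf.conf that applies that advice, with the thread's original rule kept commented out for comparison. The interface name em4 and the addresses are the ones that appear in the posts above; the default-block policy and the pass-out rule are assumptions about the rest of the host's ruleset.

```pf
# Added example, not part of the original thread.
# Minimal pf.conf for the host above: the admin SSH rule is bound to the
# inbound direction and to the external interface.  "em4" is the
# interface shown in the pflog entries; the addresses are those from the
# posts.  The default-block policy and the pass-out rule are assumptions.
ext_if   = "em4"
host_ip  = "192.168.0.1"
admin_ip = "216.185.71.41"

set skip on lo0
set block-policy drop

# Default policy (assumed): block and log everything not passed below.
block log all

# Weak form from the thread: no direction and no interface, so it matches
# packets travelling in either direction on every interface.
# pass quick log proto tcp from $admin_ip to $host_ip port ssh

# Corrected form: inbound only, on the external interface, and only the
# initial SYN (flags S/SA) may create the state entry.  tcp.established
# defaults to 86400 s (24 h); it is written out here so the knob that
# governs how long an idle session's state survives is visible.
pass in quick log on $ext_if proto tcp from $admin_ip to $host_ip port ssh \
    flags S/SA keep state (tcp.established 86400)

# Let the host itself originate connections.  Replies belonging to the
# admin's SSH session are matched by the state above, not by this rule.
pass out quick on $ext_if inet keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. Afterwards, pfctl -vsr shows the loaded rules with their match counters, pfctl -ss lists the state table (look for the 192.168.0.1:22 entry after connecting), and tcpdump -n -e -ttt -i pflog0 shows each logged decision with the rule number that made it, which is how the pass entries in the posts above were captured.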
 