Hello list,
I have a problem with a Soekris 4801 machine. Outgoing SSL and SSH
connections are impossible with it. This is what I get when I try to
connect to a stunnel server (using a command like "echo hello | nc
127.0.0.1 3389"):
- from the client:
tcpdump: listening on pppoe0, link-type PPP_ETHER
Oct 02 15:09:34.069390 PPPoE
code Session, version 1, type 1, id 0x12c1, length 66
IP: x.x.x.x.56270 > y.y.y.y.30389: SWE [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480777 0> (DF) (ttl 64, id 4712, len 64)
Oct 02 15:09:40.060337 PPPoE
code Session, version 1, type 1, id 0x12c1, length 66
IP: x.x.x.x.56270 > y.y.y.y.30389: S [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480789 0> (DF) (ttl 64, id 4536, len 64)
Oct 02 15:09:55.162217 PPPoE
code Session, version 1, type 1, id 0x12c1, length 42
IP: x.x.x.x.56270 > y.y.y.y.30389: R [tcp sum ok] 3731128251:3731128251(0) ack 2122325017 win 0 (DF) [tos 0x10] (ttl 64, id 32369, len 40)
- and from the server:
tcpdump: listening on pppoe0, link-type PPP_ETHER
Oct 02 15:10:23.940288 PPPoE
code Session, version 1, type 1, id 0x0423, length 66
IP: x.x.x.x.56270 > y.y.y.y.30389: SWE [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480777 0> (DF) (ttl 57, id 4712, len 64)
Oct 02 15:10:29.930202 PPPoE
code Session, version 1, type 1, id 0x0423, length 66
IP: x.x.x.x.56270 > y.y.y.y.30389: S [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480789 0> (DF) (ttl 57, id 4536, len 64)
Oct 02 15:10:45.040214 PPPoE
code Session, version 1, type 1, id 0x0423, length 42
IP: x.x.x.x.56270 > y.y.y.y.30389: R [tcp sum ok] 3731128251:3731128251(0) ack 2122325017 win 0 (DF) [tos 0x10] (ttl 57, id 32369, len 40)
I found that when the machine connects to an SSH server version 1, the
connection is okay.
Does anyone have any clue about this?
Thanks in advance,
Here is my pf.conf:
# macros
ext_if = pppoe0
int_if = sis1
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set optimization aggressive
set skip on lo

# normalisation; clamp MSS to 1400 for the PPPoE link
scrub in on { $int_if, $ext_if } all fragment reassemble
scrub out on { $int_if, $ext_if } all max-mss 1400 fragment reassemble

# queueing on the uplink
altq on $ext_if priq bandwidth 243Kb queue { std_out, ssh_bulk, ssh_login, dns_out, tcp_ack_out }
queue std_out priority 1 priq(default)
queue ssh_bulk priority 4 priq(ecn)
queue ssh_login priority 5 priq(ecn)
queue dns_out priority 6
queue tcp_ack_out priority 7

# translation
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp to port 30389 -> 127.0.0.1 port 30389

# filtering
block in all
antispoof quick for { $ext_if $int_if }
table <ssh-bruteforce> persist
block in quick from <ssh-bruteforce>
pass in quick on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 2/10, overload <ssh-bruteforce> flush global)
pass in quick on $ext_if inet proto tcp from any to any port 30389 flags S/SA keep state
pass inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue(std_out, tcp_ack_out)
pass out on $ext_if inet proto {udp icmp} from ($ext_if) to any keep state
pass out on $ext_if inet proto {tcp udp} from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh flags S/SA keep state queue(ssh_bulk, ssh_login)
--
Serge
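To read the two captures quoted in the post side by side: tcpdump prints the TCP flag letters S (SYN), W (CWR) and E (ECE), so "SWE" is a SYN that asks for ECN; the second SYN six seconds later is a plain "S" with the same initial sequence number, and the final "R" carries an ack number, so it answers a segment that did arrive from the far end but is not in the dump. The script below is an added example, not part of Serge's post or of any OpenBSD tool. It parses the quoted tcpdump lines (re-joined onto one line per packet, since the mail client wrapped them), decodes the flag letters, summarises the connection attempt, and matches the client and server captures by IP id to count the hops the SYNs crossed. The dataclass fields and the summary keys are my own naming, not tcpdump's.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# tcpdump's one-letter TCP flag codes; "." means no flag set (pure ACK).
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE"}

# Sample input: the client- and server-side captures from the post, each packet
# re-joined onto one line (the mail client had wrapped them).
CLIENT_CAPTURE = """\
Oct 02 15:09:34.069390 PPPoE code Session, version 1, type 1, id 0x12c1, length 66 IP: x.x.x.x.56270 > y.y.y.y.30389: SWE [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480777 0> (DF) (ttl 64, id 4712, len 64)
Oct 02 15:09:40.060337 PPPoE code Session, version 1, type 1, id 0x12c1, length 66 IP: x.x.x.x.56270 > y.y.y.y.30389: S [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480789 0> (DF) (ttl 64, id 4536, len 64)
Oct 02 15:09:55.162217 PPPoE code Session, version 1, type 1, id 0x12c1, length 42 IP: x.x.x.x.56270 > y.y.y.y.30389: R [tcp sum ok] 3731128251:3731128251(0) ack 2122325017 win 0 (DF) [tos 0x10] (ttl 64, id 32369, len 40)
"""
SERVER_CAPTURE = """\
Oct 02 15:10:23.940288 PPPoE code Session, version 1, type 1, id 0x0423, length 66 IP: x.x.x.x.56270 > y.y.y.y.30389: SWE [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480777 0> (DF) (ttl 57, id 4712, len 64)
Oct 02 15:10:29.930202 PPPoE code Session, version 1, type 1, id 0x0423, length 66 IP: x.x.x.x.56270 > y.y.y.y.30389: S [tcp sum ok] 3731128250:3731128250(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223480789 0> (DF) (ttl 57, id 4536, len 64)
Oct 02 15:10:45.040214 PPPoE code Session, version 1, type 1, id 0x0423, length 42 IP: x.x.x.x.56270 > y.y.y.y.30389: R [tcp sum ok] 3731128251:3731128251(0) ack 2122325017 win 0 (DF) [tos 0x10] (ttl 57, id 32369, len 40)
"""

# One regex for the fields we care about: timestamp, endpoints, flag letters,
# sequence number, optional ack, and the IP ttl/id from the trailing parenthesis.
PKT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) .*?"
    r"IP: (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRUWE.]+) .*?"
    r"(?P<seq>\d+):\d+\(\d+\)"
    r"(?: ack (?P<ack>\d+))?.*?"
    r"\(ttl (?P<ttl>\d+), id (?P<ipid>\d+),"
)


@dataclass
class Packet:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    ack: Optional[int]
    ttl: int
    ipid: int

    def flag_names(self) -> set:
        """Expand tcpdump's flag letters into TCP flag names."""
        return {FLAG_NAMES[c] for c in self.flags if c in FLAG_NAMES}


def parse_capture(text: str) -> List[Packet]:
    """Parse one tcpdump packet per line; lines that are not TCP packets are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ack = m.group("ack")
        pkts.append(Packet(
            ts=datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f"),
            src=m.group("src"), sport=int(m.group("sport")),
            dst=m.group("dst"), dport=int(m.group("dport")),
            flags=m.group("flags"), seq=int(m.group("seq")),
            ack=int(ack) if ack else None,
            ttl=int(m.group("ttl")), ipid=int(m.group("ipid"))))
    return pkts


def analyse_attempt(pkts: List[Packet]) -> Dict[str, object]:
    """Summarise one client-side connection attempt as seen in the capture."""
    ecn = {"CWR", "ECE"}
    syns = [p for p in pkts if "SYN" in p.flag_names() and p.ack is None]
    rsts = [p for p in pkts if "RST" in p.flag_names()]
    return {
        "syn_count": len(syns),
        # First SYN asks for ECN (tcpdump shows it as SWE).
        "first_syn_ecn": bool(syns) and ecn <= syns[0].flag_names(),
        # Retransmit keeps the ISN but drops the ECN request (plain S).
        "retry_dropped_ecn": len(syns) > 1 and syns[1].seq == syns[0].seq
                             and not (ecn & syns[1].flag_names()),
        "syn_retry_delay_s": (syns[1].ts - syns[0].ts).total_seconds() if len(syns) > 1 else None,
        "rst_seen": bool(rsts),
        # A RST at ISN+1 that carries an ack number answers a segment the peer
        # did send; that segment itself is absent from this dump.
        "rst_answers_peer": bool(rsts) and bool(syns)
                            and rsts[0].seq == syns[0].seq + 1 and rsts[0].ack is not None,
    }


def hop_counts(client: List[Packet], server: List[Packet]) -> Dict[int, int]:
    """Match packets seen at both ends by IP id; the ttl difference is the
    number of routers crossed. Same ids and seqs at both ends show the SYNs
    arrived unmodified."""
    by_id = {p.ipid: p for p in server}
    return {p.ipid: p.ttl - by_id[p.ipid].ttl for p in client if p.ipid in by_id}


if __name__ == "__main__":
    c, s = parse_capture(CLIENT_CAPTURE), parse_capture(SERVER_CAPTURE)
    for key, val in analyse_attempt(c).items():
        print(f"{key}: {val}")
    print("hops by ip id:", hop_counts(c, s))
```

Run stand-alone it reports two SYNs (the first with ECN, the retry without), a RST that answers the peer, and a ttl drop of 7 for all three ids, i.e. the packets in both dumps are the same ones and they reached the server intact.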