This is a weird problem that took me a while to track down. First off, I
have 3 OpenBSD servers, 1 Linux machine, and a couple of Windows
workstations on my network. My firewall running NAT is OpenBSD 3.5. It is
doing NAT for the Linux and Windows computers. The other two OpenBSD
servers are outside of the firewall, each running pf. Now, all of a sudden
(it seemed this way), I could not maintain a session from a host behind the
firewall to either of the two OpenBSD servers (all Internet traffic was
fine). What would happen when I tried to access my web server (one of the
two OpenBSD servers) is that the page would start to load, show only about
1/3 of the page, then freeze. My other server (mail server) would not let
me download my email via POP/IMAP, but looking at tcpdump I was able to
fully log into the server. I could ssh to the server and hit enter a few
times, but as soon as I did anything like "ps axu" it would freeze halfway
into the output.

Since I had not changed any of my pf.conf files in several months (server
uptimes were all around 40-50 days) and I saw no signs of hacking (log
files, mtree, etc.), I was stumped. I tried moving my Linux machine outside
the firewall and had the same problem accessing the servers. I tried
rebooting all of my servers and even my switch, with no change. Then I
started looking at my pf.conf rules, removing several at a time, and
figured out that there was one rule that was causing the whole problem.

Here is the pf.conf from one of my servers. The first "pass in" rule is the
problem: as soon as I removed "keep state" there were no problems with
anything, and when I add "keep state" back in, the problems return.

What does this mean? What can I do? I mean, I guess I don't NEED keep
state, but I would like to use it if possible. The hardware is adequate:
a 350 MHz AMD and a Pentium II 450, with 128 MB RAM each, for my web and
mail servers respectively.


# pf.conf excerpt from one of the two servers (public services: 80, 21, 22)
ExtIf="dc0"
Public="{ 80, 21, 22 }"

# normalize all incoming packets before they are filtered
scrub in all

# the problem rule: new inbound connections to the public services,
# with a state entry so the rest of the connection is matched against it
pass in log quick on $ExtIf inet proto tcp from any to any port $Public \
    keep state

# the same rule without "keep state"; with this one active instead,
# the stalls go away
#pass in log quick on $ExtIf inet proto tcp from any to any port $Public

# default deny for everything inbound that was not passed above
block in log all label "block in all"

# outbound traffic, with state so the replies are let back in
pass out log quick on $ExtIf inet proto tcp  all modulate state
pass out log quick on $ExtIf inet proto udp  all keep state
pass out log quick on $ExtIf inet proto icmp all keep state
pass in  log quick on $ExtIf inet proto icmp all keep state

--
Public key http://www.krytosvirus.com/public.asc

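One way to confirm from the logs what the rule bisection above showed, as an added example that is not part of the original post: because every rule in the posted pf.conf is logged, `tcpdump -n -e -ttt -i pflog0` prints each packet that was decided by a rule rather than by an existing state entry. The script below (added here, not the poster's code) parses that output and lists connections that were first passed by a rule and later dropped by the catch-all block rule, which is the pattern to expect when packets of an established connection stop matching their state entry and fall through to default deny. The sample lines are constructed, not a real capture; the rule numbers assume `pfctl -sr` numbering of the posted ruleset (the port list expands to rules 0, 1, 2 and "block in log all" becomes rule 3); and the parser handles IPv4/TCP lines only.

```python
"""Find pf connections that were passed and later blocked, from pflog output.

Added example, not part of the original post. Input is the text printed by
`tcpdump -n -e -ttt -i pflog0` on OpenBSD; the sample lines below are
constructed to mimic that format (IPv4/TCP only) and are not a real capture.
Rule numbers follow the posted pf.conf as `pfctl -sr` would expand it: the
port list { 80, 21, 22 } becomes rules 0, 1, 2 and "block in log all" is
rule 3 (an assumption about this ruleset; confirm with `pfctl -vsr`).
"""
import re
import sys
from collections import defaultdict

# Accepts both pflog header spellings seen in tcpdump output:
# "rule N/0(match): pass in on ..." and "rule N/(match) pass in on ...".
PFLOG_RE = re.compile(
    r"rule\s+(?P<rule>\d+)/\d*\(match\):?\s+(?P<action>pass|block)\s+"
    r"(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed sample: a web fetch whose SYN creates state (rule 0) and whose
# later ACKs fall through to the catch-all block (rule 3); an ssh SYN that
# is passed and never blocked; an unsolicited SMTP SYN that is only blocked,
# which is the catch-all rule doing its normal job.
SAMPLE_PFLOG = """\
000000 rule 0/0(match): pass in on dc0: 192.0.2.10.40000 > 203.0.113.5.80: S 1:1(0) win 65535
004512 rule 3/0(match): block in on dc0: 192.0.2.10.40000 > 203.0.113.5.80: . ack 2897 win 65535
000088 rule 3/0(match): block in on dc0: 192.0.2.10.40000 > 203.0.113.5.80: . ack 2897 win 65535
000000 rule 2/0(match): pass in on dc0: 192.0.2.22.51000 > 203.0.113.5.22: S 10:10(0) win 5840
000051 rule 3/0(match): block in on dc0: 198.51.100.7.3333 > 203.0.113.5.25: S 5:5(0) win 8192
"""


def parse_pflog(text):
    """Yield (rule_number, action, direction, flow) for each parsable line.

    flow is the (src, sport, dst, dport) tuple. Lines that do not carry a
    pflog header (tcpdump's own status chatter, truncated lines) are skipped.
    """
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        yield int(m["rule"]), m["action"], m["dir"], flow


def find_mid_stream_blocks(text):
    """Return {flow: (pass_rule, block_rule, blocked_packet_count)}.

    A flow is reported only when a pass was logged for it and a block was
    logged for it afterwards. With "pass ... quick keep state" only the
    state-creating packet is logged by the pass rule; every later packet of
    that connection should be matched by the state entry without touching
    the ruleset, so a block logged later on the same flow means the packet
    no longer matched its state and was evaluated by the default-deny rule.
    """
    events = defaultdict(list)
    for rule, action, _direction, flow in parse_pflog(text):
        events[flow].append((action, rule))

    suspicious = {}
    for flow, hist in events.items():
        first_pass = next((i for i, (a, _) in enumerate(hist) if a == "pass"), None)
        if first_pass is None:
            continue  # only ever blocked: a normal rejected connection attempt
        later_blocks = [r for a, r in hist[first_pass + 1:] if a == "block"]
        if later_blocks:
            suspicious[flow] = (hist[first_pass][1], later_blocks[-1], len(later_blocks))
    return suspicious


if __name__ == "__main__":
    # Feed a real capture on stdin, otherwise run against the constructed sample.
    text = SAMPLE_PFLOG if sys.stdin.isatty() else sys.stdin.read()
    for (src, sport, dst, dport), (prule, brule, n) in find_mid_stream_blocks(text).items():
        print(f"{src}:{sport} -> {dst}:{dport}: passed by rule {prule}, "
              f"then {n} packet(s) blocked by rule {brule}")
```

Run it as `tcpdump -n -e -ttt -i pflog0 | python3 pflog_stalls.py` while reproducing the stall (the file name is arbitrary). Flows it reports are the ones whose later packets were judged by the ruleset instead of by their state entry; for those, `pfctl -vss` on the server, captured while the transfer is wedged, shows whether the state still exists and what sequence window it expects.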