Ladowny
08-15-2013 06:05 AM
ssh session timeout through OpenBSD firewall
Hi
I'm setting up a new redundant pair of firewalls using OpenBSD 5.3, pf & CARP. Everything seems to be working fine: multiple public IPs on the carp interface are NATed to different internal IPs. The problem is with ssh sessions passing through pf. They time out after a couple of minutes, sometimes while I am editing configs. This does not apply to ssh sessions to the firewall itself, only to those passing through NAT, connected to Debian 7.1 boxes on the internal network. This does not seem to have anything to do with Debian or client configuration, as when I route traffic via the old gateway that I want to replace, the connection stays up for hours; same thing when I connect to the new firewall directly. Only NATed connections get dropped.
This is quite annoying. Obviously the workaround is to ssh to the firewall and then to the internal machine from it, but I'd rather not let people on the firewalls.
My pf.conf is below; mh0mon01 is the machine behind NAT to which my ssh connections are dropped.
Code:
ext_if="em0"
int_if="em1"
sync_if="em2"
lo_if="lo0" # loopback interface
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
# Gateways
gateway206="x.X.206.1"
# routing X.X.229.0 subnet
gateway229="X.X.229.1"
gateway228="X.X.228.1"
defaultgw="X.X.228.10"
#
mh0mon01="10.1.206.80"
mh0mon01_pub="X.X.206.80"
nl6app01="10.1.229.61"
nl6app01_pub="X.X.229.61"
# Unroutable addresses
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
match in all scrub (no-df)
# nat/rdr
match out on $ext_if from !$ext_if to any nat-to $defaultgw
match in quick on $ext_if inet proto tcp from any to $nl6app01_pub port { http, https, ssh } rdr-to $nl6app01
match in quick on $ext_if inet proto tcp from any to $mh0mon01_pub port { http, https } rdr-to $mh0mon01
match in quick on $ext_if inet proto tcp from any to $mh0mon01_pub port ssh rdr-to $mh0mon01
# Block traffic from unroutable addresses on external interface
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
# by default block all incoming traffic
block in all
pass out keep state
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021
antispoof quick for { lo $int_if }
# Allow access to mh0mon01
pass in inet proto tcp from any to $mh0mon01 port { http, https } flags S/SA synproxy state
#pass in inet proto tcp from any to $mh0mon01 port ssh flags S/SA synproxy state
pass in inet proto tcp from any to $mh0mon01 port ssh flags S/SA
# Allow traffic for application server
pass in inet proto tcp from any to $nl6app01 port { http, https, ssh } flags S/SA synproxy state
# Allow ssh access to firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
#pass in on $ext_if inet proto tcp from any to $mh0mon01 port 80 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
# -----------------------------------------------------------------------------
# PFSYNC (between)
# -----------------------------------------------------------------------------
pass quick on $sync_if inet proto pfsync
# -----------------------------------------------------------------------------
# CARP
# -----------------------------------------------------------------------------
pass quick on { $ext_if $int_if } proto carp keep state
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
#END
I tried setting the /etc/ssh/sshd_config parameters
KeepAlive yes
ClientAliveInterval 30
but it does not help; my ssh sessions are dropped anyway, even when they are not idle. I noticed that it always happens when I change the CARP master. It did not happen on earlier versions of OpenBSD, though.
My kernel settings for CARP:
Code:
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2
Any idea how to prevent the ssh connections from being dropped? Any hints welcome.
EDIT
It does not happen when I shut down one of the 2 redundant firewalls. On a single firewall the ssh connection through NAT is stable; it can stay up for a few hours. However, when I bring the other firewall up, it breaks.
Not sure if that has anything to do with these firewalls being hosted in a VMware vSphere environment. I enabled preemption on the virtual switches, and I even created separate port groups for these firewalls, but it did not help.
Thanks
Greg
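A check for the symptom described above (a NATed session whose state exists on the CARP master but never reached the backup via pfsync, so it dies on failover), added here as an example and not part of Greg's post or of OpenBSD. The two `pfctl -ss` tables are constructed samples with placeholder addresses, the column layout is assumed to approximate OpenBSD 5.3 output, and `state_keys`, `missing_on_backup` and `count_missing` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` on the CARP master (placeholder addresses).
# Line shape assumed: all <proto> <internal> (<translated>) <dir> <peer> <tcp states>
MASTER_STATES='all tcp 10.1.206.80:22 (203.0.113.80:22) <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 10.1.229.61:443 (203.0.113.61:443) <- 198.51.100.9:40011       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:55120 (10.1.206.80:55120) -> 192.0.2.25:80       ESTABLISHED:ESTABLISHED'

# Constructed sample of the same table on the backup: the rdr'd ssh state is absent,
# which is exactly the state that would be dropped when the backup becomes master.
BACKUP_STATES='all tcp 10.1.229.61:443 (203.0.113.61:443) <- 198.51.100.9:40011       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:55120 (10.1.206.80:55120) -> 192.0.2.25:80       ESTABLISHED:ESTABLISHED'

# state_keys TABLE: reduce each line to "proto internal (translated) dir peer".
# The trailing TCP state names are dropped on purpose: they legitimately lag on
# the backup, so comparing them would only produce noise.
state_keys() {
    printf '%s\n' "$1" | awk 'NF >= 6 { print $2, $3, $4, $5, $6 }' | sort
}

# missing_on_backup MASTER BACKUP: print keys present on the master but absent
# on the backup, i.e. sessions that a CARP failover would silently break.
missing_on_backup() {
    m=$(state_keys "$1")
    b=$(state_keys "$2")
    printf '%s\n' "$m" | while IFS= read -r key; do
        [ -n "$key" ] || continue
        printf '%s\n' "$b" | grep -Fxq -- "$key" || printf '%s\n' "$key"
    done
}

# count_missing MASTER BACKUP: number of unsynced states (0 means the tables agree),
# usable as a monitoring threshold before doing a planned master switch.
count_missing() {
    missing_on_backup "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run over the constructed tables; with live firewalls the two
# arguments would be the output of `pfctl -ss` captured on each node.
missing_on_backup "$MASTER_STATES" "$BACKUP_STATES"
```

On real hosts, capture `pfctl -ss` on both nodes a few seconds apart and feed the two captures in; a non-zero count right before a master change is the condition that matches the drops described in the post.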