LinuxQuestions.org


Ladowny 08-15-2013 06:05 AM

ssh session timeout through OpenBSD firewall
 
Hi

I'm setting up a new redundant pair of firewalls using OpenBSD 5.3, pf & CARP. Everything seems to be working fine; multiple public IPs on the carp interface are nat'ed to different internal IPs. The problem is with ssh sessions passing through pf. They time out after a couple of minutes, sometimes while I am editing configs. This does not apply to ssh sessions to the firewall itself, only to those passing through nat, connected to Debian 7.1 boxes on the internal network. This does not seem to have anything to do with Debian or client configuration, as when I route traffic via the old gateway that I want to replace the connection stays up for hours; same thing when I connect to the new firewall directly. Only nat'ed connections get dropped.

This is quite annoying. Obviously the workaround is to ssh to the firewall and then to the internal machine from it, but I'd rather not let people on the firewalls.

My pf.conf is below; mh0mon01 is the machine behind nat to which my ssh connections are dropped.

Code:

ext_if="em0"
int_if="em1"
sync_if="em2"
lo_if="lo0"    # loopback interface

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

# Gateways
gateway206="x.X.206.1"
# routing X.X.229.0 subnet
gateway229="X.X.229.1"
gateway228="X.X.228.1"

defaultgw="X.X.228.10"

#
mh0mon01="10.1.206.80"
mh0mon01_pub="X.X.206.80"

nl6app01="10.1.229.61"
nl6app01_pub="X.X.229.61"

# Unroutable addresses
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

match in all scrub (no-df)

# nat/rdr
match out on $ext_if from !$ext_if to any nat-to $defaultgw

match in quick on $ext_if inet proto tcp from any to $nl6app01_pub port { http, https, ssh } rdr-to $nl6app01
match in quick on $ext_if inet proto tcp from any to $mh0mon01_pub port { http, https } rdr-to $mh0mon01
match in quick on $ext_if inet proto tcp from any to $mh0mon01_pub port ssh rdr-to $mh0mon01

# Block traffic from unroutable addresses on external interface
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
# by default block all incoming traffic
block in all

pass out keep state

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021

antispoof quick for { lo $int_if }

# Allow access to mh0mon01
pass in inet proto tcp from any to $mh0mon01 port { http, https } flags S/SA synproxy state
#pass in inet proto tcp from any to $mh0mon01 port ssh flags S/SA synproxy state

pass in inet proto tcp from any to $mh0mon01 port ssh flags S/SA
# Allow traffic for application server
pass in inet proto tcp from any to $nl6app01 port { http, https, ssh } flags S/SA synproxy state
# Allow ssh access to firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

#pass in on $ext_if inet proto tcp from any to $mh0mon01 port 80 flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $int_if

# -----------------------------------------------------------------------------
# PFSYNC (between)
# -----------------------------------------------------------------------------
pass quick on $sync_if inet proto pfsync

# -----------------------------------------------------------------------------
# CARP
# -----------------------------------------------------------------------------
pass quick on { $ext_if $int_if } proto carp keep state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
#END

I tried setting the following /etc/ssh/sshd_config parameters:
KeepAlive yes
ClientAliveInterval 30

but it does not help; my ssh sessions are dropped anyway, even when they are not idle. I noticed that it always happens when I change the CARP Master. It did not happen on earlier versions of OpenBSD, though.

My kernel settings for CARP:
Code:

net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2

Any idea how to prevent dropping ssh connections? Any hints welcome.

EDIT

It does not happen when I shut down one of the 2 redundant firewalls. On a single firewall the ssh connection through nat is stable; it can stay up for a few hours. However, when I bring the other firewall up, it breaks.
I'm not sure if that has anything to do with these firewalls being hosted in a VMware vSphere environment. I enabled preemption on the virtual switches, and I even created separate port groups for these firewalls, but it did not help.

Thanks

Greg
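An added diagnostic example, not from the poster: it compares `pfctl -ss` output captured on the CARP master and on the backup and lists the flows (the nat'ed ssh session to mh0mon01 in particular) that exist only on the master, which is exactly the set of connections that cannot survive a master change. The state lines are constructed in the shape of OpenBSD's `pfctl -ss` output (an assumption about the exact layout), with documentation addresses standing in for the masked X.X ones in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of OpenBSD `pfctl -ss` output (an assumption about
# the exact layout); documentation addresses stand in for the poster's masked X.X ones.
MASTER_STATES = """\
all tcp 10.1.206.80:22 (192.0.2.80:22) <- 203.0.113.5:54321       ESTABLISHED:ESTABLISHED
all tcp 10.1.229.61:443 (192.0.2.61:443) <- 198.51.100.9:40000       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:53000 -> 192.0.2.1:22       ESTABLISHED:ESTABLISHED
"""
BACKUP_STATES = """\
all tcp 10.1.229.61:443 (192.0.2.61:443) <- 198.51.100.9:40000       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:53000 -> 192.0.2.1:22       ESTABLISHED:ESTABLISHED
"""

# iface, proto, flow text (single spaces inside), then 2+ spaces, then the state pair
STATE_RE = re.compile(r"^(?P<ifc>\S+)\s+(?P<proto>\S+)\s+(?P<flow>.+?)\s{2,}(?P<state>\S+)$")

Flow = Tuple[str, str]  # (proto, flow text as printed by pfctl)

def parse_states(text: str) -> Dict[Flow, str]:
    """Map each (proto, flow) to its state string; lines that do not match are skipped."""
    states: Dict[Flow, str] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states[(m["proto"], m["flow"])] = m["state"]
    return states

def dst_port(flow: str) -> int:
    """Destination port: '<-' (inbound) lines name the destination first, '->' lines last."""
    if "<-" in flow:
        dst = flow.split("<-")[0].split()[0]
    else:
        dst = flow.split("->")[-1].split()[0]
    return int(dst.rsplit(":", 1)[1])

def missing_on_backup(master_text: str, backup_text: str) -> List[Flow]:
    """Flows the master holds but the backup lacks; these break when CARP fails over."""
    master, backup = parse_states(master_text), parse_states(backup_text)
    return sorted(f for f in master if f not in backup)

def unsynced_ssh_flows(master_text: str, backup_text: str, dport: int = 22) -> List[Flow]:
    """Narrow the report to TCP flows whose destination port is dport (22 by default)."""
    return [f for f in missing_on_backup(master_text, backup_text)
            if f[0] == "tcp" and dst_port(f[1]) == dport]

if __name__ == "__main__":
    for proto, flow in unsynced_ssh_flows(MASTER_STATES, BACKUP_STATES):
        print(f"not on backup: {proto} {flow}")
```

In practice, capture `pfctl -ss` on each node while the session is up and feed both captures to `unsynced_ssh_flows`; a hit for the 10.1.x:22 flow means the state was never replicated to the backup, so the session cannot outlive a failover.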
