Old 08-15-2013, 06:05 AM   #1
Ladowny
LQ Newbie
 
Registered: Oct 2006
Distribution: Debian, OpenBSD
Posts: 19

Rep: Reputation: 0
ssh session timeout through OpenBSD firewall


Hi

I'm setting up a new redundant pair of firewalls using OpenBSD 5.3, pf & CARP. Everything seems to be working fine; multiple public IPs on the carp interface are NAT'ed to different internal IPs. The problem is with ssh sessions passing through pf. They time out after a couple of minutes, sometimes while I am editing configs. This does not apply to ssh sessions to the firewall itself, only to those passing through NAT, connected to Debian 7.1 boxes on the internal network. This does not seem to have anything to do with Debian or client configuration, as when I route traffic via the old gateway that I want to replace the connection stays up for hours; same thing when I connect to the new firewall directly. Only NAT'ed connections get dropped.

This is quite annoying. Obviously the workaround is to ssh to the firewall and then to the internal machine from it, but I'd rather not let people on the firewalls.

My pf.conf is below; mh0mon01 is the machine behind NAT to which my ssh connections are dropped.

Code:
ext_if="em0"
int_if="em1"
sync_if="em2"
lo_if="lo0"     # loopback interface

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

# Gateways
gateway206="x.X.206.1"
# routing X.X.229.0 subnet
gateway229="X.X.229.1"
gateway228="X.X.228.1"

defaultgw="X.X.228.10"

#
mh0mon01="10.1.206.80"
mh0mon01_pub="X.X.206.80"

nl6app01="10.1.229.61"
nl6app01_pub="X.X.229.61"

# Unroutable addresses
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

match in all scrub (no-df)

# nat/rdr
match out on $ext_if from !$ext_if to any nat-to $defaultgw

match in quick on $ext_if inet proto tcp from any to $nl6app01_pub port { http, https, ssh } rdr-to $nl6app01
match in quick on $ext_if inet proto tcp from any to $mh0mon01_pub port { http, https } rdr-to $mh0mon01
match in quick on $ext_if inet proto tcp from any to $mh0mon01_pub port ssh rdr-to $mh0mon01

# Block traffic from unroutable addresses on external interface
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
# by default block all incoming traffic
block in all

pass out keep state

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021

antispoof quick for { lo $int_if }

# Allow access to mh0mon01
pass in inet proto tcp from any to $mh0mon01 port { http, https } flags S/SA synproxy state
#pass in inet proto tcp from any to $mh0mon01 port ssh flags S/SA synproxy state

pass in inet proto tcp from any to $mh0mon01 port ssh flags S/SA
# Allow traffic for application server
pass in inet proto tcp from any to $nl6app01 port { http, https, ssh } flags S/SA synproxy state
# Allow ssh access to firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

#pass in on $ext_if inet proto tcp from any to $mh0mon01 port 80 flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $int_if

# -----------------------------------------------------------------------------
# PFSYNC (between)
# -----------------------------------------------------------------------------
pass quick on $sync_if inet proto pfsync

# -----------------------------------------------------------------------------
# CARP
# -----------------------------------------------------------------------------
pass quick on { $ext_if $int_if } proto carp keep state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
#END
I tried setting the /etc/ssh/sshd_config parameters
KeepAlive yes
ClientAliveInterval 30

but it does not help; my ssh sessions are dropped anyway, even when they are not idle. I noticed that it always happens when I change the CARP master. It did not happen on earlier versions of OpenBSD, though.

My kernel settings for CARP:
Code:
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2
Any idea how to prevent the ssh connections from being dropped? Any hints welcome.

EDIT

It does not happen when I shut down one of the 2 redundant firewalls. On a single firewall the ssh connection through NAT is stable; it can stay up for a few hours. However, when I bring the other firewall up it breaks.
Not sure if that has anything to do with these firewalls being hosted in a VMware vSphere environment. I enabled preemption on the virtual switches, I even created separate port groups for these firewalls, but it did not help.

Thanks

Greg

Last edited by Ladowny; 08-16-2013 at 11:17 AM. Reason: added some new insights
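The post describes sessions that survive on a single firewall but drop when the CARP master changes. On a CARP pair, pfsync(4) is what carries pf state entries from the master to the backup so that established connections keep working after a failover; the pf.conf above already passes `proto pfsync` on `$sync_if`. A useful check when troubleshooting this is to list the state table on both nodes (`pfctl -ss`) and confirm that the state for the NAT'ed ssh session exists on the backup before forcing a master change. The shell function below is an added example, not from the original post or from OpenBSD itself: it scans `pfctl -ss` output for an `ESTABLISHED:ESTABLISHED` tcp state to a given internal host on port 22. The state lines it is run against here are constructed samples using documentation address ranges; the internal addresses are the ones named in the post's pf.conf.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Check whether a pf state for an established ssh session to a NAT'ed
# internal host is present in a `pfctl -ss` listing. Run it on the
# current master and on the backup; a state that is present on the
# master but missing on the backup will not survive a CARP failover.
#
# Usage: pfctl -ss | ssh_state_present 10.1.206.80
#        ssh_state_present 10.1.206.80 < saved_states.txt
# Exit status 0 if a matching ESTABLISHED:ESTABLISHED state is found
# (matching lines are printed), 1 otherwise.

ssh_state_present() {
    host="$1"
    # One pfctl -ss line on OpenBSD looks like:
    #   <if> tcp <translated dst>:<port> (<public dst>:<port>) <- <src>:<sport>  <state>
    # The first address after "tcp" is the post-rdr destination, i.e. the
    # internal host, so that is what the pattern anchors on.
    matches=$(grep -E "^[^ ]+ +tcp +${host}:22 .*ESTABLISHED:ESTABLISHED" || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 0
    fi
    return 1
}

# Constructed sample of `pfctl -ss` output (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the
# post's anonymised public addresses).
SAMPLE_STATES='all tcp 10.1.206.80:22 (203.0.113.80:22) <- 198.51.100.7:51822       ESTABLISHED:ESTABLISHED
all tcp 10.1.206.80:80 (203.0.113.80:80) <- 198.51.100.9:40211       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.1.229.61:22 (203.0.113.61:22) <- 198.51.100.7:51900       SYN_SENT:CLOSED'

# Run with --demo to see the check against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATES" | ssh_state_present 10.1.206.80 \
        && echo "established ssh state to mh0mon01 present"
    printf '%s\n' "$SAMPLE_STATES" | ssh_state_present 10.1.229.61 \
        || echo "no established ssh state to nl6app01"
fi
```

Run it on each node of the pair with the real `pfctl -ss` output piped in. If the master shows the state and the backup does not, the state is not being synchronised between the two, which is the condition under which a master change drops the connection; if both show it and the session still drops, the problem lies elsewhere (for instance in how the new master handles the translated traffic).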