Timeline for Should changing firewall settings to block all interrupt ongoing ssh session
Current License: CC BY-SA 4.0
        10 events
    
| when | what | by | license | comment |
|---|---|---|---|---|
| Aug 8, 2022 at 4:01 | comment added | ahron | | Good point, enabling and disabling was interfering with the states. I tried again differently by simply loading a new ruleset with a timer to roll back. The behavior is consistent with what you wrote. When I clear the states (while the timer is on) after switching rulesets, then the session hangs. Thanks so much! Good demo of statefulness. |
| Aug 7, 2022 at 21:49 | history edited | thrig | CC BY-SA 4.0 | Clarify the block-everything ruleset, to better avoid folks blindly copying that. |
| Aug 7, 2022 at 21:25 | comment added | thrig | | Why are you disabling the firewall, instead of just reloading the rules with `pfctl -f /etc/pf.conf`? |
| Aug 7, 2022 at 21:04 | comment added | ahron | | I try clearing out the states but it is the same behavior. Going to bed now, will check further tomorrow. The commands I am using are just a simple script: `pfctl -d`, then `pfctl -e -f /etc/pf.conf`, then `sleep 30`, and finally `pfctl -d`. |
| Aug 7, 2022 at 20:59 | comment added | ahron | | So earlier I was playing with just two lines, `block in quick all` and `pass in proto tcp to port 22`. When I run this the current session hangs, and resumes after the sleep timer. Then I removed the `quick` in the first line and the session kept working. Now I copy pasted your 3 lines. There is no difference between the behavior with your 1st and 2nd set of statements. The connection hangs every time and at timeout there's an error message `client_loop: send disconnect: Broken pipe`. Now even my 2 sets of statements behave the exact same way. I have not changed my sshd config in the interim. |
| Aug 7, 2022 at 20:36 | vote accept | ahron | | |
| Aug 7, 2022 at 20:18 | comment added | thrig | | @dakini show your rules, and what you changed, and what commands you used. I do not see that behavior setting `block quick all` while also having the `modulate state` rules for inbound SSH and outbound TCP connections. |
| Aug 7, 2022 at 20:15 | history edited | thrig | CC BY-SA 4.0 | elaborations |
| Aug 7, 2022 at 20:03 | comment added | ahron | | As @ilkkachu quoted from the man page, if the packet matches an existing state, then it is passed through without any further evaluation of any rules. Then why does having a `block quick all` hang the existing connection? That implies the block rule actually is evaluated and applied for the stateful packets of the current ssh connection... Let's assume there's no aggressive pruning or optimization. |
| Aug 7, 2022 at 19:26 | history answered | thrig | CC BY-SA 4.0 | |