Peter Matulis wrote:
I am using OBSD 3.8 as a firewall for a small office and I have an XP user that connects to a remote host via MS Remote Desktop (TCP 3389).

Occasionally, this user complains that her connection is severed and that afterwards she can no longer reconnect. (She has taken the bad habit, of which I have recently become aware, of going into the next room and cold booting the machine, which solves the problem.) So far, this appears to be a random occurrence.
I have a feeling it's not so random. It's probably related to when the connection has been left idle for an extended period of time.

FWIW: I've seen this problem with waaaay more than just OpenBSD pf firewalls though, so it doesn't seem to be a pf thing per se IMHO. (Irritating in either case, but not pf's fault, really.)
I have a fairly beefy system that is a dedicated firewall: 1 GHz Intel CPU with 128 MB of RAM. The network interfaces: rl and ste.

I do not have any logs yet to help diagnose the problem. I was wondering whether others have experienced the same issue or whether people have some ideas on how to troubleshoot.
The quick-and-easy answer is:

1.) For you to add an rdr rule for ICMP to that machine from (at least) her IP. (This allows the remote pinging of _that_ machine through the firewall, thus maintaining state with the RDP client.)

2.) From a DOS prompt have her open a 'ping -t rdp.ip.goes.here' to recursively ping the Windows RDP machine whilst she's connected. (You can even do this through an automagic log-on script for her if you'd like.)

Not particularly elegant, but it *should* easily solve the problem with super, super minimal effort. (I've used it in the past, keeping connections open quite literally over a weekend when I've had to run silly software that wouldn't run unless someone was logged in with a desktop, so I'm sure this does the trick.)

Alternately, you could also selectively crank up your timeouts and such in pf.conf for that remote ip/port combination. This would keep the state from timing out when there's no activity on the link to that IP/port.

N.B. It's also trivially easy to reset a TS/RDP connection via MSSQL *if* the machine has SQL Server installed.

Good luck,
Allen

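An added pf.conf fragment (not from the thread) that writes out Allen's two suggestions for the topology Peter describes, in OpenBSD 3.8 syntax: the interface unit numbers, the addresses and the 7-day timeout are assumptions, and the fragment assumes the existing nat rules for the office LAN are kept.

```conf
# Added example, not from the original thread. OpenBSD 3.8 pf.conf syntax
# (rdr/nat as separate rules, last matching rule wins).
ext_if   = "rl0"           # assumed: the rl interface faces the Internet
int_if   = "ste0"          # assumed: the ste interface faces the office LAN
rdp_host = "192.0.2.10"    # placeholder: the XP machine on the office LAN
remote   = "198.51.100.20" # placeholder: the remote RDP server

# Allen's item 2: let her 'ping -t' reach the remote RDP machine. The state
# entry is created for the ICMP echo only, so keep the rule scoped to the
# two hosts rather than opening ICMP for the whole LAN.
pass in  on $int_if inet proto icmp from $rdp_host to $remote \
    icmp-type echoreq keep state
pass out on $ext_if inet proto icmp from $rdp_host to $remote \
    icmp-type echoreq keep state

# Allen's item 1: rdr so the remote end can ping the XP machine through the
# firewall. In 3.8 rdr runs before filtering, so the pass rule matches the
# translated (internal) destination. Restricting the source to $remote
# keeps the office host unreachable by ICMP from anyone else.
rdr on $ext_if inet proto icmp from $remote to ($ext_if) -> $rdp_host
pass in on $ext_if inet proto icmp from $remote to $rdp_host \
    icmp-type echoreq keep state

# Allen's alternative: raise the timeout only on the RDP session's state.
# pf's default tcp.established timeout is 86400 s (24 h). Setting it per
# rule, instead of a global "set timeout tcp.established", limits how much
# state-table memory idle connections can hold on a 128 MB box.
pass in  on $int_if inet proto tcp from $rdp_host to $remote port 3389 \
    flags S/SA keep state (tcp.established 604800)
pass out on $ext_if inet proto tcp from $rdp_host to $remote port 3389 \
    flags S/SA keep state (tcp.established 604800)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -ss | grep 3389` while the session sits idle to confirm the state entry stays rather than expiring.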