Hello Anton,

On Monday 13 April 2009 21:40:55 Anton Yuzhaninov wrote:
> It seems that max-src-conn is broken under FreeBSD, and not useful
> to limit incoming connections.
> ...
> A new state is not created, but packets matching the first rule are passed, while
> they should be dropped.
>
> Because of this a new half-open connection is created (in SYN_RCVD state).
>
> This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
> many sockets as they want on the attacked host, even when the number of connections
> is limited by pf.
>
> $ uname -psv
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009
> [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when the
> limit is reached, packets matched by the first rule are dropped, and no new state is
> created.
This is indeed a problem in FreeBSD. A workaround is to use "synproxy state" instead of a simple "keep state" - this way the connection won't make it through to the final destination and is blocked at the firewall.

The fix is a bit intrusive, but I might get to it - could you submit a PR with your analysis, please? Possibly add whether the "synproxy state" workaround fixes things for you.

-- 
Best regards,
Max Laier
http://pf4freebsd.love2party.net/
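The workaround described in the reply, written out as an added pf.conf fragment (not a ruleset from the thread or from the pf project); the interface name, port, table name and connection limits are assumed:

```pf
# Added example: limiting per-source TCP connections with pf.
# Interface, port, table name and limits are assumptions, not from the thread.
ext_if = "em0"
table <bruteforce> persist

# Weak form. On the FreeBSD build reported in the thread, once max-src-conn is
# reached no state is created, but the SYN is still passed to the host, which
# leaves a half-open socket in SYN_RCVD for every further SYN the source sends.
#
# pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
#     flags S/SA keep state \
#     (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Workaround. With synproxy state pf completes the three-way handshake itself
# and only opens the connection to the host after the client has answered, so
# a source that is over the limit never reaches the host's listen queue.
block in quick on $ext_if proto tcp from <bruteforce> to ($ext_if) port 22
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch which sources trip the limit with `pfctl -t bruteforce -T show`; on the host, `netstat -an` should no longer show SYN_RCVD entries from a source that is over the limit.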
