There does seem to be a timer that is set to expire, but it does not
seem to work:

# pfctl -s Sources -vv
...
a.b.c.d ( states 0, connections 0, rate 0.0/0s )
   age 11:41:50, expires in 00:00:00, 33 pkts, 11524 bytes, rule 582
e.f.g.h ( states 0, connections 0, rate 0.0/0s )
   age 12:24:25, expires in 00:00:00, 320 pkts, 110512 bytes, rule 582
i.j.k.l ( states 0, connections 0, rate 0.0/0s )
   age 10:03:11, expires in 00:00:00, 2 pkts, 80 bytes, rule 591
m.n.o.p ( states 0, connections 0, rate 0.0/0s )
   age 10:55:49, expires in 00:00:00, 2 pkts, 80 bytes, rule 591

Could this be a bug?

best markus


On 01.08.2017 17:34, Markus Wernig wrote:
> Hi all
> 
> I have a pair of OBSD 6.1 firewalls, on which some rules require source
> tracking, i.e. have a max-src-conn or similar statement as in:
> 
> pass  log  quick on { em0 vlan1 } inet proto tcp  from any  to
> <webservers> port { 80, 443 } modulate state ( max-src-conn 50,
> max-src-conn-rate 25/5, overload <flooders> flush global )
> 
> This works perfectly, any hosts that surpass that limit get blocked.
> 
> But on the other hand, the Sources table (as seen with pfctl -s Sources)
> keeps growing. With every allowed connection, there are two new entries.
> And it seems that the Sources table expands in one direction only. I.e.
> even long after the relative connection has been flushed from the state
> table, there are still the entries in the Sources table.
> 
> No matter what happens, the Sources keep expanding until the src-nodes
> hard limit is reached. At which point only a reboot will help.
> 
> I've tried to flush them with pfctl -F Sources, but without success:
> 
> wall0101 # pfctl -s Sources | wc -l
>      512
> wall0101 # pfctl -F Sources
> source tracking entries cleared
> wall0101 # pfctl -s Sources | wc -l
>      514
> 
> Is there any reason (presumably in my ruleset, but didn't find it) that
> would keep entries in the Sources table from being cleared?
> Shouldn't the tracking entries be removed when the corresponding states
> are flushed and shouldn't pfctl -F Sources clear the Sources table?
> 
> Thx /markus
> 
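A small monitoring helper for the `pfctl -s Sources -vv` listing quoted above, added here as an example and not code from the thread: it parses the two-line entries and flags long-lived entries with no states and an already-expired timer, the pattern Markus reports, so that growth toward the src-nodes hard limit can be checked before it is reached. The sample listing is constructed from the format shown in the thread; the age threshold and the limit value are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample modelled on the `pfctl -s Sources -vv` output in the
# thread; addresses and counters are placeholders, not real hosts.
SAMPLE_OUTPUT = """\
a.b.c.d ( states 0, connections 0, rate 0.0/0s )
   age 11:41:50, expires in 00:00:00, 33 pkts, 11524 bytes, rule 582
e.f.g.h ( states 2, connections 1, rate 0.0/0s )
   age 00:00:25, expires in 00:00:00, 320 pkts, 110512 bytes, rule 582
i.j.k.l ( states 0, connections 0, rate 0.0/0s )
   age 00:03:11, expires in 00:00:10, 2 pkts, 80 bytes, rule 591
"""

HEAD_RE = re.compile(r"^(\S+) \( states (\d+), connections (\d+), rate")
DETAIL_RE = re.compile(
    r"^\s+age (\d+):(\d+):(\d+), expires in (\d+):(\d+):(\d+).*rule (\d+)")


def hms(h, m, s):
    """Turn an hh:mm:ss triple of strings into a timedelta."""
    return timedelta(hours=int(h), minutes=int(m), seconds=int(s))


def parse_sources(text):
    """Parse the verbose listing (one header line plus one detail line per
    source node) into dicts; unrecognised lines such as '...' are skipped."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries, i = [], 0
    while i + 1 < len(lines):
        hm = HEAD_RE.match(lines[i])
        dm = DETAIL_RE.match(lines[i + 1]) if hm else None
        if hm and dm:
            entries.append({"addr": hm.group(1), "states": int(hm.group(2)),
                            "connections": int(hm.group(3)),
                            "age": hms(*dm.group(1, 2, 3)),
                            "expires": hms(*dm.group(4, 5, 6)),
                            "rule": int(dm.group(7))})
            i += 2
        else:
            i += 1
    return entries


def stale_sources(entries, min_age=timedelta(hours=1)):
    """Entries with no states and an expired timer that are still present
    after min_age (assumed threshold): the nodes pf should have reclaimed."""
    return [e for e in entries if e["states"] == 0
            and e["expires"] == timedelta(0) and e["age"] >= min_age]


def usage_ratio(entries, src_nodes_limit):
    """Fraction of the src-nodes hard limit (assumed value) in use."""
    return len(entries) / src_nodes_limit
```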
