On Fri, 21 Feb 2003, Glen MacAfee wrote:

> IPsExt = "xx.xx.xx.0/24"
First, please always filter out real address information on public lists. While we're all here to help, that doesn't stop folks who have bad motives from getting this off the archives.

> # Part 2 -- Options
> #set limit { states 2000, frags 2000 }
> #set loginterface $IfExt
> # Will changing the line below from aggressive to normal help?
> set optimization aggressive
> #set timeout { tcp.opening 6, tcp.closing 6 }
> #set timeout tcp.closing 300, other.first 100

Ok, you've set aggressive timeouts with the "aggressive" option, but you aren't limiting your states or frags. Knowing you're only running 48MB of RAM, it's not unreasonable to assume you're running out of memory. You need to determine how much free RAM you have (excluding PF states), then limit states based on that amount. The calculation is roughly 1k states == 1MB RAM.

> # Part 4 -- Packet Filter Rules
> #External bridge interface rules -- allow all in, filter on internal
> # In bridge mode, we only filter on one interface.
> pass in quick on $IfExt all
> pass out quick on $IfExt all

Ok, you need to study the PF documentation (FAQ, manpages, howto, etc). PF is a "last rule matches" firewall. HOWEVER, you've already put in the "quick" option on your first 2 rules... pass in and pass out. You're letting EVERYTHING through your firewall. You're effectively running nothing but a bridge... all the rules that follow are ignored by the match engine, thanks to those 2 quick rules.

> block in log on $IfInt all

And this is the last rule in your set. Provided you had NO quick options in all the preceding rules, you would have just blocked EVERYTHING inbound from your internal network. But even that's irrelevant at this point... you're only supposed to filter in ONE direction on a bridge. *sigh* Try the following ruleset.
Note that the $IPsExt needs to be defined, and you'll probably want to redefine $fw_services (stuff allowed into your firewall/bridge host), $udp_allowed (udp traffic allowed into your internal hosts), and $tcp_allowed (tcp traffic allowed into your internal hosts). ALSO NOTE that $udp_allowed and $tcp_allowed are only defined to allow incoming traffic initiated from the outside... stuff you are running internal servers for, IOW. You do NOT need to allow UDP/DNS traffic explicitly just for your internal hosts' resolution... that is allowed and tracked by the outgoing UDP state rule. The "modulate state" option in the TCP section is only necessary if you need to protect hosts with weak TCP implementations. If you're running primarily Linux 2.4 and OpenBSD hosts, you only need to "keep state". Otherwise, and particularly if you're running Windows hosts, go ahead and use "modulate state". Please take some time to study this ruleset and learn what and why it does what it does. Reference the manpages to clarify what an option means. And for the LOVE OF GOD, please unplug this box from the internet ASAP until you get the ruleset fixed... you're running a wide-open bridge. :) -J. 
# Macros
IfExt="fxp0"

# Change the following network address to suit your needs
IPsExt="xxx.xxx.xxx.0/24"

# Define the following sample services
fw_services="{ ssh }"
udp_allowed="{ }"
tcp_allowed="{ http, smtp, https, ssh }"

# Stuff that shouldn't cross our network
bad_blocks="{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23, 224.0.0.0/3 }"

# Options
set limit { states 16000, frags 8000 }
set loginterface $IfExt
set optimization aggressive

# Packet Normalization
scrub in all

# Default block
block out log on $IfExt all
block in log on $IfExt all
block return-rst out log on $IfExt proto tcp all
block return-rst in log on $IfExt proto tcp all
block return-icmp out log on $IfExt proto udp all
block return-icmp in log on $IfExt proto udp all

# Block unwanted
block in quick on $IfExt from 255.255.255.255/32 to any
block in quick on $IfExt from any to 255.255.255.255/32
block in quick on $IfExt from $bad_blocks to any
block in quick on $IfExt from any to $bad_blocks

# Allow certain icmp connections
pass out on $IfExt inet proto icmp all keep state
pass in on $IfExt inet proto icmp all icmp-type 8 code 0 keep state

# Allow certain udp connections
pass out on $IfExt proto udp all keep state
pass in on $IfExt proto udp from any to any port $udp_allowed keep state

# Allow certain tcp connections
pass out on $IfExt proto tcp all modulate state
pass in on $IfExt inet proto tcp from any to ($IfExt) port $fw_services flags S/SA keep state
pass in on $IfExt proto tcp from any to any port $tcp_allowed flags S/SA modulate state

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Wouter Clarie
> Sent: Saturday, February 22, 2003 04:21
> To: [EMAIL PROTECTED]
> Subject: Re: PF related crash?
>
>
> On Fri, 21 Feb 2003, Glen MacAfee wrote:
>
> > I'm getting crashes whenever I put a heavy load on the fw/bridge that I have
> > setup. I'm not sure if the issue is memory or otherwise--my guess is it's
> > PF-related; is there any way to be sure?
> >
> > I'm running OBSD 3.2 on an NEC PowerMate V166e (Pentium 166) with 48MB RAM,
> > 2 Intel Pro/100 (S?) NICs. Any suggestions?
>
> Yes: post dmesg, ruleset, crash trace & ps,... What you gave us now is not
> sufficient.
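An added illustration, not part of the original thread: a small Python model of PF's evaluation order (last matching rule wins, unless a matching rule is "quick"), run over a reduced form of both rulesets to show why the two "pass ... quick" rules pass everything and how the suggested default-block set behaves. The packets, the port numbers and the 10.0.0.0/8 stand-in for $bad_blocks are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False          # quick: stop evaluating once this rule matches
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # None matches any source network
    dport: Optional[int] = None  # None matches any destination port

@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport)
            and (rule.src is None or ip_address(pkt.src) in ip_network(rule.src)))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """PF semantics: the last matching rule decides, except that a matching
    'quick' rule ends evaluation at once. A packet matching no rule passes."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision

# The original poster's set, reduced to the two quick rules on $IfExt:
# every packet matches one of them, so nothing after them is ever reached.
BROKEN = [
    Rule("pass", "in", quick=True),
    Rule("pass", "out", quick=True),
    Rule("block", "in", proto="tcp", dport=23),        # never evaluated
]

# The suggested set, reduced to the same shape: default block first,
# quick blocks for bad source blocks, then the explicit pass rules.
FIXED = [
    Rule("block", "in"),                               # "block in log on $IfExt all"
    Rule("block", "in", quick=True, src="10.0.0.0/8"), # stand-in for $bad_blocks
    Rule("pass", "in", proto="tcp", dport=22),         # $fw_services / $tcp_allowed
    Rule("pass", "in", proto="tcp", dport=80),
]

def decide(rules: List[Rule], direction: str, proto: str, src: str, dport: int) -> str:
    return evaluate(rules, Packet(direction, proto, src, dport))
```

With the broken set, an inbound telnet SYN is passed by the first quick rule even though a later rule would block it; with the fixed set the same packet hits only the default block, port 80 is passed by the later matching rule, and a packet from 10.0.0.0/8 is stopped by the quick block before the pass rules are considered.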