Problem with stateful tracking option "override flush"

Sat, 21 Aug 2010 20:04:52 -0700

Hello

I have been having a problem trying to use the stateful tracking
option "override <TABLE> flush" in OpenBSD 4.7-stable. My system is
an i386 GENERIC system, running as a vmware guest under Windows XP.

Consider the following ruleset:

  set skip on lo
  block drop all
  block drop quick from <BLACKLIST> to any
  pass out on egress inet all
  pass in inet proto tcp from any to (self) port ssh keep state \
    (max 20, max-src-conn-rate 2/20, overload <BLACKLIST> flush)

My understanding of the pf.conf(5) manual is that if the connection
rate is exceeded, the offending source host will be added to
the <BLACKLIST> table, and all states created by the matching rule
which originate from the offending host will be killed.

I tested the ruleset by ssh'ing from the vmware host into the vmware
guest (openbsd 4.7). After the 2nd ssh session is logged in, the
OpenBSD system will not accept any more connections (expected
behaviour), but the first two sessions remain operational, in other
words, the states have not been killed. I've appended the output
of "pfctl -ss -vv".

The problem I'm seeing is that while IP addresses are in fact added
to <BLACKLIST> when the connection rate is exceeded, the flush
command has no effect. I tried "flush global" as well, but that made
no difference. I also tried "synproxy state" and "modulate state" to no avail.

Would someone know if there is an error in my understanding, in my ruleset,
or is this a problem?

By the way, I also tried the same ruleset on each stable distribution
back to 4.2.  I get the behaviour described in the manual on 4.2 and
4.3, but from 4.4 onwards the flush does not seem to have any effect.

Kind regards
Robert Mills

-------------------------------------------

FILTER RULES:
@0 block drop all
  [ Evaluations: 9         Packets: 4         Bytes: 192         States: 0     ]
  [ Inserted: uid 0 pid 12362 State Creations: 0     ]
@1 block drop quick from <BLACKLIST:1> to any
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12362 State Creations: 0     ]
@2 pass out on egress inet all flags S/SA keep state
  [ Evaluations: 9         Packets: 4         Bytes: 470         States: 0     ]
  [ Inserted: uid 0 pid 12362 State Creations: 2     ]
@3 pass in inet proto tcp from any to (self:2) port = ssh flags S/SA keep state 
(max 20, source-track rule, max-src-conn-rate 2/20, overload <BLACKLIST> flush, 
adaptive.start 12, adaptive.end 24, src.track 20)
  [ Evaluations: 9         Packets: 98        Bytes: 14516       States: 2     ]
  [ Inserted: uid 0 pid 12362 State Creations: 3     ]
No queue in use

STATES:
all tcp 192.168.9.133:22 <- 192.168.9.1:1184       ESTABLISHED:ESTABLISHED
   [4060316721 + 65535]  [419322259 + 17520]
   age 00:00:50, expires in 23:59:11, 21:27 pkts, 2933:4301 bytes, rule 3, 
source-track
   id: 4c6def3e00000061 creatorid: d3c137f4
all tcp 192.168.9.133:22 <- 192.168.9.1:1189       ESTABLISHED:ESTABLISHED
   [1683884458 + 65535]  [4062748640 + 17520]
   age 00:00:48, expires in 23:59:13, 21:27 pkts, 2933:4253 bytes, rule 3, 
source-track
   id: 4c6def3e00000063 creatorid: d3c137f4

SOURCE TRACKING NODES:
192.168.9.1 ( states 2, connections 2, rate 0.0/20s )
   age 00:00:50, 98 pkts, 14516 bytes, rule 3

INFO:
Status: Enabled for 0 days 00:00:53              Debug: err

Hostid:   0xd3c137f4
Checksum: 0xace54961a7d232676d422b5a8cf754c7

State Table                          Total             Rate
  current entries                        2               
  searches                             529           10.0/s
  inserts                              102            1.9/s
  removals                             100            1.9/s
Source Tracking Table
  current entries                        1               
  searches                               3            0.1/s
  inserts                                1            0.0/s
  removals                               0            0.0/s
Counters
  match                                108            2.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              1            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      1            0.0/s
  overload table insertion               1            0.0/s
  overload flush states                  1            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

TABLES:
--a-r-- BLACKLIST
        Addresses:   1
        Cleared:     Fri Aug 20 14:07:29 2010
        References:  [ Anchors: 0                  Rules: 2                  ]
        Evaluations: [ NoMatch: 9                  Match: 0                  ]
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

OS FINGERPRINTS:
696 fingerprints loaded
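An added check script, not part of the post above, for confirming from a saved
"pfctl -ss" listing whether any states still belong to a source that the
overload rule has already put into the table (the situation reported above). The
state lines and the table contents are constructed samples modelled on the
output format in the post; the script assumes IPv4 peers and the plain
"dst:port <- src:port" / "src:port -> dst:port" layout shown there.

```shell
#!/bin/sh
# Constructed sample of "pfctl -ss" output (not the poster's real listing).
STATES='all tcp 192.168.9.133:22 <- 192.168.9.1:1184       ESTABLISHED:ESTABLISHED
all tcp 192.168.9.133:22 <- 192.168.9.1:1189       ESTABLISHED:ESTABLISHED
all tcp 192.168.9.133:22 <- 192.168.9.7:40022      ESTABLISHED:ESTABLISHED'
# Constructed sample of "pfctl -t BLACKLIST -T show" (one address per line).
TABLE='192.168.9.1'

# Print the state lines whose remote peer address is listed in the table.
# With "overload <BLACKLIST> flush" working as pf.conf(5) describes, this
# list should be empty once the rate limit has triggered for that source.
lingering_states() {
    states="$1"; table="$2"
    printf '%s\n' "$states" | awk -v tbl="$table" '
        BEGIN {
            n = split(tbl, a, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") blocked[a[i]] = 1
        }
        { peer = "" }
        # field 5 is the remote host in both the "<-" (inbound) and the
        # "->" (outbound) layouts; strip the ":port" suffix (IPv4 only)
        $4 == "<-" || $4 == "->" { peer = $5; sub(/:[0-9]+$/, "", peer) }
        peer != "" && (peer in blocked) { print }
    '
}

# Number of lingering states; 0 means the flush behaved as documented.
count_lingering() {
    lingering_states "$1" "$2" | wc -l | tr -d ' '
}

# Usage against live data on the firewall would be:
#   count_lingering "$(pfctl -ss)" "$(pfctl -t BLACKLIST -T show)"
count_lingering "$STATES" "$TABLE"
```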
