[pfSense Support] BGP routes vanish after 60 seconds

2010-06-18 Thread Adam Thompson
I timed it, and following “bgpctl fib couple”, the routes get inserted into the 
kernel’s routing table for exactly 60 seconds, then they all disappear again.

I have the BGP holdtime set to 65535 seconds; is there a way to find out what 
my peer has negotiated with me?  (I’m not seeing it under bgpctl show 
neighbours, maybe I’m missing something?)  Would that even affect my kernel 
routing table?

Another oddity I noticed is that when running “netstat -rn -f inet” while the 
routes were being populated, I saw a number (at least 10%, not sure exactly) 
where the expiry column contained “=>”.  I can’t find any documentation in 
FreeBSD about what that might mean.

(Yes, I can go look at the source but without any knowledge of BSD networking 
innards [except a bit of IPv6, since I attended that session at BSDCan’10] I 
don’t even know what I’m looking for.  The netstat manpage is unhelpful on this 
subject.)


-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291



Re: [pfSense Support] Maximum New Connections Per Second

2010-06-18 Thread David Newman
On 6/18/10 1:58 PM, Code Ghar wrote:
> You both are right that VoIP is a very broad term. So let me clarify. I
> am running Asterisk behind pfSense with multiple endpoints, such as ATAs
> and softphones, registering to this Asterisk server. Then I have some
> trunks with carriers and such. On the carrier side I am not too worried
> because I know their IPs and can create rules to allow traffic from them
> unhindered. However, on the other side are registered endpoints, for
> which there is not definitive IP. Users could plug it in their home,
> office, hotel, etc. Then there are some malicious users who try to brute
> force their way into the Asterisk server sending a flood of registration
> attempts. To allow legitimate use and to mitigate fraudulent
> registrations, one way would be to have a reasonable upper limit to
> connections per second. This way unusually large attempts can be blocked
> at the firewall level instead of letting Asterisk deal with it.
> 
> In this scenario if I set, say 5 max connections per second, then from
> one IP there can be 5 different states. In this case if a malicious user
> sends 6 registration attempts in one second then the first five would be
> allowed and the sixth would be dropped.
> 
> On the flip side, if a legitimate user has two SIP endpoints coming from
> the same IP, then they can still establish two calls, one from each
> endpoint, as there would be four states: in and out for both endpoints.
> This still leaves a third connection or state for some breathing space.
> 
> Did I understand this correctly?

Yes. My experience with the rate-limiting stuff is that pf can take a
little while (seconds) to recognize and respond to brute-force attacks.
This may be due to high attack rates or less-than-studly hardware or
both. Either way, blocking might not be instantaneous, but ultimately
pfSense will drop further connection attempts.

dn


> 
> 
> On Fri, Jun 18, 2010 at 3:33 PM, Chris Buechler wrote:
> 
> On Fri, Jun 18, 2010 at 4:08 PM, Code Ghar wrote:
> > In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
> > Connections / Per Second". It says that "Any IP address exceeding that
> > number of connections within the given time frame will be blocked for one
> > hour." When using VoIP, which uses UDP, if one IP sends calls to your VoIP
> > switch with pfSense in the middle, there's one state established. Within
> > that state if that same IP sends, say 5 messages in a second, are these
> > messages considered 5 connections in one state or 1 connection in one state?
> 
> With the typical SIP, one connection is one state, regardless of how
> many packets come over that state, it's one connection. If there are
> 50 SIP phones NATed to one public IP connecting to you, that's going
> to be 50 simultaneous SIP connections, plus RTP for calls. In cases
> like an Internet outage at that location, you'll see a bunch of
> connections opened quickly.
> 
> That could more accurately read "Maximum new states / per second".
> 
> As David noted, with a wide variety of things that "VoIP" can cover,
> it's hard to say. Generally you have up to two connections/states per
> SIP endpoint.
> 
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> 
> For additional commands, e-mail: support-h...@pfsense.com
> 
> 
> Commercial support available - https://portal.pfsense.org
> 
> 





Re: [pfSense Support] Maximum New Connections Per Second

2010-06-18 Thread Code Ghar
You both are right that VoIP is a very broad term. So let me clarify. I am
running Asterisk behind pfSense with multiple endpoints, such as ATAs and
softphones, registering to this Asterisk server. Then I have some trunks
with carriers and such. On the carrier side I am not too worried because I
know their IPs and can create rules to allow traffic from them unhindered.
However, on the other side are registered endpoints, for which there is not
definitive IP. Users could plug it in their home, office, hotel, etc. Then
there are some malicious users who try to brute force their way into the
Asterisk server sending a flood of registration attempts. To allow
legitimate use and to mitigate fraudulent registrations, one way would be to
have a reasonable upper limit to connections per second. This way unusually
large attempts can be blocked at the firewall level instead of letting
Asterisk deal with it.

In this scenario if I set, say 5 max connections per second, then from one
IP there can be 5 different states. In this case if a malicious user sends 6
registration attempts in one second then the first five would be allowed and
the sixth would be dropped.

On the flip side, if a legitimate user has two SIP endpoints coming from the
same IP, then they can still establish two calls, one from each endpoint, as
there would be four states: in and out for both endpoints. This still leaves
a third connection or state for some breathing space.

Did I understand this correctly?


On Fri, Jun 18, 2010 at 3:33 PM, Chris Buechler wrote:

> On Fri, Jun 18, 2010 at 4:08 PM, Code Ghar wrote:
> > In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
> > Connections / Per Second". It says that "Any IP address exceeding that
> > number of connections within the given time frame will be blocked for one
> > hour." When using VoIP, which uses UDP, if one IP sends calls to your VoIP
> > switch with pfSense in the middle, there's one state established. Within
> > that state if that same IP sends, say 5 messages in a second, are these
> > messages considered 5 connections in one state or 1 connection in one state?
>
> With the typical SIP, one connection is one state, regardless of how
> many packets come over that state, it's one connection. If there are
> 50 SIP phones NATed to one public IP connecting to you, that's going
> to be 50 simultaneous SIP connections, plus RTP for calls. In cases
> like an Internet outage at that location, you'll see a bunch of
> connections opened quickly.
>
> That could more accurately read "Maximum new states / per second".
>
> As David noted, with a wide variety of things that "VoIP" can cover,
> it's hard to say. Generally you have up to two connections/states per
> SIP endpoint.
>


Re: [pfSense Support] Maximum New Connections Per Second

2010-06-18 Thread Chris Buechler
On Fri, Jun 18, 2010 at 4:08 PM, Code Ghar wrote:
> In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
> Connections / Per Second". It says that "Any IP address exceeding that
> number of connections within the given time frame will be blocked for one
> hour." When using VoIP, which uses UDP, if one IP sends calls to your VoIP
> switch with pfSense in the middle, there's one state established. Within
> that state if that same IP sends, say 5 messages in a second, are these
> messages considered 5 connections in one state or 1 connection in one state?

With the typical SIP, one connection is one state, regardless of how
many packets come over that state, it's one connection. If there are
50 SIP phones NATed to one public IP connecting to you, that's going
to be 50 simultaneous SIP connections, plus RTP for calls. In cases
like an Internet outage at that location, you'll see a bunch of
connections opened quickly.

That could more accurately read "Maximum new states / per second".

As David noted, with a wide variety of things that "VoIP" can cover,
it's hard to say. Generally you have up to two connections/states per
SIP endpoint.
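As an added illustration of the state counting Chris describes above, and of the "5 new connections per second from one IP" scenario Code Ghar asks about (example code, not pfSense's or pf's own logic): a shell function that replays constructed packet records, opens one state per UDP 5-tuple no matter how many packets use it, and reports a source that opens more than the limit of new states within one second. The record format and the sample addresses are assumptions; real pf keeps this bookkeeping inside the kernel.

```shell
#!/bin/sh
# Added example, not pfSense or pf code. Models how the pf state table sees
# SIP/RTP: repeated packets on one 5-tuple are one state, and only new
# states count against a per-source "new connections per second" limit.
# Input records (constructed format): <epoch> <proto> <src:port> <dst:port>

new_state_report() {
    limit=${1:-5}
    awk -v limit="$limit" '
        {
            key = $2 " " $3 " " $4          # proto + src:port + dst:port
            split($3, a, ":"); src = a[1]
            if (key in seen) next           # existing state: not a new connection
            seen[key] = 1
            count = ++opened[src, int($1)]  # new states by source and second
            if (count == limit + 1)
                printf "%s exceeded %d new states in second %d\n", src, limit, $1
        }
        END {
            for (k in seen) total++
            printf "%d states total\n", total
        }'
}

# Constructed traffic: one ATA re-sending REGISTER eight times from the same
# socket (one state), its RTP stream (one more state), and a source that
# opens six sockets towards port 5060 in one second (six states, over a
# limit of 5). 192.0.2.1 stands in for the Asterisk box behind pfSense.
SAMPLE_PACKETS='1276819200 udp 203.0.113.10:5060 192.0.2.1:5060
1276819200 udp 203.0.113.10:5060 192.0.2.1:5060
1276819200 udp 203.0.113.10:5060 192.0.2.1:5060
1276819200 udp 203.0.113.10:5060 192.0.2.1:5060
1276819201 udp 203.0.113.10:5060 192.0.2.1:5060
1276819201 udp 203.0.113.10:5060 192.0.2.1:5060
1276819201 udp 203.0.113.10:5060 192.0.2.1:5060
1276819201 udp 203.0.113.10:5060 192.0.2.1:5060
1276819202 udp 203.0.113.10:10000 192.0.2.1:10000
1276819205 udp 198.51.100.7:40001 192.0.2.1:5060
1276819205 udp 198.51.100.7:40002 192.0.2.1:5060
1276819205 udp 198.51.100.7:40003 192.0.2.1:5060
1276819205 udp 198.51.100.7:40004 192.0.2.1:5060
1276819205 udp 198.51.100.7:40005 192.0.2.1:5060
1276819205 udp 198.51.100.7:40006 192.0.2.1:5060'

# Runs the report over the constructed sample with a limit of 5.
demo_states() {
    printf '%s\n' "$SAMPLE_PACKETS" | new_state_report 5
}

demo_states
```

Eight packets from the ATA produce a single state, so it never comes near the limit; the six-socket source is reported on its sixth new state while its first five pass, which is the behaviour the thread describes.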




Re: [pfSense Support] Maximum New Connections Per Second

2010-06-18 Thread David Newman
On 6/18/10 1:08 PM, Code Ghar wrote:
> In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
> Connections / Per Second". It says that "Any IP address exceeding that
> number of connections within the given time frame will be blocked for
> one hour." When using VoIP, which uses UDP, if one IP sends calls to
> your VoIP switch with pfSense in the middle, there's one state
> established. Within that state if that same IP sends, say 5 messages in
> a second, are these messages considered 5 connections in one state or 1
> connection in one state? My aim is to restrict UDP connections per
> second from all IPs in a rule.

The most common case with VoIP traffic is that you have at least two
streams, one apiece for signaling and media traffic.* The signaling
stream typically uses a well-known port (i.e., 5060 for SIP) and the
media traffic (often RTP/RTSP) uses some random port.

There are some sample VoIP captures here:

http://techtraces.com/sample_captures/

dn

*Caveat: "VoIP" is a very broad term, covering lots of different
signaling and media transport methods. The example I gave above is a
simple and very commonly used case, but there are lots of others.







[pfSense Support] Maximum New Connections Per Second

2010-06-18 Thread Code Ghar
In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
Connections / Per Second". It says that "Any IP address exceeding that
number of connections within the given time frame will be blocked for one
hour." When using VoIP, which uses UDP, if one IP sends calls to your VoIP
switch with pfSense in the middle, there's one state established. Within
that state if that same IP sends, say 5 messages in a second, are these
messages considered 5 connections in one state or 1 connection in one state?
My aim is to restrict UDP connections per second from all IPs in a rule.


Re: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Jim Pingle
On 6/18/2010 1:40 PM, Adam Thompson wrote:
>> It wouldn't be too difficult to add this to the GUI if we can
>> confirm
>> that the results are indeed accurate.
> 
> 
> Well, I can tell you that the numbers returned matched up exactly with what 
> my ISP wants to bill me for :-)

That's certainly a good measure :-)

We'd just need to put a big fat disclaimer on the total that says it's
not 100% accurate, especially if the RRD data is incomplete for the time
period.




RE: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Adam Thompson
> -Original Message-
> From: Jim Pingle [mailto:li...@pingle.org]
> Sent: Friday, June 18, 2010 12:37 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Bandwdith usage since start of
> month?
> 
> It wouldn't be too difficult to add this to the GUI if we can
> confirm
> that the results are indeed accurate.


Well, I can tell you that the numbers returned matched up exactly with what my 
ISP wants to bill me for :-)


-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291



Re: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Jim Pingle
On 6/18/2010 1:28 PM, Adam Thompson wrote:
> Thank you very much!  I never knew how to extract the raw data from rrdlogs; 
> now I know it's actually not that hard.
> 
> (BTW: the AWK is fine, although you can omit the cut(1) stage in the pipe 
> simply by having awk add up $2 and $3 instead of $1 and $2.)

And for my next trick, this one works in whatever month you run it:

rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -r 3600 -s "00 `date '+%m/01/%Y'`" -e now | grep -v nan | awk '{ sum1 += $2/(1024*1024); sum2 += $3/(1024*1024) } END { printf "IN: %u Mbytes OUT: %u Mbytes\n", sum1*3600, sum2*3600; }'

Thanks for the reminder, re: cut/awk.

It wouldn't be too difficult to add this to the GUI if we can confirm
that the results are indeed accurate.

Jim




RE: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Adam Thompson
Thank you very much!  I never knew how to extract the raw data from rrdlogs; 
now I know it's actually not that hard.

(BTW: the AWK is fine, although you can omit the cut(1) stage in the pipe 
simply by having awk add up $2 and $3 instead of $1 and $2.)

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291


-Original Message-
From: Jim Pingle [mailto:li...@pingle.org] 
Sent: June-18-10 12:23 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Bandwdith usage since start of month?

On 6/18/2010 12:04 PM, Adam Thompson wrote:
> Is there a way to get this information?

Try this command at the CLI; do the values look right when compared to
the graph? My awk-fu isn't that good, there's probably a better way to
do this:

(This should all be one single line)

rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -r 3600 -s '00:00 06/01/2010' -e now | grep -v nan | cut -f2 -d':' | awk '{ sum1 += $1/(1024*1024); sum2 += $2/(1024*1024) } END { printf "IN: %u Mbytes OUT: %u Mbytes\n", sum1*3600, sum2*3600; }'

I had to use Mbytes since using bytes made awk overflow its integer
type :-)

If you have more than one WAN, you can repeat that with
opt1-traffic.rrd, etc.

Jim



Re: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Jim Pingle
On 6/18/2010 12:04 PM, Adam Thompson wrote:
> Is there a way to get this information?

Try this command at the CLI; do the values look right when compared to
the graph? My awk-fu isn't that good, there's probably a better way to
do this:

(This should all be one single line)

rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -r 3600 -s '00:00 06/01/2010' -e now | grep -v nan | cut -f2 -d':' | awk '{ sum1 += $1/(1024*1024); sum2 += $2/(1024*1024) } END { printf "IN: %u Mbytes OUT: %u Mbytes\n", sum1*3600, sum2*3600; }'

I had to use Mbytes since using bytes made awk overflow its integer
type :-)

If you have more than one WAN, you can repeat that with
opt1-traffic.rrd, etc.

Jim
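As an added example (not Jim's one-liner and not pfSense code), here is the same totalling as a reusable shell function that reads the output of "rrdtool fetch ... AVERAGE" on standard input; it serves both versions of the command in this thread. It derives the step from the timestamps instead of assuming 3600, skips only the column that is nan rather than the whole row, and sums in floating point so the byte count cannot overflow awk's integer type. The column layout (inbound then outbound bytes/s) and the sample rows are assumptions.

```shell
#!/bin/sh
# Added example, not from the pfSense list or project. Totals the bytes
# behind the per-second rates that "rrdtool fetch ... AVERAGE" prints.
# Assumed column layout: first DS = inbound bytes/s, second = outbound.

sum_rrd_fetch() {
    awk '
        # data rows look like "<epoch>: <rate1> <rate2> ..."; the header
        # line and the blank line after it do not match this pattern
        $1 ~ /^[0-9]+:$/ {
            ts = substr($1, 1, length($1) - 1) + 0
            if (n == 0) first = ts
            else if (step == 0) step = ts - first   # real RRA step, not assumed
            n++
            # rrdtool prints nan (or -nan) for unknown samples; keep the
            # other column instead of dropping the whole row
            if ($2 !~ /nan/) inrate  += $2
            if ($3 !~ /nan/) outrate += $3
        }
        END {
            if (step == 0) step = 3600       # single row: fall back to -r 3600
            inb  = inrate  * step
            outb = outrate * step
            # %.0f keeps the full value; %u overflowed on the list
            printf "IN: %.0f bytes (%.2f MiB) OUT: %.0f bytes (%.2f MiB)\n",
                   inb, inb / 1048576, outb, outb / 1048576
        }'
}

# Constructed sample of rrdtool fetch output: four hourly rows, two of
# them with unknown samples.
SAMPLE_FETCH='                         inpass              outpass

1276819200: 1.0000000000e+03 5.0000000000e+02
1276822800: 2.0000000000e+03 nan
1276826400: nan nan
1276830000: 3.0000000000e+03 1.5000000000e+03'

# Runs the function over the constructed sample and returns its report.
demo_total() {
    printf '%s\n' "$SAMPLE_FETCH" | sum_rrd_fetch
}

# Live use on pfSense (month to date, one line):
# rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -r 3600 \
#     -s "00:00 `date '+%m/01/%Y'`" -e now | sum_rrd_fetch

demo_total
```

Because rrdtool may answer with a coarser step than the one asked for with -r when the RRA for that resolution does not cover the whole range, reading the step from the data rather than hard-coding 3600 is what keeps the total honest.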




Re: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Nenhum_de_Nos

On Fri, June 18, 2010 13:32, David Burgess wrote:
> On Fri, Jun 18, 2010 at 10:20 AM, Nenhum_de_Nos wrote:
>
>> vnstat does that. but not for past time (before it is installed).
>
> Anybody know if vnstat is compact flash friendly? I'm using the
> nanobsd image since burning out one CF already, and this vnstat sounds
> handy.

I can't say for sure, as I run on microdrives. But it uses damn small
files in its /var/db/vnstat dir ...

matheus

-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style




Re: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread David Burgess
On Fri, Jun 18, 2010 at 10:20 AM, Nenhum_de_Nos wrote:

> vnstat does that. but not for past time (before it is installed).

Anybody know if vnstat is compact flash friendly? I'm using the
nanobsd image since burning out one CF already, and this vnstat sounds
handy.

db




Re: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Ian Bowers
darkstat will give you a rolling month, but I'm not sure what would
conveniently do traffic since the start of a given month.

On Fri, Jun 18, 2010 at 12:04 PM, Adam Thompson wrote:
> I’m trying to determine how much traffic I’ve transferred since the first of
> the month; the RRD graphs let me see the last month’s worth of traffic but I
> can’t see any way to specify custom ranges.
>
> I vaguely remember seeing a package that let me select specific ranges on
> those graphs but I can’t find it now (and I might be remembering something
> else altogether – who knows).
>
> Is there a way to get this information?
>
> Thanks,
>
> -Adam Thompson
>  Chief Technical Architect, C3A Inc.
>  athom...@c3a.ca
>  (204) 272-9628 / fax: (204) 272-8291




Re: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Nenhum_de_Nos

On Fri, June 18, 2010 13:04, Adam Thompson wrote:
> I'm trying to determine how much traffic I've transferred since the first
> of the month; the RRD graphs let me see the last month's worth of traffic
> but I can't see any way to specify custom ranges.
>
> I vaguely remember seeing a package that let me select specific ranges on
> those graphs but I can't find it now (and I might be remembering something
> else altogether - who knows).
>
> Is there a way to get this information?
>
> Thanks,

vnstat does that. but not for past time (before it is installed).

matheus

-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style




[pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Adam Thompson
I'm trying to determine how much traffic I've transferred since the first of 
the month; the RRD graphs let me see the last month's worth of traffic but I 
can't see any way to specify custom ranges.

I vaguely remember seeing a package that let me select specific ranges on those 
graphs but I can't find it now (and I might be remembering something else 
altogether - who knows).

Is there a way to get this information?

Thanks,

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291



Re: [pfSense Support] IAX trunk after isp lost connection

2010-06-18 Thread Lyle Giese
belkhiria aymen wrote:
> Hi,
> I use pfsense version 1.2,
> I mean that pfSense * does not re-register on the remote * after all the mess.
>
>
> On Thu, Jun 17, 2010 at 7:01 PM, st41ker wrote:
>
> On 17/06/2010 20:18, belkhiria aymen wrote:
> > Hi,
> >
> > I have Asterisk under pfSense and an IAX trunk with another Asterisk.
> > When the connection to my ISP is lost, the IAX trunk becomes
> > UNREACHABLE, and to refresh it I reset the connection in pfSense.
> >
> > any help?
> >
> > -- Belkhiria Aymen, Computer Engineer
>
> Hello Belkhiria,
>
> Which pfSense version do you use?
>
> Do you mean that your internet connection does not auto reconnect or
> your pfSense * does not re-register on the remote * after all the
> mess?
>
>
>
>
> -- 
> Belkhiria Aymen
> Computer Engineer
One other thing to remember is that Asterisk does not tolerate the loss
of DNS resolution.  It will drop connections and get confused.  But *
should recover after the restoration of connectivity to the ISP, unless
you have a buggy version of *.

Lyle Giese
LCR Computer Services, Inc.



Re: [pfSense Support] IAX trunk after isp lost connection

2010-06-18 Thread belkhiria aymen
Hi,
I use pfsense version 1.2,
I mean that pfSense * does not re-register on the remote * after all the mess.


On Thu, Jun 17, 2010 at 7:01 PM, st41ker wrote:

>  On 17/06/2010 20:18, belkhiria aymen wrote:
> > Hi,
> >
> > I have Asterisk under pfSense and an IAX trunk with another Asterisk.
> > When the connection to my ISP is lost, the IAX trunk becomes
> > UNREACHABLE, and to refresh it I reset the connection in pfSense.
> >
> > any help?
> >
> > -- Belkhiria Aymen, Computer Engineer
>
> Hello Belkhiria,
>
> Which pfSense version do you use?
>
> Do you mean that your internet connection does not auto reconnect or
> your pfSense * does not re-register on the remote * after all the mess?
>
>


-- 
Belkhiria Aymen
Computer Engineer