Date: Mon, 13 Apr 2009 22:42:08 +0100
From: Peter Maxwell <peter@allicient.co.uk>
To: freebsd-pf@freebsd.org
Subject: Re: max-src-conn issue
Message-ID: <7731938b0904131442q4a6ff305x2cd78e584abf4477@mail.gmail.com>
In-Reply-To: <49E39547.201@citrin.ru>
References: <49E39547.201@citrin.ru>
Hi Yuzhaninov,

Interestingly enough, I checked the pf.conf man page for max-src-conn:

"For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enforced per source IP.

max-src-conn <number>
Limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

max-src-conn-rate <number> / <seconds>
Limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average."

which does indicate that only completed handshakes are counted towards max-src-conn; it doesn't however say anything about the initial SYN packet - essentially it seems undefined. You might be able to get a better answer by looking at the source, or asking someone who knows more than me ;-)

Have you tried the rules without the 'quick' keyword? I know it's probably down to personal taste, but I've always found that using 'quick' unless it's absolutely essential (and that's not often at all) can cause unexpected difficulties.

I don't think this is necessarily a problem either, as I think FreeBSD comes out of the box with protection against SYN floods - again perhaps someone more knowledgeable can expand on this.

Best wishes,
Peter

2009/4/13 Anton Yuzhaninov <citrin@citrin.ru>:
> Hi All.
>
> It seems to be that max-src-conn is broken under FreeBSD, and not useful to
> limit incoming connections.
>
> 1. I have added 2 rules:
>
> $ pfctl -s rule
> pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
> block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
>
> 2. Open 3 ssh connections:
>
> $ pfctl -s state
> all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
>
> $ netstat -n -p tcp
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
>
> 3. When I tried to open one more connection, packets matched by the first rule
> were passed, but state was not created.
>
> $ pfctl -z
>
> On remote host:
> ssh 81.19.90.176
>
> $ pfctl -v -s rule
> pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
>   [ Evaluations: 752       Packets: 2         Bytes: 120         States: 3     ]
>   [ Inserted: uid 0 pid 98818 ]
> block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
>   [ Evaluations: 2         Packets: 2         Bytes: 128         States: 0     ]
>   [ Inserted: uid 0 pid 98818 ]
> $ pfctl -s state
> all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
> $ netstat -np tcp
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
>
> New state is not created, but packets matched by the first rule are passed, while
> they should be dropped.
>
> Because of this a new half-open connection is created (in SYN_RCVD state).
>
> This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
> many sockets as they want on the attacked host, even when the number of connections
> is limited by pf.
>
> $ uname -psv
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr  8 05:31:05 MSD 2009
> citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when the
> limit is reached, packets matched by the first rule are dropped, and new state is not
> created.
>
> --
>  Anton Yuzhaninov
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
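A host-side check for the symptom Anton reports, added here as an example and not part of the thread: it parses `netstat -n -p tcp` output (the sample below is constructed, modelled on the quoted listing) and reports sources that already hold max-src-conn ESTABLISHED sockets to a local port yet still have SYN_RCVD half-open sockets, which is what a SYN passed without a pf state would leave behind.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the netstat listing quoted in the thread:
# three established SSH sessions from 81.19.90.156 plus the half-open
# SYN_RCVD socket that appeared after max-src-conn 3 had been reached,
# and one unrelated established session from another host.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.200.51001     ESTABLISHED
"""

# BSD netstat prints addresses as host.port; the greedy group backtracks so
# that only the last dot separates host from port.
LINE_RE = re.compile(r"^tcp[46]\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)$")


def parse_netstat(text):
    """Return (local_port, foreign_host, state) for every tcp socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(2)), m.group(3), m.group(5)))
    return rows


def half_open_over_limit(text, local_port, limit):
    """Map foreign host -> number of SYN_RCVD sockets, for hosts that already
    hold `limit` ESTABLISHED sockets to local_port. A non-empty result means
    SYNs got through after the per-source limit was reached."""
    counts = defaultdict(lambda: {"ESTABLISHED": 0, "SYN_RCVD": 0})
    for port, host, state in parse_netstat(text):
        if port == local_port and state in counts[host]:
            counts[host][state] += 1
    return {host: c["SYN_RCVD"] for host, c in counts.items()
            if c["ESTABLISHED"] >= limit and c["SYN_RCVD"] > 0}


if __name__ == "__main__":
    # Same limit as the rule in the thread: max-src-conn 3 on port 22.
    for host, n in half_open_over_limit(SAMPLE_NETSTAT, 22, 3).items():
        print(f"{host}: at limit with {n} half-open socket(s) on port 22")
```

On a live box, feed it the real listing with `netstat -n -p tcp` and the limit from your pass rule; an empty result is the expected state when pf drops the excess SYNs.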