Date:      Mon, 13 Apr 2009 22:42:08 +0100
From:      Peter Maxwell <peter@allicient.co.uk>
To:        freebsd-pf@freebsd.org
Subject:   Re: max-src-conn issue
Message-ID:  <7731938b0904131442q4a6ff305x2cd78e584abf4477@mail.gmail.com>
In-Reply-To: <49E39547.201@citrin.ru>
References:  <49E39547.201@citrin.ru>

Hi Yuzhaninov,

Interestingly enough, I checked the pf.conf man page for max-src-conn:

"For stateful TCP connections, limits on established connections (connec-
     tions which have completed the TCP 3-way handshake) can also be enforced
     per source IP.

     max-src-conn <number>
           Limits the maximum number of simultaneous TCP connections which
           have completed the 3-way handshake that a single host can make.
     max-src-conn-rate <number> / <seconds>
           Limit the rate of new connections over a time interval.  The con-
           nection rate is an approximation calculated as a moving average."

which does indicate that only completed handshakes are counted towards
max-src-conn; it doesn't however say anything about the initial SYN
packet - essentially it seems undefined.  You might be able to get a
better answer by looking at the source, or asking someone who knows
more than me ;-)

Have you tried the rules without the 'quick' keyword? I know it's
probably down to personal taste, but I've always found using 'quick'
unless it's absolutely essential (and that's not often at all) can
cause unexpected difficulties.

I don't think this is necessarily a problem either, as I think FreeBSD
comes out of the box with protection against SYN floods - again
perhaps someone more knowledgeable can expand on this.

Best wishes,

Peter


2009/4/13 Anton Yuzhaninov <citrin@citrin.ru>:
> Hi All.
>
> It seems that max-src-conn is broken under FreeBSD, and not useful to
> limit incoming connections.
>
> 1. I have added 2 rules:
>
> $ pfctl -s rule
> pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
> block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
>
> 2. Open 3 ssh connections:
>
> $ pfctl -s state
> all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
>
> $ netstat -n -p tcp
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
>
> 3. When I tried to open one more connection, packets matched by the first rule
> were passed, but state was not created.
>
> $ pfctl -z
>
> On remote host:
> ssh 81.19.90.176
>
> $ pfctl -v -s rule
> pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
>   [ Evaluations: 752       Packets: 2         Bytes: 120         States: 3     ]
>   [ Inserted: uid 0 pid 98818 ]
> block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
>   [ Evaluations: 2         Packets: 2         Bytes: 128         States: 0     ]
>   [ Inserted: uid 0 pid 98818 ]
> $ pfctl -s state
> all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
> all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
> $ netstat -np tcp
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
> tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
>
> New state was not created, but packets matching the first rule were passed, while
> they should have been dropped.
>
> Because of this, a new half-open connection is created (in SYN_RCVD state).
>
> This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
> many sockets as they want on the attacked host, even when the number of connections
> is limited by pf.
>
> $ uname -psv
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr  8 05:31:05 MSD 2009
> citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when the
> limit is reached, packets matched by the first rule are dropped, and no new state is
> created.
>
> --
>  Anton Yuzhaninov
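The discrepancy Anton reports (pf shows three ESTABLISHED states for the source, while the kernel socket table shows four sockets, one of them SYN_RCVD) can be checked mechanically. The following Python script is an added example, not part of the thread and not pf's or FreeBSD's own code: it parses `pfctl -s state` and `netstat -n -p tcp` output, counts established pf states per source address, and flags any source that has reached the max-src-conn limit while the kernel still holds sockets pf has no state for. The sample lines are constructed from the output quoted above (with an extra LISTEN line to show non-peer entries are skipped); the function names and the `limit` argument are my own.

```python
"""Cross-check pf's per-source established-state count against the kernel socket table.

Added example, not part of the thread: it parses the two command outputs
quoted in the report and reports sources that have reached the max-src-conn
limit in pf while the kernel still holds sockets pf has no state for.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the `pfctl -s state` output in the thread.
PF_STATES = """\
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
"""

# Constructed sample, modelled on the `netstat -n -p tcp` output in the thread,
# plus a listening socket line to show that non-peer entries are ignored.
NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
"""

# Inbound pf state line: "all tcp <dst>:<port> <- <src>:<port>   <state>:<state>"
PF_STATE_RE = re.compile(
    r"^\S+\s+tcp\s+(\S+):(\d+)\s+<-\s+(\S+):(\d+)\s+(\S+):(\S+)")

# "tcp4 <recvq> <sendq> <laddr>.<lport> <faddr>.<fport> <state>"; BSD netstat
# joins address and port with a dot, so the last dot separates them.
NETSTAT_RE = re.compile(
    r"^tcp[46]\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)$")


def pf_established_by_src(text):
    """Count pf states per source IP that are ESTABLISHED on both sides,
    i.e. the connections max-src-conn is documented to count."""
    counts = Counter()
    for line in text.splitlines():
        m = PF_STATE_RE.match(line)
        if not m:
            continue
        _dst, _dport, src, _sport, src_state, dst_state = m.groups()
        if src_state == "ESTABLISHED" and dst_state == "ESTABLISHED":
            counts[src] += 1
    return counts


def sockets_by_src(text):
    """Return {foreign_ip: Counter(state -> count)} from netstat output."""
    by_src = defaultdict(Counter)
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _laddr, _lport, faddr, _fport, state = m.groups()
        by_src[faddr][state] += 1
    return by_src


def find_unaccounted(pf_text, netstat_text, limit):
    """Sources that have reached `limit` established pf states yet own more
    kernel sockets than pf has states for (e.g. SYN_RCVD half-open ones)."""
    pf_counts = pf_established_by_src(pf_text)
    findings = {}
    for src, states in sockets_by_src(netstat_text).items():
        kernel_total = sum(states.values())
        pf_established = pf_counts.get(src, 0)
        if pf_established >= limit and kernel_total > pf_established:
            findings[src] = {
                "pf_established": pf_established,
                "kernel_sockets": kernel_total,
                "syn_rcvd": states.get("SYN_RCVD", 0),
            }
    return findings


if __name__ == "__main__":
    # Limit matches the "max-src-conn 3" rule in the report.
    for src, info in find_unaccounted(PF_STATES, NETSTAT, limit=3).items():
        print(f"{src}: {info}")
```

On a live host you would feed it the real command output; a non-empty result for a source means the kernel accepted at least one connection attempt from that source after pf stopped creating states for it, which is exactly the half-open socket the report describes.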


