From owner-freebsd-ipfw@FreeBSD.ORG Sun May 1 14:47:06 2005
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 631BF16A4CE for ; Sun, 1 May 2005 14:47:06 +0000 (GMT)
Received: from kira.epconline.net (kira.epconline.net [68.90.68.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC18943D49 for ; Sun, 1 May 2005 14:47:05 +0000 (GMT) (envelope-from carock@epconline.com)
Received: from kira.epconline.net (localhost [127.0.0.1]) by kira.epconline.net (8.13.4/8.12.10) with ESMTP id j41El2Vg075153 for ; Sun, 1 May 2005 09:47:02 -0500 (CDT) (envelope-from carock@epconline.com)
Received: from localhost (carock@localhost) j41El2oD075149 for ; Sun, 1 May 2005 09:47:02 -0500 (CDT) (envelope-from carock@epconline.com)
X-Authentication-Warning: kira.epconline.net: carock owned process doing -bs
Date: Sun, 1 May 2005 09:47:02 -0500 (CDT)
From: Chuck Rock
X-X-Sender: carock@kira.epconline.net
To: freebsd-ipfw@freebsd.org
Message-ID: <20050501093740.C38031@kira.epconline.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-EPC-Online-Kira-MailScanner-Information: Please contact the ISP for more information
X-EPC-Online-Kira-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-MailScanner-From: carock@epconline.com
Subject: Problem with high load on Xeon server...
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 01 May 2005 14:47:06 -0000

I'm running FreeBSD release 5.2.1

I would like to add 61,000+ rules to ipfw. When I get to about 10,000
rules, the box's load gets real high, and stays there until I delete the
rules.

Has anyone actually used the 60,000+ rule numbers available? I've tried
this on two different servers with similar results.

One server is Dual Xeon 2.8Gig. Average load is between 1 and 2 with 7
rules in ipfw. Load goes between 17 and 28 with around 12,000 rules.

The other server is dual P3-1Gig with avg. load of 1 with 7 rules. With
about 9,000 rules, the load goes to 8. With 20,000 rules, the box
overloaded and locked up, no kernel panic, just no keyboard, mouse, IP
traffic, console screen froze, etc.

Both boxes showed no excessive memory usage.

Why 60,000 IPs you ask... These boxes are high traffic mail servers, and
I've got an extensive sendmail access file. I wanted to keep the servers
from handling so much spam by blocking the IPs of relays that failed the
access list relay check.

Over about one week, I have 60,000+ unique IP addresses from my logs.

On one server when I was able to get about 21,000 rules in, the rate of
spam dropped from 90% to about 50%, so I could really tell it was working.

I just need to figure out how to drop those packets.

I was also thinking of building a bridge firewall so the server wasn't
doing anything but filtering packets, but after seeing that ipfw couldn't
even handle half of the 65,000 rules available, I'm having second
thoughts.

Anyone have any ideas?

Thanks,
Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 1 15:28:01 2005
From: "Richard Tector"
To: "'Chuck Rock'"
Date: Sun, 1 May 2005 16:27:56 +0100
Message-ID: <000001c54e62$5ab80ca0$0c01000a@RLaptop>
In-Reply-To: <20050501093740.C38031@kira.epconline.net>
Subject: RE: Problem with high load on Xeon server...

> Why 60,000 IPs you ask... These boxes are high traffic mail servers, and
> I've got an extensive sendmail access file. I wanted to keep the servers
> from handling so much spam by blocking the IPs of relays that failed the
> access list relay check.
> Over about one week, I have 60,000+ unique IP addresses from my logs.

You might want to consider using pf which has extensive table support. I'm
not sure what the limits are on the table size, but you simply add another.
This means a minimal ruleset and table lookups are orders of magnitude
faster than rule processing.

Ipfw now has table support. In 5.3+ at least. I don't know how quick these
are in comparison to pf however.

The only problem with using pf is you'd ideally need to upgrade to 5.3 or
above. Perhaps rig up another box to try it on?
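The table-based approach Richard describes, as an added example that is not part of his message and not FreeBSD's own tooling: a small POSIX sh script that turns a log-derived list of relay addresses into either ipfw table commands (the 5.3+ syntax, with one table entry per address and a single deny rule matching the table) or a pf table plus rule. The address list embedded below is a constructed sample using documentation ranges, and the table number (1), rule number (100) and pf table name (spamrelays) are assumptions. The script only prints the commands, so the output can be reviewed before it is piped into sh on the firewall.

```shell
#!/bin/sh
# Build a firewall blocklist from a list of relay IPs, one address per line.
# Assumed input: a text file of IPv4 addresses, '#' comment lines allowed.
# Nothing here touches the running firewall; the output is meant to be
# inspected and then fed to sh (ipfw) or written into pf.conf (pf).

# Constructed sample, standing in for addresses harvested from maillog.
# Deliberately contains duplicates and junk so the filtering is visible.
SAMPLE_LIST='# relays that failed the sendmail access check
192.0.2.10
198.51.100.7
192.0.2.10
not-an-address
203.0.113.250
999.1.1.1
203.0.113.250'

# Keep only syntactically valid, unique IPv4 addresses (four octets, 0-255).
clean_ips() {
    grep -v '^#' | awk -F. '
        NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok && !seen[$0]++) print
        }'
}

# ipfw (5.3+): flush and refill the table, then one rule that consults it.
# Evaluation cost of the ruleset no longer grows with the size of the list.
ipfw_cmds() {   # $1 = table number, $2 = rule number
    echo "ipfw table $1 flush"
    clean_ips | sed "s/^/ipfw table $1 add /"
    echo "ipfw add $2 deny tcp from \"table($1)\" to me 25"
}

# pf: the same list as a persistent table and a rule that uses it.
pf_rules() {    # $1 = table name
    echo "table <$1> persist {"
    clean_ips | sed 's/^/    /'
    echo "}"
    echo "block in quick proto tcp from <$1> to any port 25"
}

# Number of usable addresses, for a sanity check before loading.
count_ips() { clean_ips | wc -l | tr -d ' '; }

if [ "${1:-}" = "pf" ]; then
    printf '%s\n' "$SAMPLE_LIST" | pf_rules spamrelays
else
    printf '%s\n' "$SAMPLE_LIST" | ipfw_cmds 1 100
fi
```

The deny rule is restricted to TCP port 25 on the host itself, so a listed relay that is also, say, a DNS or NTP peer keeps working; widening it to all IP traffic is a one-word change if that is what is wanted. Flushing before refilling keeps the table equal to the list rather than accumulating stale entries across runs.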
Regards,

Richard Tector

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 1 15:54:27 2005
From: Henry Blackman
Date: Sun, 1 May 2005 16:54:20 +0100
To: freebsd-ipfw@freebsd.org
In-Reply-To: <20050501093740.C38031@kira.epconline.net>
References: <20050501093740.C38031@kira.epconline.net>
Subject: Re: Problem with high load on Xeon server...

There are better ways of achieving what you're trying to do. Using black
lists (spamcop.net etc) is more efficient, but of course is resource
intensive for busy servers - it is however dramatically better than doing
what you're doing, which probably isn't sustainable in the longer term.

I'd take a look at SpamAssassin, or you can simply use blacklists
bl.spamcop.net and others, in sendmail. SpamAssassin can also do other
things than simply block IP addresses...

Henry

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 1 16:08:42 2005
Date: Sun, 1 May 2005 11:08:37 -0500 (CDT)
From: Chuck Rock
To: Henry Blackman
cc: freebsd-ipfw@freebsd.org
Message-ID: <20050501110206.A18734@kira.epconline.net>
References: <20050501093740.C38031@kira.epconline.net>
Subject: Re: Problem with high load on Xeon server...

Actually we are already doing that, MailScanner and SpamAssassin. Being an
ISP though, I can't tighten those down too tight. I have 2000 customers'
needs to address with my mail system.

The idea is to alleviate the load on those applications because they never
receive the message to begin with.

I have a cluster of 4 P3 servers running MailScanner and ClamAV as a front
end. Round robin DNS keeps them pretty well averaged between them. They
still relay approximately 60k messages each per 24 hours.

The dual Xeon box is the final destination for much mail, but it's also
backup MX for at least 1000 domains, and gets hit with a lot of spam too.
It also has the responsibility of running SpamAssassin for individual user
mailboxes, and hosts about 1500 mailboxes.

The load isn't bad on any of the boxes, I just wanted to make them last
longer/handle less spam, etc. by packet filtering known bad relays before
they reach the applications like Sendmail, ClamAV, MailScanner. Each of
them takes its toll on the resources of the machine, and there isn't much
upgrading to do on a Xeon 2.8G.

Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 1 16:10:36 2005
Date: Sun, 1 May 2005 11:10:33 -0500 (CDT)
From: Chuck Rock
To: Richard Tector
cc: freebsd-ipfw@freebsd.org
In-Reply-To: <000001c54e62$5ab80ca0$0c01000a@RLaptop>
Message-ID: <20050501110937.A18734@kira.epconline.net>
Subject: RE: Problem with high load on Xeon server...

I'm still thinking the bridge firewall is the best route since I can affect
all of my inbound servers at one point instead of loading up the rules on
each individual server.

I will look into the pf solution.

Thanks,
Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 2 11:02:24 2005
Date: Mon, 2 May 2005 11:02:23 GMT
Message-Id: <200505021102.j42B2NWn030682@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw   ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25]  kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13]  kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o [2004/12/25]  i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue May 3 21:29:17 2005
From: "David Schwartz"
To: "Freebsd-Ipfw@Freebsd. Org"
Date: Tue, 3 May 2005 14:28:12 -0700
Reply-To: davids@webmaster.com
Subject: Option to sanely handle dynamic rule overflow

I have a bunch of FreeBSD machines that act as firewalls. We use dynamic
rules for accounting but not filtering. One problem we have is that a denial
of service attack is possible by creating millions of dynamic firewall
rules. This causes ipfw to drop packets.

I've created a patch to make a sysctl option to cause FreeBSD to offer
another option in handling packets that try to create a dynamic rule when
one cannot be created. With this option selected, the rule fails to match if
it cannot create a dynamic rule, allowing the packet to be handled in any
way desired simply by following the rule with another rule.

Below is a diff. Comments are greatly appreciated.

David Schwartz

--- orig/ip_fw2.c 2005-05-03 14:02:43.987438426 -0700
+++ new/ip_fw2.c 2005-05-03 14:20:09.105853002 -0700
@@ -211,8 +211,9 @@ SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, ve */ static ipfw_dyn_rule **ipfw_dyn_v = NULL; static u_int32_t dyn_buckets = 256; /* must be power of 2 */ static u_int32_t curr_dyn_buckets = 256; /* must be power of 2 */ +static u_int32_t drop_dyn_full = 1; /* drop packets if rule table full */ static struct mtx ipfw_dyn_mtx; /* mutex guarding dynamic rules */ #define IPFW_DYN_LOCK_INIT() \ mtx_init(&ipfw_dyn_mtx, "IPFW dynamic rules", NULL, MTX_DEF) @@ -271,8 +272,10 @@ SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dy SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW, &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, CTLFLAG_RW, &dyn_keepalive, 0, "Enable keepalives for dyn. rules"); +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, drop_dyn_full, CTLFLAG_RW, + &drop_dyn_full, 0, "Drop if too many dyn. rules"); #endif /* SYSCTL_NODE */ @@ -1128,8 +1131,9 @@ install_state(struct ip_fw *rule, ipfw_i last_log = time_second; printf("ipfw: install_state: Too many dynamic rules\n"); } IPFW_DYN_UNLOCK(); + if(drop_dyn_full) return 2; /* do not match */ return 1; /* cannot install, notify caller */ } switch (cmd->o.opcode) { 
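Review bot: in the install_state hunk the sense of drop_dyn_full is inverted relative to its declaration and its sysctl text. The knob is declared as `static u_int32_t drop_dyn_full = 1; /* drop packets if rule table full */` and described as "Drop if too many dyn. rules", yet the added line `if(drop_dyn_full) return 2; /* do not match */` makes the value 1 select the new fail-to-match path and leaves the old deny path (`return 1`) for 0. Because the default is 1, every existing installation would silently change behaviour on overflow. Either test `!drop_dyn_full` here, or rename the knob so its name says what 1 does, and in both cases keep the default equal to today's behaviour so the new path is opt-in. Minor: style(9) wants `if (` with a space and the return on its own line.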
@@ -2296,14 +2300,17 @@ check_body: * effectively NOPs. */ case O_LIMIT: case O_KEEP_STATE: - if (install_state(f, - (ipfw_insn_limit *)cmd, args)) { + retval = install_state(f, + (ipfw_insn_limit *)cmd, args); + if(retval == 1) { retval = IP_FW_PORT_DENY_FLAG; goto done; /* error/limit violation */ } - match = 1; + if(retval == 2) match = 0; + else match = 1; + retval = 0; break; case O_PROBE_STATE: case O_CHECK_STATE: From owner-freebsd-ipfw@FreeBSD.ORG Sat May 7 08:55:10 2005 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F42A16A4D8 for ; Sat, 7 May 2005 08:55:10 +0000 (GMT) Received: from istanbul.enderunix.org (freefall.marmara.edu.tr [193.140.143.23]) by mx1.FreeBSD.org (Postfix) with SMTP id 78C1943DB7 for ; Sat, 7 May 2005 08:55:09 +0000 (GMT) (envelope-from ofsen@enderunix.org) Received: (qmail 1355 invoked by uid 89); 7 May 2005 08:55:08 -0000 X-Mail-Scanner: Scanned by qSheff 0.8-p3 against viruses and spams (http://www.enderunix.org/qsheff/) Message-ID: <20050507085508.1352.qmail@istanbul.enderunix.org> 
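Review bot: the bare return codes 1 and 2 tested in this hunk (`if(retval == 1)` and `if(retval == 2) match = 0;`) are not named anywhere, so the meaning of each has to be recovered from install_state by hand; three named constants for the outcomes (installed, cannot install, do not match) used on both sides would make the contract explicit. Reusing `retval`, the function's own return variable, as the temporary also makes the trailing `retval = 0;` load-bearing, since anything other than 0 would otherwise leak out as the verdict; a dedicated local avoids that. Finally, `else match = 1;` treats any value other than 1 or 2 as a match, which is the permissive outcome; an explicit `== 0` test for the installed case, with any other value going to the deny path, would fail closed.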
From: Omer Faruk Sen
To: ipfw@freebsd.org
Date: Sat, 07 May 2005 11:55:08 +0300
Subject: ipfw sysctl knobs

Hi,

We at EnderUNIX.ORG have opened a website that will hopefully solve the
problem of understanding sysctl knobs better. I thought that since you are
the ones responsible for the ipfw subsystem, you can best enter the related
sysctl knobs at http://sysctl.enderunix.org.

Best Regards.

-----------------------
Omer Faruk Sen
http://www.EnderUNIX.ORG
Software Development Team @ Turkey
http://www.Faruk.NET
For Public key: http://www.enderunix.org/ofsen/ofsen.asc

********************************************************
First Turkish FreeBSD book is out! Go check it.
Have you heard? Turkey's first FreeBSD book is out.
http://www.acikakademi.com/freebsd.php