From owner-freebsd-pf@FreeBSD.ORG Mon Aug 4 11:06:59 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 4 Aug 2008 11:06:59 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented

6 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/125467  pf    [pf] pf keep state bug while handling sessions between

10 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 4 20:51:08 2008
From: "Ismail OZATAY"
To: freebsd-pf@freebsd.org
Date: Mon, 4 Aug 2008 23:24:23 +0300
Subject: About policy routing

Hi there,

Today I tried to set up policy routing with pf on a FreeBSD 7 server for my second internet connection, but couldn't get it to work. My default gateway is the DSL line and I want to use the leased line for the second connection. I do not know where the problem is.
Here is my pf.conf file:

    ll="sk0"
    ll_gw="212.212.1.1"
    ll_ip="212.212.1.2"

    dmz="sk1"
    dmz_net="230.230.1.176/28"
    dmz_ip="230.230.1.177"

    dsl="rl0"
    dsl_gw="10.1.1.1"
    dsl_ip="10.1.1.2"

    int="sk2"
    int_net="10.10.10.0/24"
    int_ip="10.10.10.1"

    set optimization aggressive
    set skip on lo

    scrub in all

    nat on $dsl from $int_net to any -> $dsl_ip

    # Default block
    ###############
    block in log all
    block out log all

    antispoof quick for { lo $int $ll $dsl $dmz }
    pass out on $dsl inet proto tcp from $dsl to any keep state
    pass out on $dsl inet proto udp from $dsl to any keep state
    pass out on $ll inet proto tcp from $ll to any keep state
    pass out on $ll inet proto udp from $ll to any keep state

    pass in on $int inet proto tcp from $int_net to any port { http, https } \
        flags S/SA keep state
    pass in on $int inet proto udp from $int_net to any port domain keep state

    # DMZ traffic is sent out the leased line instead of the default (DSL) route
    pass in log on $dmz route-to ($ll $ll_gw) inet proto tcp from $dmz_net to \
        any port { http, https } flags S/SA keep state
    # "flags S/SA" only applies to TCP (pfctl rejects it on a UDP rule with
    # "flags only apply to tcp"), so it is left off the UDP rule
    pass in log on $dmz route-to ($ll $ll_gw) inet proto udp from $dmz_net to \
        any port domain keep state

Can you correct me?
Thanks,
ismail

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 5 14:14:35 2008
From: "Rodrique Heron"
To: freebsd-pf@freebsd.org
Date: Tue, 5 Aug 2008 09:48:16 -0400
Subject: Understanding Load Balancing with DNS+PF+CARP

I'm running an Apache reverse proxy on PF+CARP, one node as master and the other as backup. I want an active/active setup, but since I don't have a hardware load balancer I'm banking on DNS. I would like to understand what happens when a host connects to the cluster for the first time after the first DNS query.

So a user requests www.website.com and DNS round-robin points the user to node1; what happens when the user makes another request? Is there another DNS lookup? Will the user be sent back to node1? Does it make a difference if the server is hosting static content or an application?

Thanks

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 6 09:28:12 2008
From: "Vitaliy Vladimirovich"
To: freebsd-pf@freebsd.org
Date: Wed, 06 Aug 2008 12:28:09 +0300
Subject: pf and torrent clients

Hi, All.

I have one question about pf. In my LAN some users use torrent clients. These torrent clients create states with 86400s timeouts. But when users shut down their computers at the end of the working day, the entries remain until the 86400s expiry, not 90s as when closing web or FTP sessions. I assume that the torrent client does not close the connection. How can I adjust pf so that it deletes the "dead" entries created by torrent?
Thanks!

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 6 15:55:56 2008
From: "Dalibor Gudzic"
To: freebsd-pf@freebsd.org
Date: Wed, 6 Aug 2008 17:29:44 +0200
Subject: Re: pf and torrent clients

2008/8/6 Vitaliy Vladimirovich
> Hi, All.
>
> I have one question about pf. In my LAN some users use torrent clients.
> These torrent clients create states with 86400s timeouts. But when users
> shut down their computers at the end of the working day, the entries remain
> until the 86400s expiry, not 90s as when closing web or FTP sessions.
> I assume that the torrent client does not close the connection. How can I
> adjust pf so that it deletes the "dead" entries created by torrent?
>
> Thanks!

You might wanna check the "set timeout" section in the pf.conf(5) man page.

You can check the default timeout options with:

    pfctl -st

Cheers

P.S. Sorry, forgot to cc the list.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 6 21:40:31 2008
From: "TECO DRYER"
To: freebsd-pf@freebsd.org
Date: Wed, 6 Aug 2008 21:40:30 +0000 (UTC)
Subject: Teco Industry is in the business of corn, wheat, paddy, and vegetable dr

Teco Industry is in the business of corn, wheat, paddy, and vegetable drying machines and the production and marketing of silo & steel construction. Related to the machines that our company produces, Teco Industry has representatives in Bulgaria, Albania, Ukraine, Tatarstan, Kazakhstan, Russia, Angola and Indonesia. Our partners in these countries are accepted as the leaders in the steel industry. The quality of the produced machines is approved by international standards. Teco is guaranteed by CE and ISO 9001-2000 certificates. Teco also contributes to the national economy by creating jobs in designing, project, production, import and export. Teco materializes R&D activities with its professional staff. Quality results are presented to the customers during the production, import and export. Our company takes the leadership of producing and marketing nationally and internationally.

For Grain, Oily Seeds, and Pulses:
  Silos
  Corn and Soybean Drying Machines
  Handling Systems like Bucket Elevator, Chain Conveyor and Helix
  Prop Towers and Catwalks for Handling Systems
  Unloading Truck Lifts
  Industrial Foundations, Steel Construction

With the expert staff, we take an important target like ''Customer Satisfaction and Service Quality'' and perform service and counseling duties successfully.

--------------------------------------------------------------------------------
Contact Us, Teco Dryer Company is ready for a long partnership with you.
Sales Engineer
Erkan AYMAN
eayman@tecodryer.com

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 08:41:45 2008
From: Ask Bjørn Hansen
To: Rodrique Heron
Cc: freebsd-pf@freebsd.org
Date: Thu, 7 Aug 2008 01:15:01 -0700
Subject: Re: Understanding Load Balancing with DNS+PF+CARP

On Aug 5, 2008, at 6:48, Rodrique Heron wrote:

> I'm running an Apache reverse proxy on PF+CARP, one node as master and the
> other as backup. I want an active/active setup, but since I don't have a
> hardware load balancer I'm banking on DNS. I would like to understand what
> happens when a host connects to the cluster for the first time after the
> first DNS query.
>
> So a user requests www.website.com and DNS round-robin points the user to
> node1; what happens when the user makes another request?

"It depends". The client is in control of that. Clients are different.

The setup I usually recommend is to have CARP (or similar) move one IP around and then have nginx or perlbal running to load balance to the actual servers.

 - ask

-- 
http://develooper.com/ - http://askask.com/

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 10:45:07 2008
From: Tom Huppi
To: freebsd-pf@freebsd.org
Date: Thu, 7 Aug 2008 06:18:25 -0400
Subject: syn flood, tcpdump readings

I have been using 'pf' for about 8 months now, and it has been rock solid and a real pleasure to use. I built it into: FreeBSD 6.3-PRERELEASE (PEO2) #2: Mon Dec 10 19:45:05 PST 2007.
I've not wished to restart PF for 7 months since it is doing live traffic and I didn't do a pfsync implementation (won't make that mistake again and am working on such a solution now.)

I am making high use of the load balancer and it is extremely useful to us.

My gateway host acts as a simple router with three physical interfaces, but I only filter on the interface connected to my provider (set skip on { lo0 em0 bce1 }).

Anyway, I am getting what I believe to be syn floods periodically. They dwarf my production traffic and sometimes get close to producing as much bandwidth as we are paying for. A representative sample looks like so when viewed with tcpdump on my outward interface ('em1'):

    21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
    21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
    21:36:53.870325 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
    21:36:53.870369 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
    21:36:53.870371 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
    21:36:53.870373 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
    21:36:53.870375 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
    21:36:53.870377 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384
    21:36:53.870381 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
    21:36:53.870383 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
    21:36:53.870385 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
    21:36:53.870396 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
    21:36:53.870403 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
    21:36:53.870409 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
    21:36:53.870416 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
    21:36:53.870422 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384

I run 'pfstat' and here is a representative chart showing bandwidth. The chart of packets almost completely obscures real traffic since the syn packets are small:

    http://www.huppi.com/t/tmp/pfstat_2days.png

My confusion is that my charts show outgoing traffic matching incoming traffic, but I see no outgoing with tcpdump. My uplink is Gig ethernet rate-limited by my network provider. I think perhaps the outgoing traffic is something other than TCP, but I wanted to ask on this list since I couldn't spot an answer in surfing around and network stuff is really not my area of expertise.

My fear is that I actually am responding in some manner to these packets and either inviting more of these attacks, or worse, allowing my service to attack other people (say if the incoming IP was spoofed to an attack target.)

---

A slightly less important question is whether attacks like this are 'par for the course' and expected, and how bad they can get. I do fear that at an inopportune time I will receive an attack which consumes all of my bandwidth and causes performance issues for my real traffic. (I'm developing more faith in PF's ability to handle things... so far I see no degradation whatsoever during these attacks.)

My typical rules look like so:

    pass proto tcp from any to port $tase_int_ports flags S/SA synproxy state

and I really only notice attacks after I started using 'synproxy'. Whether I had them prior and just didn't notice, I am not sure. I've not used any of the 'max-*' stuff because I don't fully understand the problem and issues, and I am using a somewhat dated codebase.

---

Thanks for any thoughts, hints, pointers, etc.
 - Tom

-- 

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 16:02:39 2008
From: FreeBSD (envelope-from freebsd@optiksecurite.com)
To: Tom Huppi
Cc: freebsd-pf@freebsd.org
Date: Thu, 07 Aug 2008 11:10:01 -0400
Subject: Re: syn flood, tcpdump readings

Tom Huppi wrote:
> I have been using 'pf' for about 8 months now, and it has been
> rock solid and a real pleasure to use. I built it into: FreeBSD
> 6.3-PRERELEASE (PEO2) #2: Mon Dec 10 19:45:05 PST 2007. I've
> not wished to restart PF for 7 months since it is doing live
> traffic and I didn't do a pfsync implementation (won't make that
> mistake again and am working on such a solution now.)
>
> I am making high use of the load balancer and it is extremely
> useful to us.
>
> My gateway host acts as a simple router with three physical
> interfaces, but I only filter on the interface connected to my
> provider (set skip on { lo0 em0 bce1 }).
>
> Anyway, I am getting what I believe to be syn floods
> periodically. They dwarf my production traffic and sometimes
> get close to producing as much bandwidth as we are paying for. A
> representative sample looks like so when viewed with tcpdump on
> my outward interface ('em1'):
>
> 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
> 21:36:53.870325 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
> 21:36:53.870369 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
> 21:36:53.870371 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
> 21:36:53.870373 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
> 21:36:53.870375 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
> 21:36:53.870377 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384
> 21:36:53.870381 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> 21:36:53.870383 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
> 21:36:53.870385 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
> 21:36:53.870396 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
> 21:36:53.870403 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
> 21:36:53.870409 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
> 21:36:53.870416 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
> 21:36:53.870422 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384
>
>
> I run 'pfstat' and here is a representative chart showing
> bandwidth. The chart of packets almost completely obscures real
> traffic since the syn packets are small:
>
> http://www.huppi.com/t/tmp/pfstat_2days.png
>
>
> My confusion is that my charts show outgoing traffic matching
> incoming traffic, but I see no outgoing with tcpdump. My
> uplink is Gig ethernet rate-limited by my network provider. I
> think perhaps the outgoing traffic is something other than TCP,
> but I wanted to ask on this list since I couldn't spot an answer
> in surfing around and network stuff is really not my area of
> expertise.
>
> My fear is that I actually am responding in some manner to these
> packets and either inviting more of these attacks, or worse,
> allowing my service to attack other people (say if the incoming
> IP was spoofed to an attack target.)
>
> ---
>
> A slightly less important question is whether attacks like this
> are 'par for the course' and expected, and how bad they can
> get. I do fear that at an inopportune time I will receive an
> attack which consumes all of my bandwidth and causes performance
> issues for my real traffic. (I'm developing more faith in
> PF's ability to handle things... so far I see no degradation
> whatsoever during these attacks.)
>
>
> My typical rules look like so:
>
> pass proto tcp from any to port $tase_int_ports flags S/SA synproxy state
>
> and I really only notice attacks after I started using
> 'synproxy'. Whether I had them prior and just didn't notice, I
> am not sure.
> I've not used any of the 'max-*' stuff because I
> don't fully understand the problem and issues, and I am using a
> somewhat dated codebase.
>
> ---
>
> Thanks for any thoughts, hints, pointers, etc.
>
> - Tom
>

Hi,

I think that you should look at the 'scrub' directive in pf.conf. I think that a 'scrub in all' should block that kind of malformed packets.

Martin

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 16:13:59 2008
From: Nejc Škoberne
To: freebsd-pf@freebsd.org
Cc: Mitar, Weiss
Date: Thu, 07 Aug 2008 18:06:30 +0200
Subject: pf and jails

Hello,

I have a server with multiple jails of different types (service jails, user jails, ...). In my rc.conf I have (the relevant parts):

    # Host
    ifconfig_bge0="a.b.c.242 netmask 255.255.255.240"
    # Host
    ifconfig_bge0_alias0="a.b.c.243 netmask 255.255.255.255"
    # Common
    defaultrouter="a.b.c.241"
    # Jails
    cloned_interfaces="lo1 lo2"
    ifconfig_lo1="10.1.1.1 netmask 255.255.255.0"
    ifconfig_lo2="10.1.2.1 netmask 255.255.255.0"
    jail_first_ip="a.b.c.244"
    jail_first_interface="bge0 netmask 255.255.255.240"
    jail_second_ip="10.1.1.13"
    jail_second_interface="lo1 netmask 255.255.255.0"
    jail_third_ip="10.1.2.10"
    jail_third_interface="lo2 netmask 255.255.255.0"

Now I would like to do firewalling between these jails, so that users of the second and the third jail can't ssh to the first jail, for example. I thought this could be done by simply doing:

- block log all
- pass on lo0 all
- [define other pass rules like: pass out on lo1 from ... to ...]

But then I realized that all the traffic which travels between the jails themselves, and between the jails and the host, is only "visible" on the lo0 interface. So I guess this is by design. So my only option would be blocking all on lo0 and then doing pass rules only on lo0? I guess this is harder, because I need to observe carefully what needs to be passed on lo0 in order not to break anything?

How do you do it?
Thanks,
Nejc

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 17:11:52 2008
From: Tom Huppi
Date: Thu, 7 Aug 2008 13:11:50 -0400
To: FreeBSD
Cc: freebsd-pf@freebsd.org
Message-ID: <20080807171150.GD10818@huppi.com>
In-Reply-To: <489B1049.9000002@optiksecurite.com>
Subject: Re: syn flood, tcpdump readings

On 11:10 Thu 07 Aug , FreeBSD wrote:
> Tom Huppi wrote:
> > I have been using 'pf' for about 8 months now, and it has been
> > rock solid and a real pleasure to use. I built it into: FreeBSD
> > 6.3-PRERELEASE (PEO2) #2: Mon Dec 10 19:45:05 PST 2007. I've
> > not wished to re-start PF for 7 months since it is doing live
> > traffic and I didn't do a pfsync implementation (won't make that
> > mistake again and am working on such a solution now.)
> >
> > I am making high use of the load balancer and it is extremely
> > useful to us.
> >
> > My gateway host acts as a simple router with three physical
> > interfaces, but I only filter on the interface connected to my
> > provider (set skip on { lo0 em0 bce1 }).
> >
> > Anyway, I am getting what I believe to be syn floods
> > periodically. They dwarf my production traffic and sometimes
> > get close to producing as much bandwidth as we are paying for. A
> > representative sample looks like so when viewed with tcpdump on
> > my outward interface ('em1'):
> >
> > 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> > 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
> > 21:36:53.870325 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
> > 21:36:53.870369 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
> > 21:36:53.870371 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
> > 21:36:53.870373 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
> > 21:36:53.870375 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
> > 21:36:53.870377 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384
> > 21:36:53.870381 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> > 21:36:53.870383 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
> > 21:36:53.870385 IP 125.21.176.19.x11 > 74.123.192.190.domain: S 1669070848:1669070848(0) win 16384
> > 21:36:53.870396 IP 125.21.176.19.x11 > 74.123.192.185.domain: S 601948160:601948160(0) win 16384
> > 21:36:53.870403 IP 125.21.176.19.x11 > 74.123.192.166.domain: S 1129906176:1129906176(0) win 16384
> > 21:36:53.870409 IP 125.21.176.19.x11 > 74.123.192.179.domain: S 1231945728:1231945728(0) win 16384
> > 21:36:53.870416 IP 125.21.176.19.x11 > 74.123.192.171.domain: S 1524105216:1524105216(0) win 16384
> > 21:36:53.870422 IP 125.21.176.19.x11 > 74.123.192.26.domain: S 1212678144:1212678144(0) win 16384
> >
> > I run 'pfstat' and here is a representative chart showing
> > bandwidth. The chart of packets almost completely obscures real
> > traffic since the syn packets are small:
> >
> > http://www.huppi.com/t/tmp/pfstat_2days.png
> >
> > My confusion is that my charts show outgoing traffic matching
> > incoming traffic, but I see no outgoing with tcpdump. My
> > uplink is Gig ethernet rate-limited by my network provider. I
> > think perhaps the outgoing traffic is something other than TCP,
> > but I wanted to ask on this list since I couldn't spot an answer
> > in surfing around and network stuff is really not my area of
> > expertise.
> >
> > My fear is that I actually am responding in some manner to these
> > packets and either inviting more of these attacks, or worse,
> > allowing my service to attack other people (say if the incoming
> > IP was spoofed to an attack target.)
> >
> > ---
> >
> > A slightly less important question is whether attacks like this
> > are 'par for the course' and expected, and how bad they can
> > get. I do fear that at an inopportune time I will receive an
> > attack which consumes all of my bandwidth and causes performance
> > issues for my real traffic. (I'm developing more faith in
> > PF's ability to handle things...so far I see no degradation
> > whatsoever during these attacks.)
> >
> > My typical rules look like so:
> >
> > pass proto tcp from any to port $tase_int_ports flags S/SA synproxy state
> >
> > and I really only notice attacks after I started using
> > 'synproxy'. Whether I had them prior and just didn't notice, I
> > am not sure. I've not used any of the 'max-*' stuff because I
> > don't fully understand the problem and issues, and I am using a
> > somewhat dated codebase.
> >
> > ---
> >
> > Thanks for any thoughts, hints, pointers, etc.
> >
> > - Tom
>
> Hi,
>
> I think that you should look at the 'scrub' directive in pf.conf. I
> think that a 'scrub in all' should block that kind of malformed packets.

I have used 'scrub' in one form or another from the start. My current one
looks like so:

scrub on $ext_if all reassemble tcp
#scrub in on $ext_if
#scrub in all

Actually, I think that PF is doing a fine job of 'blocking' the packets, but
I of course have limited control over the packets getting to my gateway in
the first place.

I was probably not clear on my question. To re-phrase:

1) Am I really sending out as much bandwidth as I am receiving when these
   trillions of packets arrive?

2) If so, why can I not see the traffic with tcpdump?

Thanks for any insights,

- Tom

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 17:32:33 2008
From: "David DeSimone"
Date: Thu, 7 Aug 2008 12:32:26 -0500
Mail-Followup-To: freebsd-pf@freebsd.org
Message-ID: <20080807173225.GA17926@verio.net>
In-Reply-To: <20080807101825.GC10818@huppi.com>
Subject: Re: syn flood, tcpdump readings

Tom Huppi wrote:
>
> Anyway, I am getting what I believe to be syn floods
> periodically. They dwarf my production traffic and sometimes
> get close to producing as much bandwidth as we are paying for. A
> representative sample looks like so when viewed with tcpdump on
> my outward interface ('em1'):
>
> 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384

Since you went to the trouble of obscuring the source IP, I presume that
the source IP is your IP. So, these look like responses, i.e. outbound
traffic, not inbound, since they are sourced from your IP. You can use
tcpdump's -e flag to be sure who is sending and who is receiving.

--
David DeSimone == Network Admin == fox@verio.net
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat
it, and I just hate it." -- Clarence Darrow

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 18:00:56 2008
From: Tom Huppi
Date: Thu, 7 Aug 2008 14:00:54 -0400
To: freebsd-pf@freebsd.org
Message-ID: <20080807180054.GE10818@huppi.com>
In-Reply-To: <20080807173225.GA17926@verio.net>
Subject: Re: syn flood, tcpdump readings
On 12:32 Thu 07 Aug , David DeSimone wrote:
> Tom Huppi wrote:
> >
> > Anyway, I am getting what I believe to be syn floods
> > periodically. They dwarf my production traffic and sometimes
> > get close to producing as much bandwidth as we are paying for. A
> > representative sample looks like so when viewed with tcpdump on
> > my outward interface ('em1'):
> >
> > 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> > 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
>
> Since you went to the trouble of obscuring the source IP, I presume that
> the source IP is your IP. So, these look like responses, i.e. outbound
> traffic, not inbound, since they are sourced from your IP. You can use
> tcpdump's -e flag to be sure who is sending and who is receiving.

I obscured my own IP range which is the 74.nnn.nnn. one and it is a /24.
Interestingly most of the IP's on my side are ones where I have no host.
The reason why is that I figured that if I myself were a semi-sophisticated
cracker, I would look for targets of opportunity on the various mailing
lists where one could identify both networks administered by newbie/part-time
personnel, and often a fair amount about the configuration of said :)

The IP '125.21.176.19' is exactly as it appeared on my tcpdump. It shows as
a telecom company in India in this case...usually it's some network company
or another in China.

My network looks like so:

                              -------------
                              em0  <---> internal range
Network Provider <----> em1 | pf firewall |
   (Internap)                 -------------
                              bce1 <---> dmz range

I took the tcpdump output to indicate that SYN packets showing an Indian
origin were showing up addressed to (mainly non-existent) IP addresses
within my /24 network.

I'll look at 'tcpdump -e'. Thanks for the hint!

- Tom

> --
> David DeSimone == Network Admin == fox@verio.net
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it." -- Clarence Darrow

--
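The thread ends on David's point: before deciding whether a burst like the one above is inbound or is your own gateway answering, check which side each packet is sourced from. The following is an added example, not code from the thread or from pf/tcpdump: it parses tcpdump lines in the format posted above (and `-e` lines, whose leading MAC pair is assumed to look like `00:1b:21:aa:bb:cc > 00:0c:29:dd:ee:ff, ethertype IPv4 (0x0800), length 60:`), classifies each bare SYN relative to a local prefix (74.123.192.0/24 here), and lists sources that sweep many distinct local addresses; the sample lines are constructed.

```python
"""Added example (not from the thread): direction and fan-out check for
tcpdump lines like the ones posted above. Assumes the classic text format
"IP src.port > dst.port: S seq:seq(0) win N" and an assumed -e prefix."""
import ipaddress
import re
from collections import defaultdict

# "a.b.c.d.port > a.b.c.d.port: <flags>" in old ("S 1:1(0)") or newer
# ("Flags [S], seq ...") tcpdump syntax; MAC pair only appears with -e.
_L4 = re.compile(r'(\d+\.\d+\.\d+\.\d+)\.(\S+) > (\d+\.\d+\.\d+\.\d+)\.(\S+): '
                 r'(?:Flags \[([^\]]*)\]|(\S+))')
_MAC = re.compile(r'([0-9a-f]{2}(?::[0-9a-f]{2}){5}) > ([0-9a-f]{2}(?::[0-9a-f]{2}){5})')

def parse_line(line):
    """Return {src, dst, flags, src_mac, dst_mac}, or None for non-TCP lines."""
    m = _L4.search(line)
    if not m:
        return None
    mac = _MAC.search(line)           # None unless captured with `tcpdump -e`
    return {'src': m.group(1), 'dst': m.group(3),
            'flags': m.group(5) if m.group(5) is not None else m.group(6),
            'src_mac': mac.group(1) if mac else None,
            'dst_mac': mac.group(2) if mac else None}

def direction(pkt, local_net):
    """'inbound' if only dst is in local_net, 'outbound' if only src is."""
    net = ipaddress.ip_network(local_net)
    src_local, dst_local = (ipaddress.ip_address(pkt[k]) in net for k in ('src', 'dst'))
    if src_local != dst_local:
        return 'outbound' if src_local else 'inbound'
    return 'other'

def summarize(lines, local_net, fanout=8):
    """Count bare SYNs per direction; list sources hitting >= fanout distinct dsts."""
    by_dir = defaultdict(int)
    dsts = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt['flags'] != 'S':   # "S." is a SYN-ACK, not a SYN
            continue
        by_dir[direction(pkt, local_net)] += 1
        dsts[pkt['src']].add(pkt['dst'])
    sweepers = sorted(s for s, d in dsts.items() if len(d) >= fanout)
    return {'syn_by_direction': dict(by_dir), 'sweeping_sources': sweepers}

# Constructed sample modelled on the posted capture (not Tom's real data):
# eight bare SYNs to eight local hosts, one -e line, one local SYN-ACK reply,
# and one ordinary outbound SYN from a local host.
SAMPLE = [f"21:36:53.8703{i:02d} IP 125.21.176.19.x11 > 74.123.192.{d}.domain: "
          f"S {i}:{i}(0) win 16384"
          for i, d in enumerate((195, 204, 190, 185, 166, 179, 171, 26))] + [
    "21:36:54.000001 00:1b:21:aa:bb:cc > 00:0c:29:dd:ee:ff, ethertype IPv4 (0x0800), "
    "length 60: 125.21.176.19.x11 > 74.123.192.195.domain: S 99:99(0) win 16384",
    "21:36:54.000002 IP 74.123.192.10.http > 198.51.100.7.51234: Flags [S.], seq 1, ack 2",
    "21:36:54.000003 IP 74.123.192.10.51235 > 198.51.100.8.http: S 5:5(0) win 65535",
]
```

Running `summarize(SAMPLE, '74.123.192.0/24')` reports 9 inbound and 1 outbound bare SYNs and flags 125.21.176.19 as sweeping the /24; if the same packets had been sourced from the local prefix they would count as outbound, which is the distinction David asks Tom to confirm with `-e`.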