From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Mon, 27 Mar 2017 08:15:22 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #2 from Robert Schulze ---

There are no pf-related kernel messages.

# pfctl -st | grep src.track
src.track                    0s

So source tracking entries should expire as soon as there are no more referenced states. The "expires in" counters from pfctl -vsS are always "00:00:00" or not shown.
regards,
Robert Schulze
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Tue, 28 Mar 2017 06:08:42 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #3 from Max ---

(In reply to Robert Schulze from comment #2)

I'm unable to reproduce the described behaviour on 10.3 release with generic kernel and your rules. It works just fine. Maybe the problem is related to filter rule's limits... I'll try to produce more test traffic later to reach them.

I have two source tracking records for each address: one for rdr rule and one for filter rule. Can you confirm that?
To: freebsd-pf@freebsd.org
From: "Eugene M. Zheganin"
Subject: pf, ALTQ and 10G
Date: Tue, 28 Mar 2017 12:33:25 +0500

Hi.

I need to implement QoS on a 10G interface (ix(4)) with bandwidth of 4-5 Gbit/sec. In general I'm using pf on FreeBSD, since I like it more than ipfw. But I'm aware that it's kind of ancient and wasn't updated for a long time from the upstream (and the upstream still doesn't support SMP). So, my question is: is it worth sticking to pf/ALTQ on 10G interfaces? Will pf carry such traffic?

Thanks.
Eugene.
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Tue, 28 Mar 2017 08:02:48 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #4 from Robert Schulze ---

(In reply to Max from comment #3)

Those old-aged src track entries are only on rdr rule:

# pfctl -vsS | grep -A1 $client
$client -> $www_host ( states 4, connections 0, rate 0.0/0s )
  age 02:39:54, 20643 pkts, 23362337 bytes, rdr rule 0

# pfctl -vss | grep -A1 $client
(nothing shown)

One question is: why is there states=4 in source track, but no states in state table, and how could that happen?
regards,
Robert Schulze
From: "Kristof Provost"
To: "Eugene M. Zheganin"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf, ALTQ and 10G
Date: Tue, 28 Mar 2017 11:38:49 +0200

On 28 Mar 2017, at 9:33, Eugene M. Zheganin wrote:
> I need to implement QoS on a 10G interface (ix(4)) with bandwidth of
> 4-5 Gbit/sec. In general I'm using pf on FreeBSD, since I like it more
> than ipfw. But I'm aware that it's kind of ancient and wasn't updated
> for a long time from the upstream (and the upstream still doesn't
> support SMP). So, my question is - is it worth to stick to pf/ALTQ on
> 10G interfaces ? Will pf carry such traffic ?
>
Be aware that ALTQ will not let you configure queues with that sort of bandwidth. All of the datatypes used are 32-bit integers and top out at 2 or 4 Gbps.

Unfortunately dummynet has exactly the same problem, so switching to ipfw won't help.
Regards,
Kristof
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Tue, 28 Mar 2017 19:36:11 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #5 from Max ---

Well, I can reproduce the problem.

I have 3 hosts with 10.3 release (generic kernel): "server", "client" and "firewall".

Complete pf.conf of "firewall" host:

set skip on {lo, em2}
table persist { 192.168.0.10, 192.168.0.20, 192.168.0.30 }
rdr proto tcp from any to 192.168.2.1 port http -> port http \
	round-robin sticky-address
block in all
block out all
pass quick proto tcp from any to port 80 \
	keep state \
	(source-track rule, max 120, max-src-states 96, \
	tcp.closing 20, tcp.finwait 15, tcp.closed 10)

It works as expected until we hit the "max states per rule" limit.
For example (just counters):

# pfctl -vsi
Status: Enabled for 0 days 00:17:46           Debug: Urgent

State Table                        Total        Rate
  current entries                     20
  searches                           345       0.3/s
  inserts                             40       0.0/s
  removals                            20       0.0/s
Source Tracking Table
  current entries                     20
  searches                            80       0.1/s
  inserts                             40       0.0/s
  removals                            20       0.0/s

# pfctl -vsi
Status: Enabled for 0 days 00:18:05           Debug: Urgent

State Table                        Total        Rate
  current entries                      0
  searches                           345       0.3/s
  inserts                             40       0.0/s
  removals                            40       0.0/s
Source Tracking Table
  current entries                     20
  searches                            80       0.1/s
  inserts                             40       0.0/s
  removals                            20       0.0/s

# pfctl -vsi
Status: Enabled for 0 days 00:18:16           Debug: Urgent

State Table                        Total        Rate
  current entries                      0
  searches                           345       0.3/s
  inserts                             40       0.0/s
  removals                            40       0.0/s
Source Tracking Table
  current entries                      0
  searches                            80       0.1/s
  inserts                             40       0.0/s
  removals                            40       0.0/s

But when I reach the limit:

# pfctl -vsi
Status: Enabled for 0 days 00:04:46           Debug: Urgent

State Table                        Total        Rate
  current entries                      1
  searches                          1627       5.7/s
  inserts                            203       0.7/s
  removals                           202       0.7/s
Source Tracking Table
  current entries                     10
  searches                           333       1.2/s
  inserts                             40       0.1/s
  removals                            30       0.1/s
Limit Counters
  max states per rule                  9       0.0/s
  max-src-states                       0       0.0/s
  max-src-nodes                        0       0.0/s
  max-src-conn                         0       0.0/s
  max-src-conn-rate                    0       0.0/s
  overload table insertion             0       0.0/s
  overload flush states                0       0.0/s

# pfctl -ss
all tcp 192.168.0.10:80 (192.168.2.1:80) <- 192.168.2.14:15122       CLOSED:SYN_SENT

# pfctl -sS
192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.14 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/0s )
192.168.2.13 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
192.168.2.11 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.12 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.16 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
192.168.2.18 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.10 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )

# pfctl -vsi
Status: Enabled for 0 days 00:08:19           Debug: Urgent

State Table                        Total        Rate
  current entries                      0
  searches                          1627       3.3/s
  inserts                            203       0.4/s
  removals                           203       0.4/s
Source Tracking Table
  current entries                      8
  searches                           333       0.7/s
  inserts                             40       0.1/s
  removals                            32       0.1/s
Limit Counters
  max states per rule                  9       0.0/s
  max-src-states                       0       0.0/s
  max-src-nodes                        0       0.0/s
  max-src-conn                         0       0.0/s
  max-src-conn-rate                    0       0.0/s
  overload table insertion             0       0.0/s
  overload flush states                0       0.0/s

# pfctl -vsS
192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.13 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.11 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.12 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.16 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.18 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.10 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Wed, 29 Mar 2017 08:14:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #6 from Robert Schulze ---

(In reply to Max from comment #5)

Thank you for your efforts.
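A cross-check for the mismatch Robert asks about in comment #4 and Max reproduces in comment #5 (source-tracking nodes whose "states" counter exceeds the states actually present), as an added example that is not part of the bug report or of pf: it parses pfctl -ss and pfctl -sS output and reports nodes that look orphaned. The sample output is constructed from the listings in comment #5; the reading of pfctl's layout (the parenthesised address is the pre-translation one, the originator is on the right of "<-" and on the left of "->") is an assumption stated in the code.

```python
import re
from collections import Counter

# Constructed sample, adapted from the pfctl listings in comment #5: one real
# state in the state table, ten source-tracking nodes each claiming "states 1".
SAMPLE_STATES = """\
all tcp 192.168.0.10:80 (192.168.2.1:80) <- 192.168.2.14:15122       CLOSED:SYN_SENT
"""

SAMPLE_SRC_NODES = """\
192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.14 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/0s )
192.168.2.13 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
192.168.2.11 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.12 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.16 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
192.168.2.18 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.10 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
"""

# One "pfctl -ss" line: <if> <proto> <host>[ (<host>)] <-|-> <host>[ (<host>)] <state>
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>\S+)\))?\s+"
    r"(?P<dir><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>\S+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)

# One "pfctl -sS" node line; the indented "age ..." lines of -vsS do not match
# and are skipped.
NODE_RE = re.compile(
    r"^(?P<src>\S+)\s+->\s+(?P<target>\S+)\s+\(\s*states\s+(?P<states>\d+),"
)


def strip_port(host):
    """'192.168.2.14:15122' -> '192.168.2.14', '[2001:db8::1]:80' -> '2001:db8::1'."""
    if host.startswith("["):
        return host[1:host.index("]")]
    if host.count(":") == 1:
        return host.rsplit(":", 1)[0]
    return host  # bare address, including an IPv6 address without a port


def states_per_source(ss_output):
    """Count state-table entries per originating address.

    Assumption about pfctl's layout: for "<-" (inbound) the originator is the
    right-hand host, for "->" (outbound) the left-hand one, and a parenthesised
    host is the pre-translation address, which is what source tracking keys on.
    """
    counts = Counter()
    for line in ss_output.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        if m["dir"] == "<-":
            origin = m["right_orig"] or m["right"]
        else:
            origin = m["left_orig"] or m["left"]
        counts[strip_port(origin)] += 1
    return counts


def parse_src_nodes(src_output):
    """Return (source, target, claimed_states) for every source-tracking node."""
    nodes = []
    for line in src_output.splitlines():
        m = NODE_RE.match(line.strip())
        if m:
            nodes.append((m["src"], m["target"], int(m["states"])))
    return nodes


def find_orphans(ss_output, src_output):
    """Nodes whose claimed state count exceeds the states that exist for that source.

    A node is referenced only by states from its own source address, so its
    counter can never legitimately exceed that number; anything above it is a
    leaked reference that will keep the node from expiring.
    """
    actual = states_per_source(ss_output)
    orphans = []
    for src, target, claimed in parse_src_nodes(src_output):
        have = actual.get(src, 0)
        if claimed > have:
            orphans.append({"src": src, "target": target,
                            "claimed": claimed, "actual": have})
    return orphans


if __name__ == "__main__":
    # On a live firewall feed it the output of "pfctl -ss" and "pfctl -sS" instead.
    for o in find_orphans(SAMPLE_STATES, SAMPLE_SRC_NODES):
        print(f"{o['src']} -> {o['target']}: node claims {o['claimed']} state(s), "
              f"state table has {o['actual']}")
```

On the comment #5 sample this flags the eight nodes that Max's later pfctl -vsS still shows after the real state has gone; the two 192.168.2.14 nodes (rdr rule and filter rule) are consistent with the one remaining state.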
To: "FreeBSD pf"
From: "Chris H"
Subject: how to get daily statistics from periodic daily?
Date: Wed, 29 Mar 2017 12:38:30 -0700

Greetings,

I've depended upon pf for many years, but somewhere between updating my servers from 9 to 11, and 12, I seem to have lost getting the daily statistics from pf. Does anyone know what changed, and what I need to do to get those reports back?

Thanks!

--Chris

To: "FreeBSD pf"
From: "Chris H"
Subject: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 13:06:01 -0700

OK. My association with FreeBSD has made me a prime target for every male hormone distributor on the net. Fact is, I can guarantee ~89 SPAM attempts in under 5 minutes after creating a pr on bugzilla. At first I was angry, and frustrated. But I decided to make it a challenge/contest, and see my way to thwarting their attacks. Long story short, I think I'm on the right track: in just over a month, I've managed to trap just under 3 million (2,961,264) *bonafide* SPAM sources. I've been honing and tuning my approach to ensure that there are zero false positives, and at the same time make it more and more efficient.

So now that I'm dropping packets from *so* many IPs I'm wondering if it's not time to better tune pf(4). I've never worked pf hard enough to do any more than create a table and a few simple rules. But I think I need to do more.

Here's the bulk of what I'm using now:

###################################
set loginterface re0
set block-policy drop
set fingerprints "/etc/pf.os"
scrub in all
set skip on lo0
antispoof quick for lo0
antispoof for re0 inet

table persist file "/etc/SPAMMERS"
block in log quick on re0 proto tcp from to port {smtp, submission, pop3, imap, imaps}
###################################

Would set optimization be warranted?
Any thoughts, or advice greatly appreciated!
--Chris
From: "Kristof Provost"
To: "Chris H"
Cc: "FreeBSD pf"
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 22:19:58 +0200

On 29 Mar 2017, at 22:06, Chris H wrote:
> OK. My association with FreeBSD has made me a prime
> target for every male hormone distributor on the net.
> Fact is; I can guarantee ~89 SPAM attempts in under 5
> minutes, after creating a pr on bugzilla. At first I
> was angry, and frustrated. But decided to make it a
> challenge/contest, and see my way to thwarting their
> attacks. Long story short; I think I'm on the right
> track; In just over a month, I've managed to trap
> just under 3 million (2,961,264) *bonafide* SPAM sources.
> I've been honing, and tuning my approach to insure that
> there are zero false positives, and at the same time,
> make it more, and more efficient.
> So now that I'm dropping packets from *so* many IP's
> I'm wondering if it's not time to better tune pf(4).
> I've never worked pf hard enough to do any more than
> create a table, and a few simple rules. But I think I
> need to do more.
> Here's the bulk of what I'm using now:
>
> ###################################
> set loginterface re0
> set block-policy drop
> set fingerprints "/etc/pf.os"
> scrub in all
> set skip on lo0
> antispoof quick for lo0
> antispoof for re0 inet
>
> table persist file "/etc/SPAMMERS"
> block in log quick on re0 proto tcp from to port {smtp, submission,
> pop3, imap, imaps}
> ###################################
>
> Would set optimization be warranted?
> Any thoughts, or advice greatly appreciated!
>
If I'm reading the code right the table lookup already uses a radix table internally, so I would already expect this to perform as well as it's going to.

Arguably you could just drop all traffic from them on all interfaces, but I doubt that'll make a huge difference.

Regards,
Kristof
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Wed, 29 Mar 2017 20:29:47 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #7 from Max ---

A bit more info...
Before reaching the limit:

Status: Enabled for 0 days 04:08:59           Debug: Urgent

State Table                        Total        Rate
  current entries                    120
  searches                          7976       0.5/s
  inserts                            997       0.1/s
  removals                           877       0.1/s
Source Tracking Table
  current entries                      0
  searches                          1623       0.1/s
  inserts                            236       0.0/s
  removals                           216       0.0/s
Limit Counters
  max states per rule                  2       0.0/s
  max-src-states                       4       0.0/s

ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
pf mtags:                40,     0,       0,       0,       0,   0,   0
pf states:              296, 10010,     120,      62,     997,   0,   0
pf state keys:           88,     0,     184,     221,    1506,   0,   0
pf source nodes:        136, 10005,      20,     125,     236,   0,   0
pf table entries:       160,200000,       3,      72,       3,   0,   0
pf table counters:       64,     0,       0,       0,       0,   0,   0
pf frags:               120,     0,       0,       0,       0,   0,   0
pf frag entries:         40,  5000,       0,       0,       0,   0,   0
pf state scrubs:         40,     0,       0,       0,       0,   0,   0

192.168.2.10 -> 192.168.0.20 ( states 6, connections 0, rate 0.0/0s )

After (two seconds later):

Status: Enabled for 0 days 04:09:01           Debug: Urgent

State Table                        Total        Rate
  current entries                    120
  searches                          7977       0.5/s
  inserts                            997       0.1/s
  removals                           877       0.1/s
Source Tracking Table
  current entries                      0
  searches                          1624       0.1/s
  inserts                            236       0.0/s
  removals                           216       0.0/s
Limit Counters
  max states per rule                  3       0.0/s
  max-src-states                       4       0.0/s

ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
pf mtags:                40,     0,       0,       0,       0,   0,   0
pf states:              296, 10010,     120,      62,     997,   0,   0
pf state keys:           88,     0,     186,     219,    1508,   0,   0
pf source nodes:        136, 10005,      20,     125,     236,   0,   0
pf table entries:       160,200000,       3,      72,       3,   0,   0
pf table counters:       64,     0,       0,       0,       0,   0,   0
pf frags:               120,     0,       0,       0,       0,   0,   0
pf frag entries:         40,  5000,       0,       0,       0,   0,   0
pf state scrubs:         40,     0,       0,       0,       0,   0,   0

192.168.2.10 -> 192.168.0.20 ( states 7, connections 0, rate 0.0/0s )

So, we have one search in state table, one search in source tracking table and increased states counter in source entry (other not included here). We increase state counter of source node in pf_find_src_node(). But the problem is not so easy as it seems.

By the way, what about "pf state keys"?
We have no states, but I see 6 state keys:

Status: Enabled for 0 days 04:09:15           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                            7977            0.5/s
  inserts                              997            0.1/s
  removals                             997            0.1/s
Source Tracking Table
  current entries                        1
  searches                            1624            0.1/s
  inserts                              236            0.0/s
  removals                             235            0.0/s
Limit Counters
  max states per rule                    3            0.0/s
  max-src-states                         4            0.0/s

ITEM                  SIZE   LIMIT   USED   FREE    REQ  FAIL  SLEEP
pf mtags:               40,      0,     0,     0,     0,    0,     0
pf states:             296,  10010,     0,   182,   997,    0,     0
pf state keys:          88,      0,     6,   399,  1508,    0,     0
pf source nodes:       136,  10005,     1,   144,   236,    0,     0
pf table entries:      160, 200000,     3,    72,     3,    0,     0
pf table counters:      64,      0,     0,     0,     0,    0,     0
pf frags:              120,      0,     0,     0,     0,    0,     0
pf frag entries:        40,   5000,     0,     0,     0,    0,     0
pf state scrubs:        40,      0,     0,     0,     0,    0,     0

192.168.2.10 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )

-- 
You are receiving this mail because:
You are the assignee for the bug.

Date: Wed, 29 Mar 2017 22:57:48 +0200 (CEST)
From: Martin MATO
Reply-To: Martin MATO
To: freebsd-pf@freebsd.org
Message-ID: <404620925.34894.1490821068262.JavaMail.www@wwinf1g03>
Subject: re: When should I worry about performance tuning?

Greetings.

I don't understand some things.

Is your machine a mail relay/server, or do you have a host without any firewall between it and the internet?

In the first case, you should prefer setting up greylisting / tarpitting at a minimum; feeding a firewall table for blacklisting is a never-ending story (plus, there is some real chance of blocking real MX relays).

And in the second case, a basic pf configuration blocking any incoming attempts, like:

set skip on lo0 # skipping any filtering on lo0
ext_iface="your_network_card_connected_to_internet"
pass out quick on $ext_iface all
block log quick on $ext_iface all

should be sufficient.

For more information about optimizations, man 5 pf.conf should do the trick.

Regards.

> Message of 29/03/17 22:05
> From: "Chris H"
> To: "FreeBSD pf"
> Cc:
> Subject: When should I worry about performance tuning?
>
> OK. My association with FreeBSD has made me a prime
> target for every male hormone distributor on the net.
> Fact is; I can guarantee ~89 SPAM attempts in under 5
> minutes, after creating a pr on bugzilla. At first I
> was angry, and frustrated.
> But decided to make it a
> challenge/contest, and see my way to thwarting their
> attacks. Long story short; I think I'm on the right
> track; In just over a month, I've managed to trap
> just under 3 million (2,961,264) *bonafide* SPAM sources.
> I've been honing, and tuning my approach to insure that
> there are zero false positives, and at the same time,
> make it more, and more efficient.
> So now that I'm dropping packets from *so* many IP's
> I'm wondering if it's not time to better tune pf(4).
> I've never worked pf hard enough to do any more than
> create a table, and a few simple rules. But I think I
> need to do more.
> Here's the bulk of what I'm using now:
>
> ###################################
> set loginterface re0
> set block-policy drop
> set fingerprints "/etc/pf.os"
> scrub in all
> set skip on lo0
> antispoof quick for lo0
> antispoof for re0 inet
>
> table persist file "/etc/SPAMMERS"
> block in log quick on re0 proto tcp from to port {smtp, submission,
> pop3, imap, imaps}
> ###################################
>
> Would set optimization be warranted?
> Any thoughts, or advice greatly appreciated!
>
> --Chris
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

To: "Kristof Provost"
Cc: "FreeBSD pf"
In-Reply-To: <9C2B6967-4475-4AC9-BA41-6227EF3511F9@sigsegv.be>
From: "Chris H"
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 14:00:58 -0700

On Wed, 29 Mar 2017 22:19:58 +0200 "Kristof Provost" wrote

> On 29 Mar 2017, at 22:06, Chris H wrote:
> > OK. My association with FreeBSD has made me a prime
> > target for every male hormone distributor on the net.
> > Fact is; I can guarantee ~89 SPAM attempts in under 5
> > minutes, after creating a pr on bugzilla. At first I
> > was angry, and frustrated. But decided to make it a
> > challenge/contest, and see my way to thwarting their
> > attacks. Long story short; I think I'm on the right
> > track; In just over a month, I've managed to trap
> > just under 3 million (2,961,264) *bonafide* SPAM sources.
> > I've been honing, and tuning my approach to insure that
> > there are zero false positives, and at the same time,
> > make it more, and more efficient.
> > So now that I'm dropping packets from *so* many IP's
> > I'm wondering if it's not time to better tune pf(4).
> > I've never worked pf hard enough to do any more than
> > create a table, and a few simple rules. But I think I
> > need to do more.
> > Here's the bulk of what I'm using now:
> >
> > ###################################
> > set loginterface re0
> > set block-policy drop
> > set fingerprints "/etc/pf.os"
> > scrub in all
> > set skip on lo0
> > antispoof quick for lo0
> > antispoof for re0 inet
> >
> > table persist file "/etc/SPAMMERS"
> > block in log quick on re0 proto tcp from to port {smtp,
> > submission,
> > pop3, imap, imaps}
> > ###################################
> >
> > Would set optimization be warranted?
> > Any thoughts, or advice greatly appreciated!
>
> If I'm reading the code right the table lookup already uses a radix
> table internally, so I would already expect this to perform as well as
> it's going to.
>
> Arguably you could just drop all traffic from them on all interfaces,
> but I doubt that'll make a huge difference.

Thanks for the reply, Kristof!

If it makes any difference: all the IP's in the table are in CIDR notation, and are of either www.xxx.yyy.0/24, or www.xxx.yyy.zzz/32. It seemed that would be the most efficient approach -- to me, anyway. :-)

Thanks again!
--Chris

To: freebsd-pf@freebsd.org, Martin MATO
In-Reply-To: <404620925.34894.1490821068262.JavaMail.www@wwinf1g03>
From: "Chris H"
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 14:33:34 -0700
Message-id: <8f7914e334440a407fc3a9de4b99d823@ultimatedns.net>

On Wed, 29 Mar 2017 22:57:48 +0200 (CEST) Martin MATO wrote

> > Message of 29/03/17 22:05
> > From: "Chris H"
> > To: "FreeBSD pf"
> > Cc:
> > Subject: When should I worry about performance tuning?
> >
> > OK. My association with FreeBSD has made me a prime
> > target for every male hormone distributor on the net.
> > Fact is; I can guarantee ~89 SPAM attempts in under 5
> > minutes, after creating a pr on bugzilla. At first I
> > was angry, and frustrated. But decided to make it a
> > challenge/contest, and see my way to thwarting their
> > attacks. Long story short; I think I'm on the right
> > track; In just over a month, I've managed to trap
> > just under 3 million (2,961,264) *bonafide* SPAM sources.
> > I've been honing, and tuning my approach to insure that
> > there are zero false positives, and at the same time,
> > make it more, and more efficient.
> > So now that I'm dropping packets from *so* many IP's
> > I'm wondering if it's not time to better tune pf(4).
> > I've never worked pf hard enough to do any more than
> > create a table, and a few simple rules. But I think I
> > need to do more.
> > Here's the bulk of what I'm using now:
> >
> > ###################################
> > set loginterface re0
> > set block-policy drop
> > set fingerprints "/etc/pf.os"
> > scrub in all
> > set skip on lo0
> > antispoof quick for lo0
> > antispoof for re0 inet
> >
> > table persist file "/etc/SPAMMERS"
> > block in log quick on re0 proto tcp from to port {smtp, submission,
> > pop3, imap, imaps}
> > ###################################
> >
> > Would set optimization be warranted?
> > Any thoughts, or advice greatly appreciated!
>
> Greetings.
>
> I don't understand some things.
>
> Is your machine a mail relay/server, or do you have a host without any firewall
> between it and the internet?
>
> In the first case, you should prefer setting up greylisting / tarpitting at a
> minimum; feeding a firewall table for blacklisting is a never-ending story
> (plus, there is some real chance of blocking real MX relays).
>
> And in the second case, a basic pf configuration blocking any incoming
> attempts, like:
>
> set skip on lo0 # skipping any filtering on lo0
>
> ext_iface="your_network_card_connected_to_internet"
>
> pass out quick on $ext_iface all
> block log quick on $ext_iface all
>
> should be sufficient.
>
> For more information about optimizations, man 5 pf.conf should do the
> trick.

Thanks for the reply, Martin.

It (currently) has only one [inet] facing NIC. It's an MX for some 60 domains. I have zero reason to think I am, or will, drop packets from an innocent/legitimate MX. I also monitor/filter http/www. In fact, I'm now at a point that I can tell you which computers are drones, which web software is now vulnerable, and how to subvert that web software. It's not terribly uncommon to get over 500 identical (subversive) requests, from over five hundred unique IP's, in under 4 seconds. Which pretty much guarantees that they came from drones (p0wned boxes).

To your point regarding other methods of filtering (greylisting, etc...).
I've used those, as well as RBL services, and in ALL cases they fell short of their objective(s). They either weren't flexible enough, or (frequently) blocked innocent senders. This is my attempt to overcome those shortcomings. I'm filtering in ways that none of the other methods seem to have thought of, or perhaps couldn't figure out how. I'm also not convinced the additional overhead that an additional NIC would add, would be beneficial (tho I could be wrong). :)

In any case. So far, my filtering has only improved. I expect in another month I'll be ready to either open a service, or the method (source) itself to accomplish all this. :-)

Thanks again, for taking the time to respond, Martin!

--Chris
Date: Thu, 30 Mar 2017 08:20:55 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: re: When should I worry about performance tuning?
In-Reply-To: <404620925.34894.1490821068262.JavaMail.www@wwinf1g03>

On Wed, 29 Mar 2017, Martin MATO wrote:

> In the first case, you'll should prefer setting greylisting / tarpitting
> at minimum, feeding a firewall table for blacklisting is a neverending
> story (plus, there is some real chance blocking real MX relays).

A judicious selection of DNSBLs and enforcement of RFC-compliance etc. do the trick for me; I block several hundred attempts each day, with very few false positives and hardly any getting through (and I don't mind wasting SMTP cycles).

And was the OP really blocking only a few ports and allowing the rest? If so, that's backwards to good practice.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
To: FreeBSD PF List, Dave Horsfall
From: "Chris H"
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 16:53:54 -0700
Message-id: <773b235971b4a8fa34d084222e018b4b@ultimatedns.net>

On Thu, 30 Mar 2017 08:20:55 +1100 (EST) Dave Horsfall wrote

> On Wed, 29 Mar 2017, Martin MATO wrote:
>
> > In the first case, you'll should prefer setting greylisting / tarpitting
> > at minimum, feeding a firewall table for blacklisting is a neverending
> > story (plus, there is some real chance blocking real MX relays).
>
> A judicious selection of DNSBLs and enforcement of RFC-compliance etc do
> the trick for me; I block several hundred attempts each day, with very few
> false positives and hardly any getting through (and I don't mind wasting
> SMTP cycles).

I'm currently blocking (filtering) several hundred/hr.

> And was the OP really blocking only a few ports and allowing the rest?

Nope. Blocking all unused ports && filtering on the rest. :-)

> If so, that's backwards to good practice.

Indeed. I couldn't agree more.

--Chris

> -- 
> Dave Horsfall DTM (VK2KFU) "Those who don't understand security will
> suffer."
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Thu, 30 Mar 2017 04:38:33 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #8 from Max ---

I think the problem is in pf_create_state():

	/* check maximums */
	if (r->max_states &&
	    (counter_u64_fetch(r->states_cur) >= r->max_states)) {
		counter_u64_add(V_pf_status.lcounters[LCNT_STATES], 1);
		REASON_SET(&reason, PFRES_MAXSTATES);
		return (PF_DROP);
	}

We can't just return here. Arguably we should "goto csfailed;" instead.
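The error path Max quotes in comment #8, reduced to a user-space model so the ownership problem can be run and counted. This is an added example, not the kernel source and not code from the bug report: the structs, the fixed "max-states 2" rule, the single source node and the scenario driver are all stand-ins, and the function names only mirror the kernel's. The model reproduces what comment #7 measured: sk and nk are allocated by the caller and the source node reference is already taken (the counter bumped in pf_find_src_node()) before the maximums are checked, so an early `return (PF_DROP)` leaves both keys and that reference behind, while routing the same failure through the `csfailed` label gives everything back.

```c
/* Added example (user-space model, not the kernel source): why the early
 * `return (PF_DROP)` in pf_create_state() orphans the state keys and the
 * translation source node, and what `goto csfailed` changes. */
#include <stdio.h>
#include <stdlib.h>

enum { PF_PASS = 0, PF_DROP = 1 };

struct pf_state_key { int pad; };                      /* stand-in for the real key */
struct pf_src_node  { int states; int expire; int linked; };
struct pf_rule      { long max_states; long states_cur; };
struct pf_state     { struct pf_state_key *sk, *nk; struct pf_src_node *nsn; };

static int keys_live;   /* allocated and not freed: the zone's USED column */

static struct pf_state_key *key_alloc(void)
{
    keys_live++;
    return calloc(1, sizeof(struct pf_state_key));
}

static void key_free(struct pf_state_key *k)
{
    if (k != NULL) {
        keys_live--;
        free(k);
    }
}

/* pf_find_src_node() bumps sn->states before the limits are checked. */
static void src_node_ref(struct pf_src_node *sn) { sn->states++; }

/* The release done in csfailed and when a state is freed: the node is
 * unlinked once nothing references it and it has no timeout left. */
static void src_node_unref(struct pf_src_node *sn)
{
    if (--sn->states == 0 && sn->expire == 0)
        sn->linked = 0;                                /* pf_unlink_src_node() */
}

/* `fixed` switches between the buggy early return and the cleanup label. */
static int create_state(struct pf_rule *r, struct pf_src_node *nsn,
    struct pf_state_key *sk, struct pf_state_key *nk,
    struct pf_state **sm, int fixed)
{
    struct pf_state *s;

    /* check maximums */
    if (r->max_states && r->states_cur >= r->max_states) {
        if (!fixed)
            return (PF_DROP);   /* BUG: sk, nk and the nsn reference leak */
        goto csfailed;
    }
    if ((s = calloc(1, sizeof(*s))) == NULL)
        goto csfailed;
    s->sk = sk;                 /* the state now owns both keys and the ref */
    s->nk = nk;
    s->nsn = nsn;
    r->states_cur++;
    *sm = s;
    return (PF_PASS);

csfailed:
    key_free(sk);
    key_free(nk);
    if (nsn != NULL)
        src_node_unref(nsn);
    return (PF_DROP);
}

/* pf_free_state() for the model: give everything back. */
static void state_remove(struct pf_rule *r, struct pf_state *s)
{
    key_free(s->sk);
    key_free(s->nk);
    src_node_unref(s->nsn);
    r->states_cur--;
    free(s);
}

/* Push `attempts` connections from one source through a rule with
 * "max-states 2", then tear every accepted state down. Returns what is left
 * behind: keys still allocated plus references still held on the source
 * node (a non-zero count keeps the node linked in src-track). */
int orphans_after_scenario(int attempts, int fixed)
{
    struct pf_rule r = { 2, 0 };
    struct pf_src_node nsn = { 0, 0, 1 };               /* states, expire, linked */
    struct pf_state *states[16];
    int n = 0, i;

    keys_live = 0;
    for (i = 0; i < attempts && n < 16; i++) {
        struct pf_state_key *sk = key_alloc(), *nk = key_alloc();
        struct pf_state *s = NULL;

        src_node_ref(&nsn);                             /* taken by the translation lookup */
        if (create_state(&r, &nsn, sk, nk, &s, fixed) == PF_PASS)
            states[n++] = s;
    }
    for (i = 0; i < n; i++)
        state_remove(&r, states[i]);
    return keys_live + nsn.states;
}

int main(void)
{
    printf("buggy: %d orphans, fixed: %d orphans\n",
        orphans_after_scenario(5, 0), orphans_after_scenario(5, 1));
    return 0;
}
```

With five attempts against a limit of two, the buggy path leaves two keys and one dangling source-node reference per rejected packet (nine objects), which matches the pattern in comment #7 where the source entry's `states` counter kept growing while the state table did not; the `csfailed` path leaves nothing behind and the node is unlinked as soon as the last real state goes away.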
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Thu, 30 Mar 2017 08:36:44 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #9 from Max ---

It seems that I'm right. The problem has gone. Hope that someone more experienced will review this fix.
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Thu, 30 Mar 2017 11:29:42 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

Robert Schulze changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Severity|Affects Only Me             |Affects Some People
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Thu, 30 Mar 2017 18:18:24 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #10 from Kristof Provost ---

(In reply to Max from comment #9)

It looks like you've certainly found a bug. It's clearly wrong to not free sk and nk in that error path. I've had a quick look at the OpenBSD history and they also fixed this (though slightly differently) a while back.

Good catch. Robert, can you confirm this fixes your problem?
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Thu, 30 Mar 2017 18:59:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #11 from Max ---

(In reply to Kristof Provost from comment #10)

I've done basic tests. It works. I can post some counters here. Perhaps we should test it without rdr/nat rule.

By the way, "pfctl -Fi" (flush info) does not clear "Limit Counters" in "pfctl -vsi" output.
From owner-freebsd-pf@freebsd.org Fri Mar 31 07:57:32 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Fri, 31 Mar 2017 07:57:32 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #12 from Robert Schulze ---
Since the affected machine is critical and cannot be rebooted without care,
I cannot confirm the fix right now. My primary intention was to report the
misbehaviour. If a planned reboot takes place, I will patch the kernel
beforehand and then talk back to you.

Nevertheless, I think if two people agree on a simple fix, and the same bug
was present in OpenBSD's pf, this should be the solution.

Thank you very much.
Robert Schulze

From owner-freebsd-pf@freebsd.org Fri Mar 31 09:57:15 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Fri, 31 Mar 2017 09:57:14 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #13 from Robert Schulze ---
By the way: could someone please attach a patch based on the assumptions
you made?
regards,
Robert Schulze

From owner-freebsd-pf@freebsd.org Fri Mar 31 11:51:26 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Fri, 31 Mar 2017 11:51:25 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #14 from Max ---
--- sys/netpfil/pf/pf.c.orig	2017-03-30 09:54:22.056490000 +0000
+++ sys/netpfil/pf/pf.c	2017-03-30 09:55:10.735221000 +0000
@@ -3508,7 +3508,7 @@
 	    (counter_u64_fetch(r->states_cur) >= r->max_states)) {
 		counter_u64_add(V_pf_status.lcounters[LCNT_STATES], 1);
 		REASON_SET(&reason, PFRES_MAXSTATES);
-		return (PF_DROP);
+		goto csfailed;
 	}
 	/* src node for filter rule */
 	if ((r->rule_flag & PFRULE_SRCTRACK ||
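Review bot: replacing `return (PF_DROP)` with `goto csfailed` on the PFRES_MAXSTATES path is only correct if the `csfailed` label releases exactly what pf_create_state() has allocated before this check and nothing allocated after it; the label is not in the hunk, so confirm there that both state keys (the leak this PR is about) are freed and that the source node, which is only attached a few lines further down under "/* src node for filter rule */", is not touched on this path. Also confirm that the label path still returns PF_DROP with `reason` left at PFRES_MAXSTATES, so the caller sees the same result as before and the LCNT_STATES increment just above still accounts for exactly one drop.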
From owner-freebsd-pf@freebsd.org Fri Mar 31 22:50:04 2017
Date: Sat, 1 Apr 2017 08:29:41 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Getting auto-block to work

Does anyone have a PF rule that actually blocks woodpeckers? I have this
rule:

    pass inet proto tcp from any to any port smtp \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 2/20, \
        overload <woodpeckers> flush global)

I understand that as being no more than twice in twenty seconds (which is
amply generous by my reading of the RFC), but it's not working; for
example, the latest problem-child is:

    Date: Mar 31 00:04:10 (v2UD3uT2070289)
    from=
    relay=server1.manualpratico.info [186.251.128.25]
    reject=450 4.7.1 ... I greylist .info

    Date: Mar 31 00:14:25 (v2UDEBaT070308)
    from=
    relay=server1.manualpratico.info [186.251.128.25]
    reject=450 4.7.1 ... I greylist .info

continuing every 15 seconds (and I've seen much worse) which I have
manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
PF supposed to do that for me?

(And yes, Sendmail also has this non-working "feature", but that's OT.)

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
From owner-freebsd-pf@freebsd.org Fri Mar 31 23:20:36 2017
Subject: Re: Getting auto-block to work
To: Dave Horsfall, FreeBSD PF List
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sat, 1 Apr 2017 01:20:31 +0200

Dave Horsfall wrote on 2017/03/31 23:29:
> Does anyone have a PF rule that actually blocks woodpeckers? I have this
> rule:
>
>     pass inet proto tcp from any to any port smtp \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 2/20, \
>         overload <woodpeckers> flush global)
>
> I understand that as being no more than twice in twenty seconds (which is
> amply generous by my reading of the RFC), but it's not working; for
> example, the latest problem-child is:
>
>     Date: Mar 31 00:04:10 (v2UD3uT2070289)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
>     Date: Mar 31 00:14:25 (v2UDEBaT070308)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
> continuing every 15 seconds (and I've seen much worse) which I have
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
> PF supposed to do that for me?
>
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

Are you sure that each delivery attempt is a separate TCP connection? SMTP
allows many messages in one open session.
I am using this for blocking SSH attacks:

    block drop in quick from to any
    pass in log on $ext_if proto tcp from any to { $ext_addr, $jail_addr } port $ext_ssh \
        flags S/SA keep state \
        (max-src-conn 6, max-src-conn-rate 6/60, overload flush global)

Miroslav Lachman

From owner-freebsd-pf@freebsd.org Sat Apr 1 00:04:21 2017
Date: Sat, 1 Apr 2017 01:04:17 +0100
From: Gary Palmer
To: Dave Horsfall
Cc: FreeBSD PF List
Subject: Re: Getting auto-block to work

On Sat, Apr 01, 2017 at 08:29:41AM +1100, Dave Horsfall wrote:
> Does anyone have a PF rule that actually blocks woodpeckers? I have this
> rule:
>
>     pass inet proto tcp from any to any port smtp \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 2/20, \
>         overload <woodpeckers> flush global)
>
> I understand that as being no more than twice in twenty seconds (which is
> amply generous by my reading of the RFC), but it's not working; for
> example, the latest problem-child is:
>
>     Date: Mar 31 00:04:10 (v2UD3uT2070289)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
>     Date: Mar 31 00:14:25 (v2UDEBaT070308)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
> continuing every 15 seconds (and I've seen much worse) which I have
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
> PF supposed to do that for me?
>
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

Are you sure those are new connections and that the remote side isn't just
doing RSET and trying again on the same connection?

If it's not making new connections, PF won't pick it up.

Regards,

Gary
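What Miroslav and Gary are pointing at is that pf only evaluates max-src-conn and max-src-conn-rate when a new TCP state is created, so an SMTP client that keeps one session open and retries inside it never touches the counters. The Python below is an added illustration, not code from this thread or from pf: it models that accounting after my reading of pf's pf_add_threshold()/pf_src_connlimit() (a linearly decaying per-source counter, checked once the handshake completes, overloading only when the limit is exceeded), and assumes Dave's table is named <woodpeckers> and that the table only blocks traffic when a block rule references it, as in Miroslav's ruleset. It also shows that one fresh connection every 15 seconds stays within 2/20, so that pattern alone would not trip the rule even if every attempt were a new connection.

```python
from collections import defaultdict

MULT = 1000  # PF_THRESHOLD_MULT: counts are scaled so the decay works in integers


class Threshold:
    """Decaying counter behind 'max-src-conn-rate number/seconds' (my reading
    of pf_add_threshold(): the count decays linearly over `seconds`)."""

    def __init__(self, number, seconds):
        self.limit = number * MULT
        self.seconds = seconds
        self.count = 0
        self.last = 0

    def add(self, now):
        dt = now - self.last
        if dt >= self.seconds:
            self.count = 0
        else:
            self.count -= self.count * dt // self.seconds
        self.count += MULT
        self.last = now
        return self.count > self.limit  # pf overloads when the limit is exceeded


class SrcTracker:
    """Per-source accounting for one 'pass ... keep state (...)' rule."""

    def __init__(self, max_src_conn=10, rate=(2, 20), block_rule=True):
        self.max_src_conn = max_src_conn
        self.rate = rate
        self.block_rule = block_rule        # is there a 'block in quick from <woodpeckers>'?
        self.thresholds = {}                # src -> Threshold
        self.states = defaultdict(set)      # src -> ids of its established states
        self.table = set()                  # contents of the <woodpeckers> table

    def connect(self, src, now, state_id):
        """Handshake from src completed (a new state): 'blocked', 'overload' or 'pass'.
        The limits are only evaluated here, so a session that stays open never
        reaches them again."""
        if self.block_rule and src in self.table:
            return "blocked"
        self.states[src].add(state_id)
        th = self.thresholds.setdefault(src, Threshold(*self.rate))
        too_fast = th.add(now)
        too_many = len(self.states[src]) > self.max_src_conn
        if too_fast or too_many:
            self.table.add(src)             # overload <woodpeckers>
            self.states[src].clear()        # flush global: kill all its states
            return "overload"
        return "pass"

    def smtp_retry(self, src, state_id):
        """RSET / MAIL FROM again on the same open session: no new state, no check."""
        return "pass" if state_id in self.states[src] else "no-state"


def scenario(interval, block_rule=True):
    """Constructed sample: 198.51.100.7 reconnects every `interval` seconds for a
    minute; 203.0.113.9 opens one session and retries inside it four times.
    Returns the verdicts for each and the final overload table."""
    pf = SrcTracker(block_rule=block_rule)
    reconnecting = [pf.connect("198.51.100.7", t, f"s{t}") for t in range(0, 60, interval)]
    pf.connect("203.0.113.9", 0, "session")
    persistent = [pf.smtp_retry("203.0.113.9", "session") for _ in range(4)]
    return reconnecting, persistent, sorted(pf.table)


if __name__ == "__main__":
    for interval in (15, 5):
        print(interval, scenario(interval))
```

With block_rule=False the address lands in the table but keeps getting through, which is why the overload table needs a block rule in front of the pass rule.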
From owner-freebsd-pf@freebsd.org Sat Apr 1 00:26:43 2017
From: "Chris H"
Subject: Re: Getting auto-block to work
Date: Fri, 31 Mar 2017 17:27:38 -0700

On Sat, 1 Apr 2017 08:29:41 +1100 (EST) Dave Horsfall wrote
> Does anyone have a PF rule that actually blocks woodpeckers? I have this
> rule:
>
>     pass inet proto tcp from any to any port smtp \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 2/20, \
>         overload <woodpeckers> flush global)

I could never get that to work, either.

> I understand that as being no more than twice in twenty seconds (which is
> amply generous by my reading of the RFC), but it's not working; for
> example, the latest problem-child is:
>
>     Date: Mar 31 00:04:10 (v2UD3uT2070289)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
>     Date: Mar 31 00:14:25 (v2UDEBaT070308)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
> continuing every 15 seconds (and I've seen much worse) which I have
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
> PF supposed to do that for me?
>
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

OFF TOPIC

The following works famously for me in my (hostname).mc file:

    FEATURE(greet_pause, `6000')

as does:

    define(`confCONNECTION_RATE_THROTTLE', `2')

HTH

As for OT; I'd have sent it to you off list. But you're bouncing me.
--Chris

From owner-freebsd-pf@freebsd.org Sat Apr 1 12:23:03 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Sat, 01 Apr 2017 12:23:02 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #15 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Sat Apr 1 12:22:34 UTC 2017
New revision: 316355
URL: https://svnweb.freebsd.org/changeset/base/316355

Log:
  pf: Fix leak of pf_state_keys

  If we hit the state limit we returned from pf_create_state() without cleaning
  up.

  PR:		217997
  Submitted by:	Max
  MFC after:	1 week

Changes:
  head/sys/netpfil/pf/pf.c