From owner-freebsd-pf@FreeBSD.ORG Fri Mar 28 17:09:33 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 323681065677 for ; Fri, 28 Mar 2008 17:09:33 +0000 (UTC) (envelope-from fox@verio.net) Received: from dfw-smtpout1.email.verio.net (dfw-smtpout1.email.verio.net [129.250.36.41]) by mx1.freebsd.org (Postfix) with ESMTP id 0ACDB8FC19 for ; Fri, 28 Mar 2008 17:09:32 +0000 (UTC) (envelope-from fox@verio.net) Received: from [129.250.36.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout1.email.verio.net with esmtp id 1JfHgQ-0000hT-4u for freebsd-pf@freebsd.org; Fri, 28 Mar 2008 16:44:02 +0000 Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp3.email.verio.net with esmtp id 1JfHgP-0001V0-W5 for freebsd-pf@freebsd.org; Fri, 28 Mar 2008 16:44:02 +0000 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id CDD9E8E296; Fri, 28 Mar 2008 11:44:01 -0500 (CDT) Date: Fri, 28 Mar 2008 11:44:01 -0500 From: David DeSimone To: freebsd-pf@freebsd.org Message-ID: <20080328164401.GE29001@verio.net> Mail-Followup-To: freebsd-pf@freebsd.org References: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0290@cetus.dawnsign.com> <20080326025316.GA68607@eos.sc1.parodius.com> <47EA12CA.90305@nviz.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed Content-Disposition: inline In-Reply-To: <47EA12CA.90305@nviz.net> Precedence: bulk User-Agent: Mutt/1.5.9i Subject: Re: Bacula File/Storage Connection Woes using PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Mar 2008 17:09:33 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greg Hennessy wrote: > > Jeremy Chadwick wrote: > > Do not blindly use "keep state" everywhere! > > Hard cases make for bad laws. I have got to point out the error in > the above statement. To expand upon this (for further education), "keep state" is beneficial for two reasons: 1. A state table lookup is more efficient than parsing the rule base for every packet. 2. It is MORE SECURE to use state tables to pass packets, because PF watches the state very closely, and permits only the specific sequence numbers that should be active on the connection. Of course, if that state tracking is buggy, this leads to the failures referenced here: > > There's been too many cases I've experienced where using "keep > > state" blindly results in state-mismatch increasing at a very fast > > rate. When I implemented this mentality on our production servers, > > our users started pointing out that scp's between machines would > > randomly get severed mis-stream, same with ssh sessions where large > > TCP windows were used (such as doing 'dmesg' over and over): What's being described here is a failure of PF to track state correctly. If a user types a command that results in a large amount of output, like "dmesg" or "ls -lR /", the connection will stall because PF isn't permitting the entire window to advance. Greg makes reference to the "modulate state" bug, which I was not aware of, but it is also important to be aware of this: > You miss out the most important bit of the new PF 4.1 state keeping > defaults, 'flags S/SA'. > Our cousins over the road in the OpenBSD neighbourhood have done this > precisely because of the issues caused in prior versions of PF by > using stateless rules and/or establishing TCP state on anything other > than the 3 way handshake. The reason that it's so important to ONLY create state on the initial handshake is that crucial information (namely window-scaling factors) are exchanged ONLY at this time. If PF were to boot up and see a connection only in the middle, it would assume "unscaled" window factors in use, and thus would only permit a very small range of the allowed window, causing severe performance degradation. Establishing state on the initial SYN avoids this problem entirely. > > It gets more confusing when you consider the fact that even though > > UDP and ICMP are stateless protocols, pf can keep track of their > > state too, though I don't know if FreeBSD pf supports that (OpenBSD > > pf does). Of course PF supports this, but "state" on a "stateless" connection is maintained purely with timers. When the timers expire, the state expires. - -- David DeSimone == Network Admin == fox@verio.net "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, dis- tribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." --Lawyer Bot 6000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFH7SBRFSrKRjX5eCoRAvE0AJ4vxqFWA2lhSajoDHc3jX7R/qvrQQCgo67w oOpUudaxHqtN70S6oURstns= =IQZw -----END PGP SIGNATURE-----