From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 209491] Broadcast storm with ipfw+natd+gateway
Date: Sat, 14 May 2016 01:03:18 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209491

            Bug ID: 209491
           Summary: Broadcast storm with ipfw+natd+gateway
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cejkar@fit.vutbr.cz

After commit 290383 (replace fastforward path with tryforward), there is at least one possible system configuration which can be a source of a broadcast storm.

Simply put in your /etc/rc.conf:

    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="em0"
    gateway_enable="YES"

After reboot, you have a divert rule in ipfw with running natd:

    00050 divert 8668 ip4 from any to any via em0

Then, simply send a broadcast to this system, and it responds with 2 * (TTL - 1) broadcasts sent back. Have at least two of these systems on one local subnet with a configured samba server, which sends one broadcast per minute, and this is practically sufficient to shut down your site with a broadcast storm.

Pre-290383 system just receives the broadcast:

    08:55:25.167489 IP 10.0.2.4.21680 > 10.0.2.255.netbios-ns: [|SMB]

After-290383 system with IP 10.0.2.15 receives the broadcast, and then responds with 126 broadcasts with reowned (translated) source address:

    09:02:33.939027 IP 10.0.2.4.21490 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939255 IP 10.0.2.15.21490 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939303 IP 10.0.2.15.21490 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939472 IP 10.0.2.15.44294 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939524 IP 10.0.2.15.44294 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939630 IP 10.0.2.15.40288 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939661 IP 10.0.2.15.40288 > 10.0.2.255.netbios-ns: [|SMB]
    ...
(I thought that it was just one or two replied broadcasts, but in my testing environment in VirtualBox with two systems, one sending broadcasts and one storming, it really showed this output and I could not find any other explanation of this. However, the example above with one samba server and three storming systems was really real...)
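Added here as a detection aid, not part of the report or of FreeBSD: a small Python script that parses tcpdump lines like the ones quoted above and flags any host re-emitting broadcasts at a rate far above the once-per-minute NetBIOS baseline the report describes. The embedded capture is constructed from the report's sample; the ".255"/255.255.255.255 broadcast test (no netmask knowledge) and the rate threshold are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample modelled on the tcpdump output in the report: one
# NetBIOS name-service broadcast from 10.0.2.4, then the storming host
# 10.0.2.15 re-emitting it with its own (natd-translated) source address.
SAMPLE_CAPTURE = """\
09:02:33.939027 IP 10.0.2.4.21490 > 10.0.2.255.netbios-ns: [|SMB]
09:02:33.939255 IP 10.0.2.15.21490 > 10.0.2.255.netbios-ns: [|SMB]
09:02:33.939303 IP 10.0.2.15.21490 > 10.0.2.255.netbios-ns: [|SMB]
09:02:33.939472 IP 10.0.2.15.44294 > 10.0.2.255.netbios-ns: [|SMB]
09:02:33.939524 IP 10.0.2.15.44294 > 10.0.2.255.netbios-ns: [|SMB]
09:02:33.939630 IP 10.0.2.15.40288 > 10.0.2.255.netbios-ns: [|SMB]
09:02:33.939661 IP 10.0.2.15.40288 > 10.0.2.255.netbios-ns: [|SMB]
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+) > (\S+):")  # tcpdump -n


def is_broadcast(host: str) -> bool:
    # Assumption: without the subnet mask, treat the limited broadcast and any
    # address whose last octet is 255 as a broadcast destination.
    return host == "255.255.255.255" or host.endswith(".255")


def broadcast_rates(capture: str, window: float = 1.0) -> dict:
    """Peak number of broadcast packets each source host emitted within
    any span of `window` seconds of the capture."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hh, mm, ss, frac, src, dst = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
        src_host, dst_host = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
        if not is_broadcast(dst_host):
            continue
        q = recent[src_host]
        q.append(t)
        while t - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[src_host] = max(peak[src_host], len(q))
    return dict(peak)


def storm_sources(capture: str, window: float = 1.0, threshold: int = 20) -> list:
    """Hosts re-emitting broadcasts far faster than the one-per-minute NetBIOS
    baseline in the report (the threshold value is an assumption)."""
    return sorted(h for h, n in broadcast_rates(capture, window).items() if n >= threshold)
```

Run it against `tcpdump -n -l` piped output from the affected segment; a host that repeats every incoming broadcast with its own source address, as 10.0.2.15 does above, shows up with a peak rate orders of magnitude above the rest of the subnet.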