From: "Daniel O'Connor" <darius@dons.net.au>
Date: Sun, 18 Sep 2022 14:42:16 +0930
Subject: PF ICMP generation
To: freebsd-stable
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
Message-Id: <6D714670-CE96-4F85-B521-464852909ABD@dons.net.au>

Hi,

I discovered recently my
firewall rules were allowing NTP in and I had a misconfigured host which was spamming traffic. I ended up moving the host to a different IP (and fixing the firewall rule) but now I find the router (which I recently updated to FreeBSD 13.1-RELEASE-p2, from 12) is generating mounds of ICMP unreachable traffic:

14:10:30.572851 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.572865 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.572872 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.573661 IP a.a.a.a > 201.150.126.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.574262 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.574273 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.574280 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.575212 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.575222 IP a.a.a.a > 201.150.127.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.575239 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44

Where a.a.a.a is the IP of the router (static from the ISP) and b.b.b.b is the (publicly routable) IP of the machine I changed the IP for.

The normal ICMP rate limiting does not seem to be working: net.inet.icmp.icmplim is the default of 200, and I do not see any "Limiting icmp unreach response from NNNN to 200 packets/sec" messages which I have definitely seen before.

Blocking the IPs it is sending to in pf does not seem to stop the traffic.
I then ran dtrace to try and work out which code was generating the ICMP traffic:

[portero 14:25] ~ >sudo dtrace -n 'fbt::icmp_error:entry { @stacks[stack()] = count(); }'
dtrace: description 'fbt::icmp_error:entry ' matched 1 probe
^C

              pf.ko`pf_intr+0x1e5
              kernel`fork_exit+0x7e
              kernel`0xffffffff810885ee
            15273

I then realised that my PF default block policy was 'return' rather than 'drop' - once I changed that it was good.

However I think it is pretty surprising that PF does not implement the ICMP rate limiter (net.inet.icmp.icmplim).

I checked the code and I think it would not be too difficult to add a call to badport_bandlim() to either pf_intr or pf_send_icmp but I haven't tried it yet.

-- 
Daniel O'Connor
"The nice thing about standards is that there are so many of them to choose from."
 -- Andrew Tanenbaum
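The storm described above is easy to miss until the upstream link fills, because the kernel limiter (net.inet.icmp.icmplim) never logs for ICMP that pf generates itself. The following script is an added example and is not code from the mail or from FreeBSD: it post-processes tcpdump output of the shape shown in the mail and reports every (second, originating host) pair whose count of ICMP "port unreachable" messages exceeds a limit, defaulting to the 200 packets/sec that icmplim would have applied. It assumes tcpdump's default ICMP line format (timestamp, "IP", source, ">", "destination:", "ICMP ... unreachable, length N"); the ten sample lines are copied from the mail with the quoted-printable soft line breaks removed (a.a.a.a and b.b.b.b are the mail's placeholders), and make_burst fabricates a larger burst so that the over-limit case can be exercised without a live router.

```shell
#!/bin/sh
# Added example (not from the original mail): find hosts that emit ICMP
# "port unreachable" faster than net.inet.icmp.icmplim (200/s) would allow,
# which is what a pf "block return" policy facing unsolicited UDP produces.

# Sample tcpdump output copied from the mail (soft breaks removed).
SAMPLE='14:10:30.572851 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.572865 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.572872 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.573661 IP a.a.a.a > 201.150.126.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.574262 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.574273 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.574280 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.575212 IP a.a.a.a > 201.150.127.67: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.575222 IP a.a.a.a > 201.150.127.195: ICMP b.b.b.b udp port 123 unreachable, length 44
14:10:30.575239 IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44'

# Read tcpdump lines on stdin; print "HH:MM:SS originator count" for each
# (second, originator) pair, busiest first. Field 1 is the timestamp with
# microseconds, field 3 the host that emitted the ICMP message.
unreach_per_second() {
    awk '/ ICMP .* unreachable, / { n[substr($1, 1, 8) " " $3]++ }
         END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# Read tcpdump lines on stdin; print the pairs whose count exceeds $1
# (default 200, the icmplim value quoted in the mail). Exit 0 if any pair
# exceeded the limit, 1 otherwise, so it can drive an alert or a cron job.
icmp_storm_check() {
    lim=${1:-200}
    unreach_per_second | awk -v lim="$lim" '
        $3 > lim { print; hit = 1 }
        END { if (hit) exit 0; exit 1 }'
}

# Constructed burst: $1 unreachables from a.a.a.a within a single second,
# the shape of traffic the mail's dtrace run (15273 icmp_error calls) saw.
make_burst() {
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++)
        printf "14:10:30.%06d IP a.a.a.a > 201.150.126.195: ICMP b.b.b.b udp port 123 unreachable, length 44\n", i }'
}

# Stand-alone run: summarise the mail's sample (10/s from the router, under
# the limit), then check a 250-message burst against the 200/s default.
printf '%s\n' "$SAMPLE" | unreach_per_second
make_burst 250 | icmp_storm_check || echo "no originator exceeded the limit"
```

Counting per originator rather than per destination mirrors the unit of icmplim (responses per second leaving the host) and is also why blocking individual destinations in pf made no difference in the mail: the generator is the router itself. Running the same check against a capture taken after switching to `block drop` should leave the router's address out of the output entirely.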