Date: Tue, 14 Apr 2009 17:41:56 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: max-src-conn issue
Message-ID: <200904141741.56835.max@love2party.net>
In-Reply-To: <49E39547.201@citrin.ru>
References: <49E39547.201@citrin.ru>
Hello Anton,

On Monday 13 April 2009 21:40:55 Anton Yuzhaninov wrote:
> It seems that max-src-conn is broken under FreeBSD, and not useful
> to limit incoming connections.
>...
> No new state is created, but packets matching the first rule are passed,
> while they should be dropped.
>
> Because of this, a new half-open connection is created (in SYN_RCVD state).
>
> This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
> many sockets as they want on the attacked host, even when the number of
> connections is limited by pf.
>
> $ uname -psv
>
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009
> citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when
> the limit is reached, packets matched by the first rule are dropped, and
> no new state is created.

This is indeed a problem in FreeBSD. A workaround is to use "synproxy state"
instead of a simple "keep state" - this way the connection won't make it
through to the final destination and is blocked at the firewall.

The fix is a bit intrusive, but I might get to it - could you submit a PR
with your analysis, please? Possibly add whether the "synproxy state"
workaround fixes things for you.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
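As an added illustration of the workaround discussed above (an example pf.conf written for this page, not taken from the thread, from Anton's original rules or from FreeBSD's pf sources): the first pass rule is the "keep state" form whose failure mode Anton reports, the second swaps in "synproxy state" as Max suggests. The interface name, service port, connection limits and table name are assumed placeholder values.

```pf
# Added example, not from the original mail. Assumed placeholder values:
# external interface em0, service port 22, limits of 15 concurrent
# connections and 5 new ones per 3 seconds, overload table <bruteforce>.
ext_if = "em0"
table <bruteforce> persist

# Drop everything from sources that already tripped the limit.
block in quick on $ext_if from <bruteforce>

# Variant A: the rule shape from the report. On the FreeBSD 8.0-CURRENT
# build Anton tested, a source over max-src-conn gets no new state, but
# its SYN still matches this pass rule and reaches the listening socket,
# leaving a half-open connection in SYN_RCVD on the host.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <bruteforce> flush global)

# Variant B: the workaround from the reply. With synproxy state pf answers
# the handshake itself and only opens the connection to the destination
# after the third packet, so a SYN that yields no state is never seen by
# the host's socket. Use A or B, not both; both are shown for comparison.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3, \
                    overload <bruteforce> flush global)
```

The trade-off of variant B is that the firewall completes every TCP handshake on the server's behalf, so pf must see both directions of the traffic for the proxied connection to work; it is a sound choice on an edge firewall in front of the host, and the tradeoff is worth checking before applying it on a box where traffic can route asymmetrically.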