Date:      Thu, 09 Sep 2010 14:19:11 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        "Marat N.Afanasyev" <amarat@ksu.ru>
Cc:        Gareth de Vaux <bsd@lordcow.org>, stable@freebsd.org
Subject:   Re: ipfw: Too many dynamic rules 
Message-ID:  <20100909211911.2EA991CC3A@ptavv.es.net>
In-Reply-To: Your message of "Thu, 09 Sep 2010 22:03:10 +0400." <4C89215E.7010203@ksu.ru> 

> Date: Thu, 09 Sep 2010 22:03:10 +0400
> From: "Marat N.Afanasyev" <amarat@ksu.ru>
> Sender: owner-freebsd-stable@freebsd.org
> 
> Gareth de Vaux wrote:
> > Hi again, I use some keep-state rules in ipfw, but get the following
> > kernel message:
> >
> > kernel: ipfw: install_state: Too many dynamic rules
> >
> > when presumably my state table reaches its limit (and I effectively
> > get DoS'd).
> >
> > netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> > my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
> >
> > I can increase my net.inet.ip.fw.dyn_max but the new limit will
> > simply be reached later on.
> >
> > I currently get around this with a cronjob that sets
> > net.inet.ip.fw.dyn_keepalive to 0 for just less than 5 minutes
> > every night. If I leave it at 0 for longer or indefinitely then
> > idle ssh sessions and the like are dropped. This works fine for
> > me but it looks like there's some bug with net.inet.ip.fw.dyn_keepalive=1?
> > Or with Apache?
> >
> > I'm using 8.1-STABLE, GENERIC kernel. Experienced the same behaviour
> > on 8.0-RELEASE, but not on 6.1-RELEASE where I had a similar setup. I
> > have a KeepAliveTimeout of 4 in Apache (2.2.16).
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> >
> I wonder, are these dynamic rules really necessary? let's see, a client 
> connects to your web-server and you immediately should create a new 
> dynamic rule, therefore you participate in this DoS attack as well as 
> attacker. ;)

I'll be more blunt...stateful firewalls should NEVER be placed in front
of externally accessible services. Access filters are fine, but stateful
firewalls are nothing but a denial of service waiting to
happen. Security pros have always known this, but too many folks insist
that there be a firewall in front of everything and that is simply an
invitation to problems.

Marat is right! Just don't even try. An attacker can ALWAYS overwhelm
the state tables in a stateful firewall. It's just way too easy. There
was a long discussion of this a while back on a network ops list I
participate in and noobs kept claiming that you have to have a stateful
firewall in front of everything while the real operational security folks
(like those at Y! and Google) kept explaining that it just does not
work.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
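An added example, not part of the thread and not anything its authors posted: the two ways to admit traffic to a public web server in ipfw, the keep-state form Gareth describes (which is what fills the table up to net.inet.ip.fw.dyn_max) beside the stateless setup/established access filter that Kevin's advice amounts to. The IPFW and WEB_PORT variables, the rule numbers and the function names are this example's own choices; by default IPFW expands to "echo ipfw" so the script only prints the rules and runs anywhere as a dry run.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: IPFW="echo ipfw"
# prints each rule; IPFW=ipfw applies it. WEB_PORT and the rule numbers
# are arbitrary choices for the illustration.
IPFW="${IPFW:-echo ipfw}"
WEB_PORT="${WEB_PORT:-80}"

# Variant A: stateful. Every SYN accepted by the keep-state rule installs a
# dynamic rule in the kernel's state table. A client that opens (or
# half-closes, leaving FIN_WAIT_2) connections faster than they expire
# drives net.inet.ip.fw.dyn_count up to dyn_max, at which point
# install_state logs "Too many dynamic rules" and new flows are refused.
stateful_web_rules() {
    $IPFW add 100 check-state
    $IPFW add 110 allow tcp from any to me "$WEB_PORT" setup keep-state
    $IPFW add 120 deny tcp from any to me "$WEB_PORT"
}

# Variant B: stateless access filter. 'setup' admits the initial SYN and
# 'established' (ACK or RST bit set) admits the rest of the conversation in
# both directions. Nothing is allocated per connection, so there is no
# table to exhaust. The trade-off is that ipfw no longer checks that an
# ACK-flagged packet belongs to a live connection; that check is left to
# the TCP stack of the server itself.
stateless_web_rules() {
    $IPFW add 100 allow tcp from any to me "$WEB_PORT" setup
    $IPFW add 110 allow tcp from any to me "$WEB_PORT" established
    $IPFW add 120 allow tcp from me "$WEB_PORT" to any established
    $IPFW add 130 deny tcp from any to me "$WEB_PORT"
}

# How many rules of a variant create per-connection state. In a dry run the
# rule text is on stdout, so this is a simple grep over it.
count_keep_state() {
    "$1" | grep -c 'keep-state' || true
}

# Usage: sh rules.sh stateless_web_rules        (print)
#        IPFW=ipfw sh rules.sh stateless_web_rules   (apply, as root)
if [ $# -gt 0 ]; then
    "$1"
fi
```

Run it with a function name as the only argument to print that variant; set IPFW=ipfw to apply it. The deny rules at the end of each variant are there so the example is a complete policy for the web port rather than a fragment that falls through to whatever follows.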
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100909211911.2EA991CC3A>