Date: Thu, 09 Sep 2010 14:19:11 -0700
From: "Kevin Oberman"
To: "Marat N.Afanasyev"
Cc: Gareth de Vaux, stable@freebsd.org
Subject: Re: ipfw: Too many dynamic rules
In-reply-to: Your message of "Thu, 09 Sep 2010 22:03:10 +0400." <4C89215E.7010203@ksu.ru>
Message-Id: <20100909211911.2EA991CC3A@ptavv.es.net>

> Date: Thu, 09 Sep 2010 22:03:10 +0400
> From: "Marat N.Afanasyev"
> Sender: owner-freebsd-stable@freebsd.org
>
> Gareth de Vaux wrote:
> > Hi again, I use some keep-state rules in ipfw, but get the following
> > kernel message:
> >
> > kernel: ipfw: install_state: Too many dynamic rules
> >
> > when presumably my state table reaches its limit (and I effectively
> > get DoS'd).
> >
> > netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> > my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
> >
> > I can increase my net.inet.ip.fw.dyn_max but the new limit will
> > simply be reached later on.
> >
> > I currently get around this with a cronjob that sets
> > net.inet.ip.fw.dyn_keepalive to 0 for just less than 5 minutes
> > every night. If I leave it at 0 for longer or indefinitely then
> > idle ssh sessions and the like are dropped. This works fine for
> > me but it looks like there's some bug with net.inet.ip.fw.dyn_keepalive=1?
> > Or with Apache?
> >
> > I'm using 8.1-STABLE, GENERIC kernel. Experienced the same behaviour
> > on 8.0-RELEASE, but not on 6.1-RELEASE where I had a similar setup. I
> > have a KeepAliveTimeout of 4 in Apache (2.2.16).
>
> I wonder, are these dynamic rules really necessary? Let's see, a client
> connects to your web-server and you immediately should create a new
> dynamic rule, therefore you participate in this DoS attack as well as
> attacker. ;)

I'll be more blunt...stateful firewalls should NEVER be placed in front
of externally accessible services. Access filters are fine, but stateful
firewalls are nothing but a denial of service waiting to happen. Security
pros have always known this, but too many folks insist that there be a
firewall in front of everything and that is simply an invitation to
problems.

Marat is right! Just don't even try. An attacker can ALWAYS overwhelm the
state tables in a stateful firewall. It's just way too easy.

There was a long discussion of this a while back on a network ops list I
participate in and noobs kept claiming that you have to have a stateful
firewall in front of everything while the real operational security folks
(like those at Y! and Google) kept explaining that it just does not work.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net    Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
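As an added example (not code from the thread or from the FreeBSD project), this sh fragment puts the advice above into ipfw terms: the public web ports get stateless setup/established rules so a connection flood never touches the dynamic table, keep-state is reserved for traffic the host itself initiates, and a small check reads net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max so the "Too many dynamic rules" condition is seen coming. The interface name, rule numbers and warning threshold are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD ipfw and the sysctls
# named in the thread (net.inet.ip.fw.dyn_count, net.inet.ip.fw.dyn_max).
# Interface name, rule numbers and threshold are assumptions.

WAN_IF="${WAN_IF:-em0}"   # assumed external interface

# Public web service handled statelessly: a 'setup' rule admits connection
# requests and an 'established' rule admits the rest of each flow. Nothing
# is written to the dynamic table, so a pile of half-open or FIN_WAIT_2
# connections cannot push dyn_count toward dyn_max through these rules.
install_web_rules() {
    ipfw -q add 1000 allow tcp from any to me 80,443 in via "$WAN_IF" setup
    ipfw -q add 1010 allow tcp from any to me 80,443 in via "$WAN_IF" established
    ipfw -q add 1020 allow tcp from me 80,443 to any out via "$WAN_IF"
    # keep-state is kept for connections this host initiates, where the
    # number of entries is bounded by what the host itself opens.
    ipfw -q add 2000 check-state
    ipfw -q add 2010 allow tcp from me to any out via "$WAN_IF" setup keep-state
}

# Share of the dynamic table in use, computed from the two counters.
# Prints an integer percentage; a zero or missing dyn_max yields 0.
dyn_usage_pct() {   # $1 = dyn_count, $2 = dyn_max
    [ "${2:-0}" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Read the live counters and return non-zero once usage crosses the
# threshold (default 80%), so a cron job can alert before install_state
# starts logging "Too many dynamic rules".
check_dyn_table() {   # $1 = warning threshold in percent
    count=$(sysctl -n net.inet.ip.fw.dyn_count)
    max=$(sysctl -n net.inet.ip.fw.dyn_max)
    pct=$(dyn_usage_pct "$count" "$max")
    if [ "$pct" -ge "${1:-80}" ]; then
        echo "ipfw dynamic table at ${pct}% (${count}/${max})" >&2
        return 1
    fi
    return 0
}
```

Run `install_web_rules` from the firewall script and `check_dyn_table 80` from cron; neither is invoked when the file is merely sourced.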