From: Kristof Provost
To: Eirik Øverby
Cc: "Lyndon Nerenberg (VE7TFX/VE6BBM)", FreeBSD pf
Subject: Re: RFC: enabling pf syncookies by default
Date: Wed, 28 Sep 2022 12:00:48 +0200
Message-ID: <110D82E0-1A45-4665-9FB6-55001FB2BC34@FreeBSD.org>
In-Reply-To: <6e1bfd9b47bd851de7b0c57862e960f0d80afe67.camel@modirum.com>
References: <6e1bfd9b47bd851de7b0c57862e960f0d80afe67.camel@modirum.com>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 28 Sep 2022, at 11:53, Eirik Øverby wrote:
> On Wed, 2022-09-28 at 11:44 +0200, Kristof Provost wrote:
>> On 27 Sep 2022, at 21:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
>>> Kristof Provost writes:
>>>
>>>> For those not familiar with it, syncookies are a mechanism to resist syn
>>>> flood DoS attacks. They're enabled by default in the IP stack, but if
>>>> you're running pf a syn flood would still exhaust pf's state table,
>>>> even if the network stack itself could cope.
>>>
>>> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but
>>> before you do this you should look at the recent set of patches
>>> Henning committed to the OpenBSD -snapshot pf source.
>>>
>>> We found an evil bug lurking in pf where, if a single source address
>>> was recycling source ports fast enough to re-use the same source
>>> addr:port pair while the old connection still had a FINWAIT2 state
>>> table entry, the new connection attempt would get dropped on the
>>> floor. The patch cleaned up most of the problem, but when we
>>> recently put the patched pf into production we were still seeing
>>> dropped connection requests. We haven't been able to specifically
>>> reproduce the problem yet, but if you're front-ending a busy web
>>> site, e.g., I would be wary of enabling syncookies at the moment
>>> until this bug gets stamped out once and for all.
>>>
>> Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.
>>
>> I've not yet heard any reports of similar issues on FreeBSD, but that doesn't mean they don't exist of course.
>>
>> At a minimum I'll hold off on making this change until I've had a chance to work out if we're affected by the issue Henning fixed or not.
>>
>> Eirik, do you have instrumentation to work out if this is happening to you?
>
> Sadly no - we'd need some guidance on that. But I assume it would only
> be an issue if we're above the watermark for adaptive mode, right?
>
Yes. While we're inactive in adaptive mode there's no difference in behaviour.

Kristof
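An added pf.conf example of the adaptive-mode watermark Eirik asks about, beside the unconditional "always" setting; this is not from the thread, and the states limit of 100000 is an assumed value.

```pf
# pf.conf fragment (added example; the limit value is an assumption)
set limit states 100000

# "always" answers every incoming SYN with a syncookie, so pf's handshake
# handling changes unconditionally; this is the mode the thread is wary of.
# set syncookies always

# "adaptive" leaves pf's behaviour unchanged until the state table reaches
# the start watermark (25% of the states limit, i.e. 25000 entries here)
# and turns syncookies off again once usage falls below the end watermark
# (12%, i.e. 12000 entries). Below the start watermark nothing differs.
set syncookies adaptive (start 25%, end 12%)
```

pfctl -s info reports the configured syncookie mode and whether it is currently active, which tells you if the start watermark has been crossed.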