From owner-freebsd-pf@freebsd.org Fri Sep 22 10:07:55 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 222126] pf is not clearing expired states
Date: Fri, 22 Sep 2017 10:07:55 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: hlh@restart.be
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: "Technical discussion and general questions about packet filter (pf)"
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126

--- Comment #21 from hlh@restart.be ---

Here is my pf.conf:

# $FreeBSD: src/etc/pf.conf,v 1.3 2006/01/27 17:16:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
#ext_if="ext0"		# replace with actual external interface name i.e., dc0
#int_if="int0"		# replace with actual internal interface name i.e., dc1
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"

#--- RestartSoft ---
int_if="awg0"
int_net="192.168.24.0/24, 2001:41d0:8:bdbe:1::/80"
vdsl_if="ng0"
tunnel_if="gif0"
virtualbox_net="192.168.22.0/24, 2001:41d0:8:bdbe:2::/80"
tignes="5.135.182.190"
ftp_passive="30000:31000"
smtp1="24"
http1="8080"
squid="3128"
tcp_services="{" "ftp" $ftp_passive $smtp1 $squid "nntp" "http" $http1 "https" "}"
bittorrent="6881:6889"
donkey_tcp="{ 4662 6346 6347 6667 6881 6882 7254 21776 }"
donkey_udp="{ 4666 6346 6347 7254 21780 }"
meribel="192.168.24.8"
platon="192.168.24.192"
emule_tcp="{ 4242 4661 4662 4881 }"
emule_udp="{ 4246 4665 4672 }"

# Tables: similar to macros, but more flexible for many addresses.
#table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

#--- RestartSoft ---
table const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table const { $int_net, $virtualbox_net }
table persist

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#--- RestartSoft ---
set limit { states 30000, src-nodes 20000, frags 20000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
#--- RestartSoft ---
set block-policy drop
set debug urgent
set loginterface $vdsl_if
set state-policy if-bound

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
#--- RestartSoft ---
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
#--- RestartSoft ---
#- altq on $vdsl_if bandwidth 10Mb cbq queue { dflt, p2p_upload }
#- queue dflt bandwidth 80% cbq(default)
#- queue p2p_upload bandwidth 20%

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)
#--- RestartSoft ---
# Translate all internal networks
# Special case for ekiga (voip) on meribel
nat on $vdsl_if proto udp from $meribel to any -> ($vdsl_if) static-port
nat on $vdsl_if inet from to any -> ($vdsl_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table .
#table persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
#--- RestartSoft ---
# Ekiga is running on meribel (192.168.24.8)
rdr on $vdsl_if proto udp from any to ($vdsl_if) port 5000:5100 -> $meribel
rdr on $vdsl_if proto tcp from any to ($vdsl_if) port 1720 -> $meribel

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state
#--- RestartSoft ---
# Setup a default deny policy
block in log all
block out log all

# pass incoming packets destined to the addresses given in table .
#pass in on $ext_if proto { tcp, udp } from any to port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state

# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before using user/group rules.
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
#--- RestartSoft ---
# Skip filtering on loopback interfaces
set skip on lo0

# Block Spoofed Packets
# antispoof doesn't work for bridge
block in log quick from ($int_if) to any

# Block RFC1918 addresses on VDSL
block log quick on $vdsl_if from to any

# Block bad hosts trying ssh or smtp
block log quick on $vdsl_if from to any

# Block networks known to use Windows Metafile Vulnerability ---
# see http://isc.sans.org/diary.php?storyid=997
block log quick on $vdsl_if from {69.50.160.0/19, 85.255.112.0/20 } to any

# Allow traffic between physical internal networks (bridge0)
#- pass in quick on $int_if0 all no state
#- pass out quick on $int_if0 all no state
#- pass in quick on $int_if1 all no state
#- pass out quick on $int_if1 all no state

# Allow traffic with physical internal networks
pass quick on $int_if from ($int_if:network) to ($int_if:network) keep state
pass in quick on $int_if from ($int_if:network) to ($vdsl_if) keep state
pass quick on $int_if proto ipencap

# Allow traffic with virtualbox internal network
pass in quick on $int_if from {$virtualbox_net} to ($int_if) keep state
pass in quick on $int_if from {$virtualbox_net} to ($vdsl_if) keep state
pass out quick on $int_if from ($int_if) to {$virtualbox_net} keep state

# Allow physical internal networks to go to INTERNET - caveat quick keyword
#- pass in quick on $int_if proto tcp from $platon to any port $emule_tcp keep state queue p2p_upload
#- pass in quick on $int_if proto udp from $platon to any port $emule_udp keep state queue p2p_upload
pass in quick on $int_if from ($int_if:network) to any keep state

# Allow virtualbox internal network to go to INTERNET
pass in quick on $int_if from {$virtualbox_net} to any keep state

# Allow all connections that I initiate to INTERNET
pass out quick on $vdsl_if proto { tcp, udp, icmp } all keep state

# Allow DNS and NTP (keep state take care of this)
#- pass in quick on $vdsl_if proto udp from any port domain to ($vdsl_if)
#- pass in quick on $vdsl_if proto udp from any port ntp to ($vdsl_if) port ntp

# Allow resolvers on INTERNET to use our DNS
#- pass in quick on $vdsl_if proto udp from any to ($vdsl_if) port domain

# Allow IPv4 PING from everywhere
pass quick inet proto icmp all icmp-type echoreq keep state

# Allow NEEDFRAG from everywhere (see /usr/include/netinet/ip_icmp.h)
pass in quick inet proto icmp all icmp-type unreach code needfrag keep state

# Allow icmp6 from everywhere
pass in quick inet6 proto icmp6 all

# Reserved for test of mpd-4.3 with synproxy
pass in quick on $vdsl_if proto tcp from any to ($vdsl_if) port 8000 flags S/SA synproxy state

# Allow everyone on INTERNET to connect to the following services
#--- NOTE --- synproxy can't work on $vdsl_if managed by mpd4.2.2 / mpd4.3
pass in quick on $vdsl_if proto tcp from any to ($vdsl_if) port ssh flags S/SA keep state (source-track rule, max-src-conn-rate 1/30, overload flush global)
pass in quick on $vdsl_if proto tcp from any to ($vdsl_if) port smtp flags S/SA keep state (source-track rule, max-src-conn-rate 15/10, overload flush global)
pass in quick on $vdsl_if proto tcp from any to ($vdsl_if) port $tcp_services flags S/SA keep state

# Services in IPv6 (no IPv4 routing in tunnel)
pass in quick on $tunnel_if proto tcp from any to any port $tcp_services flags S/SA keep state

# Allow BitTorrent traffic with INTERNET
pass in quick on $vdsl_if proto tcp from any to ($vdsl_if) port $bittorrent flags S/SA keep state

# Allow Donkey traffic with INTERNET
pass in quick on $vdsl_if proto tcp from any to ($vdsl_if) port $donkey_tcp flags S/SA keep state
pass in quick on $vdsl_if proto udp from any to ($vdsl_if) port $donkey_udp keep state

# Allow ekiga traffic (on meribel - see rdr)
pass in quick on $vdsl_if proto udp from any to any port 5000:5100 keep state
pass in quick on $vdsl_if proto tcp from any to any port 1720 keep state
pass out quick on $int_if proto udp from any to any port 5000:5100 keep state
pass out quick on $int_if proto tcp from any to any port 1720 keep state

# Allow IPsec
pass in quick on $vdsl_if proto udp from any to ($vdsl_if) port isakmp keep state
pass out quick on $vdsl_if proto udp from ($vdsl_if) to any port isakmp keep state
pass in quick on $vdsl_if proto udp from any to ($vdsl_if) port 4500 keep state
pass in quick on $vdsl_if proto ah from any to ($vdsl_if)
pass out quick on $vdsl_if proto ah from ($vdsl_if) to any
pass in quick on $vdsl_if proto esp from any to ($vdsl_if)
pass out quick on $vdsl_if proto esp from ($vdsl_if) to any

# Allow IPv6 with tignes - tunnelling without encryption
pass quick on $vdsl_if inet proto ipv6
pass quick on $tunnel_if inet6

# Allow IPv4 with tignes - tunnelling without encryption
pass in quick on $vdsl_if proto ipencap from $tignes to ($vdsl_if)
pass out quick on $vdsl_if proto ipencap from ($vdsl_if) to $tignes
pass quick on $tunnel_if inet

# Allow IPV6 with internal networks
pass quick on $int_if inet6

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
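The configuration above raises the state limit to 30000 and keeps the default timeouts, so the useful check for the reported symptom is whether entries whose lifetime has run out are still sitting in the state table. The script below is an added example, not part of the bug report or of FreeBSD; it tallies a saved `pfctl -ss -vv` listing and reads the `states` limit from a pf.conf fragment. The listing and the fragment are constructed, and the verbose state layout (`age ..., expires in ..., ... rule N`) is assumed to match FreeBSD 11's `pfctl` output.

```shell
#!/bin/sh
# Added diagnostic for the "states not expiring" symptom; not from the bug
# report. It works on a saved `pfctl -ss -vv` listing so it runs offline.

# Constructed sample in the (assumed) FreeBSD 11 verbose state format: an
# interface/proto/endpoint line followed by "age ..., expires in ..." lines.
SAMPLE_STATES='ng0 tcp 5.135.182.190:22 <- 192.0.2.10:40001       ESTABLISHED:ESTABLISHED
   age 00:10:03, expires in 23:49:57, 120:98 pkts, 16444:9020 bytes, rule 40
   id: 0000000059c4ab1200000001 creatorid: 2fbe7c8e
ng0 udp 192.0.2.20:53 <- 198.51.100.7:51000       SINGLE:NO_TRAFFIC
   age 00:05:00, expires in 00:00:00, 1:0 pkts, 60:0 bytes, rule 41
   id: 0000000059c4ab1200000002 creatorid: 2fbe7c8e
awg0 tcp 192.168.24.8:1720 <- 203.0.113.5:2000       FIN_WAIT_2:FIN_WAIT_2
   age 01:00:00, expires in 00:00:00, 20:20 pkts, 1000:1000 bytes, rule 42
   id: 0000000059c4ab1200000003 creatorid: 2fbe7c8e'

# Constructed pf.conf fragment mirroring the report's state limit.
SAMPLE_CONF='set limit { states 30000, src-nodes 20000, frags 20000 }'

# Print "<total> <stale>": states listed, and those whose remaining lifetime
# already reads 00:00:00. A stale count that keeps growing between two
# snapshots means the purge thread is not removing expired entries.
count_stale_states() {
    printf '%s\n' "$1" | awk '
        /expires in/ { total++; if ($0 ~ /expires in 00:00:00/) stale++ }
        END { printf "%d %d\n", total + 0, stale + 0 }'
}

# Extract the configured "states" limit; pf defaults to 10000 when unset.
state_limit() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*set[[:space:]]+limit/ {
            for (i = 1; i <= NF; i++)
                if ($i == "states") { v = $(i + 1); gsub(/[^0-9]/, "", v); print v; found = 1 }
        }
        END { if (!found) print 10000 }'
}

# One-line summary: stale states and how full the table is against the limit.
stale_report() {
    set -- $(count_stale_states "$1") "$(state_limit "$2")"
    printf 'states=%s stale=%s limit=%s\n' "$1" "$2" "$3"
}

stale_report "$SAMPLE_STATES" "$SAMPLE_CONF"
# On a live host: stale_report "$(pfctl -ss -vv)" "$(cat /etc/pf.conf)"
```

Compare the `states=` figure with the "current entries" line of `pfctl -si`; the two should agree, and both should stay well under the limit if expiry is working.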