Date: Mon, 13 Apr 2009 23:40:55 +0400
From: Anton Yuzhaninov <citrin@citrin.ru>
To: freebsd-pf@freebsd.org
Subject: max-src-conn issue
Message-ID: <49E39547.201@citrin.ru>
Hi All.

It seems that max-src-conn is broken under FreeBSD, and not useful to limit incoming connections.

1. I have added 2 rules:

$ pfctl -s rule
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh

2. Open 3 ssh connections:

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED

$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.90.156.47767     ESTABLISHED

3. When I tried to open one more connection, packets matched by the first rule were passed, but a state was not created.

$ pfctl -z

On remote host: ssh 81.19.90.176

$ pfctl -v -s rule
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
  [ Evaluations: 752       Packets: 2         Bytes: 120         States: 3     ]
  [ Inserted: uid 0 pid 98818 ]
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
  [ Evaluations: 2         Packets: 2         Bytes: 128         States: 0     ]
  [ Inserted: uid 0 pid 98818 ]

$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED

$ netstat -np tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0  81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.90.156.47767     ESTABLISHED

A new state was not created, but packets matching the first rule were passed, while they should be dropped. Because of this a new half-open connection is created (in SYN_RCVD state). This makes max-src-conn not very useful under FreeBSD - bad guys can eat as many sockets as they want on the attacked host, even when the number of connections is limited by pf.

$ uname -psv
FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009     citrin@citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64

I have tested the same rules on OpenBSD 4.4 - they work as expected - when the limit is reached, packets matched by the first rule are dropped, and a new state is not created.

-- 
Anton Yuzhaninov
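An added check, not code from the original message or from the pf project: it correlates the output of `pfctl -s state` with `netstat -np tcp` (constructed sample output in the format shown in the report, using its addresses) and counts, per remote address, the kernel TCP sockets that pf holds no state for, which is exactly the half-open SYN_RCVD socket described above. The parser assumes rules without NAT, so each state line carries only two endpoints.

```python
import re
from collections import defaultdict
# Constructed sample output in the format of `pfctl -s state` and `netstat -np tcp`,
# using the addresses from the report above.
PFCTL_STATES = """\
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
"""
NETSTAT_TCP = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0  81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0  81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
"""
# Left endpoint is local, right is remote, for both "<-" (inbound) and "->" (outbound).
# Assumes no NAT, which would add a third "(...)" address to the line.
PF_STATE_RE = re.compile(r"^\S+\s+tcp\s+(\S+?):(\d+)\s+(?:<-|->)\s+(\S+?):(\d+)\s")

def parse_pf_states(text):
    """Set of ((local_ip, port), (remote_ip, port)) pairs that pf is tracking."""
    conns = set()
    for m in (PF_STATE_RE.match(line) for line in text.splitlines()):
        if m:
            conns.add(((m[1], int(m[2])), (m[3], int(m[4]))))
    return conns

def parse_netstat(text):
    """Map ((local_ip, port), (remote_ip, port)) -> TCP state from netstat output."""
    socks = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header lines
        (lip, lport), (rip, rport) = f[3].rsplit(".", 1), f[4].rsplit(".", 1)
        if lport.isdigit() and rport.isdigit():  # skips LISTEN sockets ("*.*")
            socks[((lip, int(lport)), (rip, int(rport)))] = f[5]
    return socks

def untracked_by_source(pf_text, netstat_text):
    """Per remote address, count kernel TCP sockets that pf holds no state for: the
    report's symptom, where pf stopped creating states but still passed the SYN and
    the kernel now holds a half-open (SYN_RCVD) socket for it."""
    tracked = parse_pf_states(pf_text)
    counts = defaultdict(int)
    for (_, (rip, _)) in (c for c in parse_netstat(netstat_text) if c not in tracked):
        counts[rip] += 1
    return dict(counts)
```

Run against live output (`pfctl -s state` and `netstat -np tcp` piped in) it gives a quick per-source count of sockets that reached the kernel without pf tracking them.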