amd64/182401: pf state for some IPs reaches 4294967295 suspiciously

Oguz YILMAZ oguz at labristeknoloji.com
Thu Sep 26 08:40:00 UTC 2013


>Number:         182401
>Category:       amd64
>Synopsis:       pf state for some IPs reaches 4294967295 suspiciously
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 26 08:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Oguz YILMAZ
>Release:        10.0-ALPHA2
>Organization:
Labris Networks
>Environment:
FreeBSD myhost 10.0-ALPHA2 FreeBSD 10.0-ALPHA2 #2: Sat Sep 21 22:43:44 EEST 2013     root at compile:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
I have found that one of my NMS monitoring points is blocked by the FreeBSD 10 Alpha 2 server I am testing.

After inspection, I have found it is blocked because of the max-src-conn overload pf rule. However, it is not possible for that host to open such a high number of states.

When I inspected, I found that several other clients are blocked by this router.

# pfctl -sS  | grep 4294967295
No ALTQ support in kernel
ALTQ related functions disabled
95.6.50.84 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
188.38.79.212 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
141.0.11.129 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
95.10.221.139 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
212.252.119.108 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
198.72.108.244 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
198.72.108.244 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
46.1.140.55 -> 0.0.0.0 ( states 4294967294, connections 4294967295, rate 0.0/3s )
81.214.44.73 -> 0.0.0.0 ( states 4294967295, connections 4294967295, rate 0.0/3s )
46.197.233.175 -> 0.0.0.0 ( states 4294967289, connections 4294967295, rate 0.0/3s )
78.177.41.73 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
95.0.207.25 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )

However, in reality the host only has 5 states:

[root at myhost ~]# pfctl -ss  | grep 95.6.50.84
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 95.6.50.84:3881 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 95.6.50.84:3759 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 95.6.50.84:3882 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 95.6.50.84:3849 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 95.6.50.84:3828 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED

>How-To-Repeat:
When I flush all states, in a few minutes several other 4294967295-state entries appear.
>Fix:
None.

>Release-Note:
>Audit-Trail:
>Unformatted:
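A check for the symptom in this report, as an added example that is not part of the PR or of pf itself: it parses `pfctl -sS` and `pfctl -ss` output (constructed samples modelled on the lines quoted above), flags source-tracking entries whose state counter sits just below 2^32, the signature of an unsigned 32-bit counter that has underflowed, and shows the real number of states next to it. The line formats and the 1024-count window are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -sS` (source-tracking table) output, modelled on
# the report; the two ALTQ banner lines are noise and are skipped by the parser.
SOURCE_TABLE = """\
No ALTQ support in kernel
ALTQ related functions disabled
95.6.50.84 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )
46.1.140.55 -> 0.0.0.0 ( states 4294967294, connections 4294967295, rate 0.0/3s )
10.0.0.7 -> 0.0.0.0 ( states 3, connections 1, rate 0.0/3s )
"""

# Constructed sample of `pfctl -ss` (state table) output for the same hosts.
STATE_TABLE = """\
all tcp 95.6.50.84:3881 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 95.6.50.84:3759 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.7:40001 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.7:40002 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.7:40003 -> 94.102.10.229:80       ESTABLISHED:ESTABLISHED
"""

UINT32_MAX = 2**32 - 1
WRAP_WINDOW = 1024  # assumption: a count this close below 2^32 is wrapped, not real

SRC_RE = re.compile(r"^(\S+) -> \S+ \( states (\d+), connections (\d+),")
STATE_RE = re.compile(r"^\S+ \S+ (\S+):\d+ ->")  # IPv4 "addr:port" form only

def parse_source_table(text):
    """Map source IP -> (states, connections) from `pfctl -sS` output."""
    out = {}
    for line in text.splitlines():
        m = SRC_RE.match(line)
        if m:
            out[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out

def count_states(text):
    """Count live state-table entries per source IP in `pfctl -ss` output."""
    return Counter(m.group(1) for m in map(STATE_RE.match, text.splitlines()) if m)

def wrapped_counters(source_table, state_table):
    """Return [(ip, reported_states, actual_states)] for every source-tracking
    entry whose counter is within WRAP_WINDOW of UINT32_MAX, i.e. underflowed."""
    actual = count_states(state_table)
    findings = []
    for ip, (states, _conns) in parse_source_table(source_table).items():
        if states >= UINT32_MAX - WRAP_WINDOW:
            findings.append((ip, states, actual.get(ip, 0)))
    return findings

if __name__ == "__main__":
    for ip, reported, real in wrapped_counters(SOURCE_TABLE, STATE_TABLE):
        print(f"{ip}: pf reports {reported} states, state table shows {real}")
```

On a live router, feed the output of `pfctl -sS` and `pfctl -ss` into the two functions; any hit means the overload rule is blocking on a bogus counter rather than on real connections.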