max-src-conn issue

Anton Yuzhaninov citrin at citrin.ru
Mon Apr 13 13:02:15 PDT 2009


Hi All.

It seems that max-src-conn is broken under FreeBSD and is not useful for limiting incoming connections.

1. I have added 2 rules:

$ pfctl -s rule 

pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh

2. Open 3 ssh connections:

$ pfctl -s state 

all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED

$ netstat -n -p tcp 

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED

3. When I tried to open one more connection, packets matched by the first rule were passed, but a state was not created.

$ pfctl -z

On remote host:
ssh 81.19.90.176

$ pfctl -v -s rule
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3)
   [ Evaluations: 752       Packets: 2         Bytes: 120         States: 3     ]
   [ Inserted: uid 0 pid 98818 ]
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
   [ Evaluations: 2         Packets: 2         Bytes: 128         States: 0     ]
   [ Inserted: uid 0 pid 98818 ]
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
$ netstat -np tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED

A new state is not created, but packets matching the first rule are passed, while they should be dropped.

Because of this, a new half-open connection is created (in SYN_RCVD state).

This makes max-src-conn not very useful under FreeBSD - bad guys can eat as many sockets as they want on the attacked host, even when the number of connections is limited by pf.

$ uname -psv 

FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr  8 05:31:05 MSD 2009 
citrin at citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64

I have tested the same rules on OpenBSD 4.4 - they work as expected: when the limit is reached, packets matched by the first rule are dropped, and no new state is created.

-- 
  Anton Yuzhaninov
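The symptom above is a kernel socket that exists without a matching pf state. The following script is an added check, not part of the message or of pf; it parses `pfctl -s state` and `netstat -n -p tcp` output (the message's own output is embedded as constructed sample input) and reports TCP sockets pf has no state for, plus half-open sockets per remote host.

```python
from collections import Counter

# Constructed sample input: the pfctl and netstat output quoted in the message,
# captured after the fourth SSH connection attempt (48149 is the one without a state).
PF_STATES = """\
all tcp 81.19.90.176:22 <- 81.19.90.156:47767       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768       ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769       ESTABLISHED:ESTABLISHED
"""

NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0 81.19.90.176.22        81.19.90.156.48149     SYN_RCVD
tcp4       0      0 81.19.90.176.22        81.19.90.156.47769     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47768     ESTABLISHED
tcp4       0      0 81.19.90.176.22        81.19.90.156.47767     ESTABLISHED
"""

def pf_tcp_pairs(text):
    """Endpoint pairs pf holds a TCP state for, direction-agnostic (<-, -> or <->)."""
    pairs = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[1] == "tcp" and f[3] in ("<-", "->", "<->"):
            pairs.add(frozenset((f[2], f[4])))
    return pairs

def netstat_tcp_sockets(text):
    """Yield (local, foreign, state) with host:port endpoints; LISTEN sockets are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] != "LISTEN":
            local = "%s:%s" % tuple(f[3].rsplit(".", 1))    # netstat uses '.' before the port
            foreign = "%s:%s" % tuple(f[4].rsplit(".", 1))
            yield local, foreign, f[5]

def sockets_without_pf_state(pf_text, netstat_text):
    """Kernel TCP sockets with no pf state: packets reached the stack without a state."""
    known = pf_tcp_pairs(pf_text)
    return [(l, r, s) for l, r, s in netstat_tcp_sockets(netstat_text)
            if frozenset((l, r)) not in known]

def half_open_per_source(netstat_text):
    """Number of SYN_RCVD sockets per remote host, a per-source view of socket pressure."""
    c = Counter()
    for _, foreign, state in netstat_tcp_sockets(netstat_text):
        if state == "SYN_RCVD":
            c[foreign.rsplit(":", 1)[0]] += 1
    return dict(c)

if __name__ == "__main__":
    for sock in sockets_without_pf_state(PF_STATES, NETSTAT):
        print("no pf state:", *sock)
    print("half-open per source:", half_open_per_source(NETSTAT))
```

Only meaningful for traffic that pf is expected to keep state for; connections admitted by stateless rules or on interfaces pf does not filter will also show up as stateless.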


More information about the freebsd-pf mailing list