max-src-conn issue
Anton Yuzhaninov
citrin at citrin.ru
Mon Apr 13 13:02:15 PDT 2009
Hi All.
It seems that max-src-conn is broken under FreeBSD and is not useful for limiting incoming
connections.
1. I have added 2 rules:
$ pfctl -s rule
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state
(source-track rule, max-src-conn 3)
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
2. Open 3 ssh connections:
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.90.156:47767 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769 ESTABLISHED:ESTABLISHED
$ netstat -n -p tcp
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 81.19.90.176.22 81.19.90.156.47769 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.90.156.47768 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.90.156.47767 ESTABLISHED
3. When I tried to open one more connection, packets matched by the first rule were passed, but
no state was created.
$ pfctl -z
On remote host:
ssh 81.19.90.176
$ pfctl -v -s rule
pass quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh flags S/SA keep state
(source-track rule, max-src-conn 3)
[ Evaluations: 752 Packets: 2 Bytes: 120 States: 3 ]
[ Inserted: uid 0 pid 98818 ]
block drop quick on re0 inet proto tcp from 81.19.90.0/23 to any port = ssh
[ Evaluations: 2 Packets: 2 Bytes: 128 States: 0 ]
[ Inserted: uid 0 pid 98818 ]
$ pfctl -s state
all tcp 81.19.90.176:22 <- 81.19.90.156:47767 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769 ESTABLISHED:ESTABLISHED
$ netstat -np tcp
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 81.19.90.176.22 81.19.90.156.48149 SYN_RCVD
tcp4 0 0 81.19.90.176.22 81.19.90.156.47769 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.90.156.47768 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.90.156.47767 ESTABLISHED
A new state was not created, but packets matched by the first rule were passed, while they should
have been dropped. Because of this, a new half-open connection was created (in the SYN_RCVD state).
This makes max-src-conn not very useful under FreeBSD - bad guys can eat as many sockets as
they want on the attacked host, even when the number of connections is limited by pf.
$ uname -psv
FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr 8 05:31:05 MSD 2009
citrin at citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC amd64
I have tested the same rules on OpenBSD 4.4 - they work as expected: when the limit is reached,
packets matched by the first rule are dropped and no new state is created.
--
Anton Yuzhaninov
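To check a live host for the behaviour described in this post, here is an added Python example (not part of the original message) that parses the output of `pfctl -s state` and `netstat -np tcp` and reports, per source address, how many kernel TCP sockets exist beyond the states pf is tracking. A positive "untracked" count together with SYN_RCVD sockets is exactly the symptom shown above: pf has hit its per-source limit, yet the kernel is still accepting connections. The embedded listings are constructed in the format of the post's output; MAX_SRC_CONN, the port argument and the function names are assumptions for the example.

```python
"""Cross-check pf's state table against the kernel socket table.

The sample listings below are constructed in the format of the pfctl(8)
and netstat(1) output quoted in the report; they are not captured data.
"""
import re
from collections import defaultdict

MAX_SRC_CONN = 3  # assumed: the limit configured on the pass rule

# Constructed sample of `pfctl -s state` output (three tracked inbound states).
PFCTL_STATE = """\
all tcp 81.19.90.176:22 <- 81.19.90.156:47767 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47768 ESTABLISHED:ESTABLISHED
all tcp 81.19.90.176:22 <- 81.19.90.156:47769 ESTABLISHED:ESTABLISHED
"""

# Constructed sample of `netstat -np tcp` output after a fourth connection
# attempt: one half-open socket that pf never created a state for.
NETSTAT_TCP = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 81.19.90.176.22 81.19.90.156.48149 SYN_RCVD
tcp4 0 0 81.19.90.176.22 81.19.90.156.47769 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.90.156.47768 ESTABLISHED
tcp4 0 0 81.19.90.176.22 81.19.90.156.47767 ESTABLISHED
"""

# Only inbound pf states ("<-") are of interest for a per-source limit.
PF_STATE_RE = re.compile(
    r"^\S+\s+tcp\s+(?P<local>\S+):(?P<lport>\d+)\s+<-\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<state>\S+)$"
)
# netstat on FreeBSD separates address and port with a dot.
NETSTAT_RE = re.compile(
    r"^tcp4\s+\d+\s+\d+\s+(?P<local>\d+\.\d+\.\d+\.\d+)\.(?P<lport>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+(?P<state>\S+)$"
)


def pf_inbound_states(text, port):
    """Count pf inbound state entries per source address for the local port."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = PF_STATE_RE.match(line.strip())
        if m and int(m.group("lport")) == port:
            counts[m.group("src")] += 1
    return dict(counts)


def kernel_sockets(text, port):
    """Count kernel TCP sockets per source address for the local port,
    noting how many are still half-open (SYN_RCVD)."""
    counts = defaultdict(lambda: {"total": 0, "half_open": 0})
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m and int(m.group("lport")) == port:
            entry = counts[m.group("src")]
            entry["total"] += 1
            if m.group("state") == "SYN_RCVD":
                entry["half_open"] += 1
    return dict(counts)


def untracked_connections(pf_text, netstat_text, port, limit):
    """Per source: pf states, kernel sockets, half-open sockets, and the
    difference (sockets the kernel holds that pf is not tracking)."""
    states = pf_inbound_states(pf_text, port)
    sockets = kernel_sockets(netstat_text, port)
    report = {}
    for src, entry in sockets.items():
        tracked = states.get(src, 0)
        report[src] = {
            "pf_states": tracked,
            "kernel_sockets": entry["total"],
            "half_open": entry["half_open"],
            "untracked": entry["total"] - tracked,
            "at_limit": tracked >= limit,
        }
    return report


if __name__ == "__main__":
    result = untracked_connections(PFCTL_STATE, NETSTAT_TCP, 22, MAX_SRC_CONN)
    for src, r in result.items():
        flag = "UNTRACKED" if r["untracked"] > 0 else "ok"
        print(f"{src}: pf={r['pf_states']} kernel={r['kernel_sockets']} "
              f"half_open={r['half_open']} at_limit={r['at_limit']} {flag}")
```

On a real host, feed it the two listings captured back to back, since a state that expires between the two snapshots would otherwise show up as a false "untracked" socket; a persistent positive count for a source that is already at the limit is the condition to alert on.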