max-src-conn issue

Max Laier max at love2party.net
Tue Apr 14 08:41:59 PDT 2009


Hello Anton,

On Monday 13 April 2009 21:40:55 Anton Yuzhaninov wrote:
> It seems that max-src-conn is broken under FreeBSD, and not useful
> for limiting incoming connections.
>...
> A new state is not created, but packets matching the first rule are passed,
> while they should be dropped.
>
> Because of this a new half-open connection is created (in SYN_RCVD state).
>
> This makes max-src-conn not very useful under FreeBSD - bad guys can eat as
> many sockets as they want on the attacked host, even when the number of
> connections is limited by pf.
>
> $ uname -psv
>
> FreeBSD FreeBSD 8.0-CURRENT #0: Wed Apr  8 05:31:05 MSD 2009
> citrin at citrin.park.rambler.ru:/usr/obj/usr/src/sys/GENERIC  amd64
>
> I have tested the same rules on OpenBSD 4.4 - they work as expected - when
> the limit is reached, packets matched by the first rule are dropped, and no
> new state is created.

This is indeed a problem in FreeBSD.  A workaround solution is to use 
"synproxy state" instead of a simple "keep state" - this way the connection 
won't make it through to the final destination and is blocked at the firewall.

The fix is a bit intrusive, but I might get to it - could you submit a PR with 
your analysis, please?  Possibly add if the "synproxy state" workaround fixes 
things for you.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
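The two rule styles discussed above, side by side, as an added pf.conf fragment for illustration; it is not Anton's original ruleset nor code from Max or the pf project, and the interface name, port, limit and table name are assumptions:

```pf
# Added illustration, not from the thread.  Assumed: external interface em0,
# a web server on port 80, a per-source limit of 10 and a table <abusers>.
ext_if = "em0"
table <abusers> persist

# Default block, so only the rules below let traffic through.
block in on $ext_if

# Sources that overflowed the limit are cut off early.  "quick" stops rule
# evaluation here, so this must sit above the pass rule.
block in quick on $ext_if from <abusers>

# Style from the bug report: plain "keep state" with max-src-conn.
# On the FreeBSD build in the thread, once the limit is reached pf creates
# no new state but still passes the SYN, so the server behind the firewall
# ends up with a half-open (SYN_RCVD) socket for every extra connection.
# (Kept commented out; it is the "before" form.)
# pass in on $ext_if proto tcp to any port 80 keep state \
#     (max-src-conn 10, overload <abusers> flush)

# Workaround from the reply: "synproxy state".  pf completes the TCP
# three-way handshake with the client itself and only opens the connection
# to the server afterwards, so a source that is already over max-src-conn
# never gets a half-open socket on the destination host.
pass in on $ext_if proto tcp to any port 80 synproxy state \
    (max-src-conn 10, overload <abusers> flush)
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t abusers -T show` lists sources that hit the limit.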
