Hi,
Sources is a table, so you need to use the Table commands to flush it.
pfctl -t Sources -T flush
To give you an idea...
I have a "blocklist" that I am keeping updated hourly from
http://lists.blocklist.de/
I've found the maximum number of hosts on my system in a table is
somewhere between 450,000 and 500,000 entries. I load it up with the
450,000 most recent "bad hosts" from the above website.
Are you really getting that many flooders to your website?
Have you increased the maximum size of your tables in the pf.conf?
I have:
# For the blocklist table
set limit table-entries 500000
I also have a cron job that dumps my overloaded list hourly.
0 * * * * /var/spamd/bad-hosts/dump_bad-hosts > /dev/null 2>&1
Then in my pf.conf, I have:
# ssh clients trying too fast
# See the pass rule below for populating this table.
table <bad-hosts> persist file "/var/spamd/bad-hosts/bad-hosts.txt"
block quick log on egress from <bad-hosts>
This way, when my system reboots, pf is immediately updated with the
"bad-hosts"...
My tiny shell script hacked together @ 2:00 am:
#!/bin/sh
# Dump the live <bad-hosts> table to a temp file, then install it as the
# persist file that pf loads at boot. Only replace the saved file when the
# dump succeeded, so a pfctl failure cannot truncate the existing list.
# mktemp avoids the predictable /tmp/bad.$$ name; the trap cleans up on
# every exit path.
tmp=$(mktemp /tmp/bad.XXXXXXXX) || exit 1
trap 'rm -f "$tmp"' EXIT
if pfctl -t bad-hosts -T show > "$tmp"; then
    cp "$tmp" /var/spamd/bad-hosts/bad-hosts.txt
    exit 0
fi
exit 1
Cheers,
Steve
On 01/08/2017 9:34 AM, Markus Wernig wrote:
Hi all
I have a pair of OBSD 6.1 firewalls, on which some rules require source
tracking, i.e. have a max-src-conn or similar statement as in:
pass log quick on { em0 vlan1 } inet proto tcp from any to
<webservers> port { 80, 443 } modulate state ( max-src-conn 50,
max-src-conn-rate 25/5, overload <flooders> flush global )
This works perfectly, any hosts that surpass that limit get blocked.
But on the other hand, the Sources table (as seen with pfctl -s Sources)
keeps growing. With every allowed connection, there are two new entries.
And it seems that the Sources table expands in one direction only. I.e.
even long after the relative connection has been flushed from the state
table, there are still the entries in the Sources table.
No matter what happens, the Sources keep expanding until the src-nodes
hard limit is reached. At which point only a reboot will help.
I've tried to flush them with pfctl -F Sources, but without success:
wall0101 # pfctl -s Sources | wc -l
512
wall0101 # pfctl -F Sources
source tracking entries cleared
wall0101 # pfctl -s Sources | wc -l
514
Is there any reason (presumably in my ruleset, but didn't find it) that
would keep entries in the Sources table from being cleared?
Shouldn't the tracking entries be removed when the corresponding states
are flushed and shouldn't pfctl -F Sources clear the Sources table?
Thx /markus
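An added example, not from either poster: a small check that reports how close the source-tracking entries are to the src-nodes hard limit, so the "only a reboot will help" state described above can be caught early. The input formats mirror pfctl -s memory and pfctl -s Sources, the sample data is constructed, and WARN_PCT is an assumed threshold.

```sh
#!/bin/sh
# Added example, not from the thread: report how close pf source-tracking
# entries are to the src-nodes hard limit. Input formats mirror
# "pfctl -s memory" and "pfctl -s Sources"; the sample data below is
# constructed. WARN_PCT is an assumed threshold.
WARN_PCT=${WARN_PCT:-80}

# Read "pfctl -s memory" output on stdin and print the src-nodes hard limit.
src_nodes_limit() {
    awk '$1 == "src-nodes" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Read "pfctl -s Sources" output on stdin and count entries, one per
# non-empty line (the same count "pfctl -s Sources | wc -l" gives above).
src_nodes_count() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Print "used/limit pct%"; return 0 below WARN_PCT, 1 at or above it,
# 2 if the limit could not be parsed.
src_nodes_check() {
    used=$1; limit=$2
    case $limit in
        ''|*[!0-9]*) echo "src-nodes hard limit not found" >&2; return 2 ;;
    esac
    pct=$(( used * 100 / limit ))
    printf '%d/%d %d%%\n' "$used" "$limit" "$pct"
    [ "$pct" -lt "$WARN_PCT" ]
}

# Constructed stand-ins for the real command output, so this runs offline.
SAMPLE_MEMORY='states        hard limit    100000
src-nodes     hard limit     10000
frags         hard limit      1024
tables        hard limit      1000
table-entries hard limit    200000'
SAMPLE_SOURCES='192.0.2.10 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/0s )
192.0.2.11 -> 0.0.0.0 ( states 2, connections 2, rate 0.0/0s )
198.51.100.7 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/0s )'

# On a real pf host, replace the samples with the live commands (root/doas):
#   src_nodes_check "$(pfctl -s Sources | src_nodes_count)" \
#                   "$(pfctl -s memory | src_nodes_limit)"
src_nodes_check "$(printf '%s\n' "$SAMPLE_SOURCES" | src_nodes_count)" \
                "$(printf '%s\n' "$SAMPLE_MEMORY" | src_nodes_limit)"
```

Run it from cron and act on a non-zero exit, for example by alerting or by flushing the overload table before the hard limit is hit.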