Hi all. I just recently started using OpenBSD 4.4 since I wanted to use "pf" for a firewall. I usually use FreeBSD, but had problems with their implementation of relayd. Anyway...here's my problem. I'm running 2 boxes, using CARP and pfsync for failover, and relayd for load balancing incoming connections to multiple servers. It works great. Now, I'm trying to get pf to limit the incoming connections from any one source to no more than X simultaneous connections (with the thought that on the X+1 connection, it gives a connection refused or timeout or something). According to lots of stuff I've read, this SHOULD work fine...but I've been struggling for 2 days now with it. I've taken the 2nd firewall box out of the equation, so right now here's what I have:
                Internet
                   |
                   |
          Firewall (pf & relayd)
  (1.2.3.4, port 25 set up to load balance between 2 servers)
                   |
                   |
        ----------------------------------
        |                                |
     Server 1                         Server 2

When I connect to 1.2.3.4 on port 25 the first time it connects me to Server1, when I connect a second time from the same host, it connects me to Server2 (as expected), now when I try a 3rd connection (which shouldn't be allowed) telnet says it connects, and a packet capture shows a full 3-way handshake, but the mail server never makes it past sending its SYN+ACK. My understanding from the pf.conf man page was that given the config below, by using the max-src-conn option, it would deny any more connections. I'm pulling my hair out here with this...can someone please shed some light on this for me? I'm new at pf...so my whole rule set may not even "make sense" and be redundant in some cases, but I can't see what would be causing this. It's almost as if the workstation making the connection is handshaking with pf and/or relayd. Thanks in advance. Any input would be greatly appreciated!
--Brian

My relayd.conf:
---start---
relayd_addr="1.2.3.4"
relayd_port="25"
relayd_int="fxp0"
table <mail_servers> {192.168.8.2,192.168.8.3}
mail_servers_port="25"

interval 20
timeout 5000
prefork 25
log updates

redirect mail_servers {
        listen on $relayd_addr port $relayd_port interface $relayd_int
        forward to <mail_servers> port $mail_servers_port mode roundrobin check tcp
}
---end---

My pf.conf:
---start---
extif = "fxp0"
intif = "fxp1"
udp_services = "{domain,ntp}"
icmp_types = "{echoreq,echorep,unreach,trace}"
mail_servers = "{192.168.8.2,192.168.8.3}"

nat on fxp0 from $intif:network to any -> 1.2.3.4
rdr-anchor "relayd/*"

#deny all by default
block log all
antispoof for $extif

pass log on fxp1 inet proto tcp from any to $mail_servers port 25
pass log on fxp0 inet proto tcp from any to $mail_servers port 25 keep state (max-src-conn 1)
pass log from 192.168.8.0/21 to any keep state
pass out log from $extif to any
pass log proto udp to any port $udp_services
pass in log proto tcp from any to $extif port ssh
pass in log from $intif:network to ($intif)
pass out log on $extif inet proto udp from any to any port 33433 >< 33626 keep state (no-sync)
pass log inet proto icmp all icmp-type $icmp_types keep state (no-sync)
---end---

-- 
_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
Brian McCann
"I don't have to take this abuse from you -- I've got hundreds of people
waiting to abuse me." -- Bill Murray, "Ghostbusters"
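An added example (Python; not from the post or from OpenBSD) that models the two pf behaviours that decide what the ruleset above actually expresses for an inbound SMTP connection: filter rules are evaluated after the relayd rdr has already rewritten the destination to a backend, the last matching rule wins (no `quick` is used here), and `max-src-conn N` refuses further connections from a source once it holds N established connections under that rule. The rules are the posted ones with macros expanded; the client address 203.0.113.7 and the fxp1 address 192.168.8.1 are constructed placeholders, and the model ignores pf's real state machine, so it shows what the config says, not what the poster observed.

```python
"""Toy model of pf rule evaluation and max-src-conn for the posted ruleset.
The client and the fxp1 address below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out", or None for both
    iface: Optional[str] = None          # None matches any interface
    proto: Optional[str] = None          # None matches any protocol
    src: Optional[str] = None            # CIDR; None is 'any'
    dst: Tuple[str, ...] = ()            # CIDRs; () is 'any'
    dport: Tuple[int, ...] = ()          # ports; () is 'any'
    max_src_conn: Optional[int] = None   # cap on established connections per source

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """Field-by-field match; every unset rule field acts as a wildcard."""
    return ((rule.direction in (None, pkt.direction))
            and (rule.iface in (None, pkt.iface))
            and (rule.proto in (None, pkt.proto))
            and (rule.src is None or ip_address(pkt.src) in ip_network(rule.src))
            and (not rule.dst or any(ip_address(pkt.dst) in ip_network(n) for n in rule.dst))
            and (not rule.dport or pkt.dport in rule.dport))

def last_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf walks the whole ruleset; without 'quick', the last matching rule decides."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
    return winner

MAIL = ("192.168.8.2/32", "192.168.8.3/32")          # $mail_servers
EXT = "1.2.3.4/32"                                   # $extif as an address
INT_NET, INT_ADDR = "192.168.8.0/21", "192.168.8.1/32"   # $intif:network, ($intif); INT_ADDR assumed
RULES = [
    Rule("block"),                                                      # block log all
    Rule("pass", iface="fxp1", proto="tcp", dst=MAIL, dport=(25,)),     # pass log on fxp1 ...
    Rule("pass", iface="fxp0", proto="tcp", dst=MAIL, dport=(25,), max_src_conn=1),
    Rule("pass", src=INT_NET),                                          # pass log from 192.168.8.0/21
    Rule("pass", direction="out", src=EXT),                             # pass out log from $extif
    Rule("pass", proto="udp", dport=(53, 123)),                         # $udp_services
    Rule("pass", direction="in", proto="tcp", dst=(EXT,), dport=(22,)), # ssh to $extif
    Rule("pass", direction="in", src=INT_NET, dst=(INT_ADDR,)),         # $intif:network to ($intif)
]

class SourceTracker:
    """Per (rule, source) count of established connections, the quantity max-src-conn caps."""
    def __init__(self) -> None:
        self.established = {}

    def admits(self, rule: Rule, src: str) -> bool:
        cap = rule.max_src_conn
        return cap is None or self.established.get((rule, src), 0) < cap

    def handshake_done(self, rule: Rule, src: str) -> None:
        self.established[(rule, src)] = self.established.get((rule, src), 0) + 1

def smtp_attempts(n: int, client: str = "203.0.113.7") -> List[Tuple[str, str]]:
    """n connections from one client to 1.2.3.4:25. relayd's rdr picks a backend
    round-robin BEFORE filtering, so the filter rules see the backend as destination."""
    backends = cycle(["192.168.8.2", "192.168.8.3"])
    tracker, verdicts = SourceTracker(), []
    for _ in range(n):
        backend = next(backends)
        rule = last_match(RULES, Packet("in", "fxp0", "tcp", client, backend, 25))
        if rule is not None and rule.action == "pass" and tracker.admits(rule, client):
            tracker.handshake_done(rule, client)   # connection establishes and now counts
            verdicts.append((backend, "pass"))
        else:
            verdicts.append((backend, "refused"))
    return verdicts

if __name__ == "__main__":
    for i, (backend, verdict) in enumerate(smtp_attempts(3), 1):
        print(f"connection {i}: rdr -> {backend}: {verdict}")
```

Running it shows that, as written, the fxp0 rule with `max-src-conn 1` is the governing rule for every redirected SMTP connection and would refuse the second one, while the same connection leaving on fxp1 is governed by the unlimited fxp1 rule; a SYN to 1.2.3.4:25 that had not been translated by the relayd anchor would fall to `block log all`. On the firewall itself, `pfctl -vsr` shows per-rule evaluation and state counters and `pfctl -sS` shows the source-tracking table, which tells you whether the limited rule is the one creating the states.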