Problem with stateful tracking option "overload flush"

Fri, 27 Aug 2010 19:44:53 -0700

Hello

I have been having a problem trying to use the stateful tracking option
"overload <TABLE> flush" in OpenBSD 4.7. My system is an i386 GENERIC system,
running as a vmware guest under Windows XP (dmesg output below).

For the purpose of this posting I'm using the following ruleset:

  set skip on lo
  block drop all
  block drop quick from <BLACKLIST> to any
  pass out on egress inet all
  pass in inet proto tcp from any to (self) port ssh keep state \
      (max 20, max-src-conn-rate 2/20, overload <BLACKLIST> flush)

My understanding of the pf.conf(5) manual is that if the connection
rate is exceeded, the offending source host will be added to
the <BLACKLIST> table, and all states created by the matching rule
which originate from the offending host will be killed.

I tested the ruleset by ssh'ing from the vmware host into the vmware
guest (OpenBSD 4.7). After the 2nd ssh session is logged in, the OpenBSD
system will not accept any more connections (expected behaviour), but the
first two sessions remain operational; in other words, the states have not
been killed.

The problem I'm seeing is that while IP addresses are added to
<BLACKLIST> when the connection rate is exceeded, the flush option has no
effect. I tried "flush global" as well, but that made no difference. I also
tried "synproxy state" and "modulate state" to no avail.

Would someone know if there is an error in my understanding, in my
ruleset, or whether this is a problem?

By the way, I also tried the same ruleset on each stable distribution
back to 4.2. I get the behaviour described in the manual on 4.2 and
4.3, but from 4.4 onwards the flush does not seem to have any effect.

Finally, an apology. I previously posted this on p...@benzedrine.cx
a week ago, but haven't had any replies, hence the posting to misc.

Kind regards
Robert
-------------------------------------------

OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
real mem  = 804810752 (767MB)
avail mem = 771084288 (735MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/15/08, BIOS32 rev. 0 @ 0xfd780, SMBIOS rev. 2.4 @ 0xe4010 (45 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 08/15/2008
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP BOOT APIC
acpi0: wakeup devices PCI0(S3) USB_(S1) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 65MHz
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpibat0 at acpi0: BAT1 not present
acpibat1 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xdc000/0x4000! 0xe4000/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
wd1 at pciide0 channel 0 drive 1: <VMware Virtual IDE Hard Drive>
wd1: 64-sector PIO, LBA, 8192MB, 16777216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <NECVMWar, VMware IDE CDR10, 1.00> ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x00: apic 1 int 19 (irq 9)
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus disabled
vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 16 function 0 "Intel PRO/1000MT (82545EM)" rev 0x01: apic 1 int 17 (irq 11), address 00:0c:29:68:ad:ef
eap0 at pci0 dev 17 function 0 "Ensoniq AudioPCI97" rev 0x02: apic 1 int 18 (irq 10)
ac97: codec id 0x43525913 (Cirrus Logic CS4297A rev 3)
audio0 at eap0
midi0 at eap0: <AudioPCI MIDI UART>
ehci0 at pci0 dev 18 function 0 "VMware Virtual EHCI" rev 0x00: apic 1 int 19 (irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "VMware EHCI root hub" rev 2.00/1.00 addr 1
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
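As an added illustration (this is neither Robert's ruleset nor OpenBSD's pf code), the Python model below implements the max-src-conn-rate / overload / flush semantics that pf.conf(5) describes, so the outcome the poster expected can be compared for "flush" and "flush global". The rule ids, the addresses 10.0.0.5 and 10.0.0.9, the timestamps and the extra http state are all constructed sample data:

```python
"""Toy model of pf's stateful-tracking options max-src-conn-rate,
overload <table> and flush / flush global, as described in pf.conf(5).
Added illustration, not OpenBSD code: it models only the documented
semantics and uses constructed sample addresses and timestamps."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class State:
    rule_id: int    # id of the pass rule that created the state
    src: str        # source address of the connection
    dst_port: int


class OverloadRule:
    """One 'pass in ... keep state (max-src-conn-rate N/S, overload <T> flush)' rule."""

    def __init__(self, rule_id, dst_port, max_conns, window_seconds, flush_global=False):
        self.rule_id = rule_id
        self.dst_port = dst_port
        self.max_conns = max_conns
        self.window = window_seconds
        self.flush_global = flush_global
        self.table = set()                  # the overload table, e.g. <BLACKLIST>
        self._recent = defaultdict(deque)   # src -> timestamps of new connections

    def new_connection(self, states, src, now):
        """Evaluate a new connection attempt from src at time `now`.

        Returns True if a state is created, False if the packet is dropped.
        `states` is the shared state table (a list); a flush removes entries
        from it in place."""
        # 'block drop quick from <BLACKLIST>' is evaluated before the pass rule.
        if src in self.table:
            return False
        recent = self._recent[src]
        # Forget connection attempts older than the rate window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) > self.max_conns:
            # Rate exceeded: add the source to the table and flush its states.
            self.table.add(src)
            states[:] = [s for s in states if not self._flush_matches(s, src)]
            return False
        states.append(State(self.rule_id, src, self.dst_port))
        return True

    def _flush_matches(self, state, src):
        if state.src != src:
            return False
        # 'flush' kills only states this rule created; 'flush global' kills
        # every state from the offending source, whichever rule created it.
        return self.flush_global or state.rule_id == self.rule_id


def run_scenario(flush_global):
    """Constructed timeline: 10.0.0.5 opens ssh sessions faster than 2 per 20 s."""
    states = []
    ssh = OverloadRule(rule_id=1, dst_port=22, max_conns=2, window_seconds=20,
                       flush_global=flush_global)
    decisions = []
    decisions.append(ssh.new_connection(states, "10.0.0.5", now=0))   # 1st ssh: allowed
    decisions.append(ssh.new_connection(states, "10.0.0.9", now=1))   # other host: allowed
    # A state created by a different rule (say, http) from the same host.
    states.append(State(rule_id=2, src="10.0.0.5", dst_port=80))
    decisions.append(ssh.new_connection(states, "10.0.0.5", now=5))   # 2nd ssh: allowed
    decisions.append(ssh.new_connection(states, "10.0.0.5", now=9))   # 3rd within 20 s: overload
    decisions.append(ssh.new_connection(states, "10.0.0.5", now=10))  # now blocked by the table
    return {
        "decisions": decisions,
        "blacklist": set(ssh.table),
        "remaining": sorted((s.rule_id, s.src, s.dst_port) for s in states),
    }


if __name__ == "__main__":
    for fg in (False, True):
        print("flush global" if fg else "flush", run_scenario(fg))
```

With plain "flush" the model keeps the other host's ssh state and the offending host's http state; with "flush global" only the other host's state survives. On a live system the equivalent check is `pfctl -t BLACKLIST -T show` for the table contents and `pfctl -ss` for the state list before and after the third connection attempt, which is what distinguishes "the flush killed nothing" from "the flush killed only this rule's states".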
