Thread: pfctl -e and pfctl -d kills all connections

pfctl -e and pfctl -d kills all connections
2007-09-19 12:42:51
Hello Guys,

Here are my full rules.

When I pfctl -e or pfctl -d all connections will die.

FreeBSD IM.WeArab.Net 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Tue Sep 18 10:06:42 CDT 2007     arabian@IM.WeArab.Net:/usr/obj/usr/src/sys/IM  i386


ext_if="fxp0"
int_if="lo0"
tcp_services = "{ domain, www, 123, 3306 }"
udp_services = "{ domain, 123, 514 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24,
              240.0.0.0/4 }"
icmp_types = "8"
table <bruteforce> persist
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
set fingerprints "/etc/pf.os"
#scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if all reassemble tcp
antispoof for $ext_if inet
antispoof for $int_if
block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from <bruteforce> to any
block quick from any to <bruteforce>
# Pass ICMP type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types
pass proto udp to any port $udp_services
# Public TCP services on the external interface: SYN-proxied, and sources
# that exceed the connection limits are added to <bruteforce>
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 200, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
pass out proto tcp to any flags S/SA
pass out proto { udp, icmp } to any
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626
# End


Do you know the cause?

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: pfctl -e and pfctl -d kills all connections
2007-09-19 13:41:06
On Wednesday 19 September 2007, Abdullah Ibn Hamad Al-Marri wrote:
> Hello Guys,
>
> Here are my full rules.
>
> When I pfctl -e or pfctl -d all connections will die.

... "rules with synproxy state"

> Do you know the cause?

See above.  Using "synproxy state" causes pf to complete the 3WHS before
contacting the other endpoint, hence it has to translate all future
sequence numbers for this connection.  If you disable pf, the translation
goes away and the connection dies.  The same thing happens if you
use "modulate state".

For the "pfctl -e" case:  The pf in CURRENT uses "keep state flags S/SA"
by default for any TCP pass rule.  That means that it will only match on
the initial SYN that starts the connection.  The rest of the connection
is then passed based on the state entry.  Consequently any pre-existing
connection will not have a state entry and be blocked.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
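A small model of the two effects described in the reply above, added here as an illustration and not part of the thread or of pf itself: the per-connection sequence-number delta that "synproxy state" has to keep applying (and what the endpoints see once pf stops applying it), and the fact that a default TCP pass rule only creates state on a bare SYN. The ISNs, window size and byte counts are constructed values.

```python
"""Why a synproxy'd connection dies on `pfctl -d`, and why a pre-existing
connection is blocked on `pfctl -e`. All numbers below are constructed."""
MOD = 1 << 32
WIN = 65535                                              # receive window for the in-window test
CLIENT_ISN, PROXY_ISN, SERVER_ISN = 1000, 5000, 9_000_000  # constructed ISNs
SYN, ACK = 0x02, 0x10                                    # TCP flag bits

def seq_in_window(seq, rcv_nxt, win=WIN):
    """RFC 793 window test with 32-bit wraparound: rcv_nxt <= seq < rcv_nxt + win."""
    return (seq - rcv_nxt) % MOD < win

def ack_acceptable(ack, snd_una, snd_nxt):
    """An ACK must cover data sent but not yet acknowledged: snd_una < ack <= snd_nxt."""
    return 0 < (ack - snd_una) % MOD <= (snd_nxt - snd_una) % MOD

class SynProxyState:
    """The delta pf must apply to every later segment of a synproxy'd connection:
    the client only ever saw pf's own ISN, the server only knows its own."""
    def __init__(self, proxy_isn, server_isn):
        self.delta = (server_isn - proxy_isn) % MOD
    def server_to_client(self, seq):   # server sequence space -> what the client expects
        return (seq - self.delta) % MOD
    def client_to_server(self, ack):   # client ACK (proxy space) -> server sequence space
        return (ack + self.delta) % MOD

def steady_state_exchange(pf_enabled, server_bytes=200):
    """One server data segment and the client's ACK for it, with pf translating or not.
    Returns (client accepted the server's data, server accepted the client's ACK)."""
    st = SynProxyState(PROXY_ISN, SERVER_ISN)
    client_rcv_nxt = PROXY_ISN + 1               # handshake was completed by pf, not the server
    server_snd_una = SERVER_ISN + 1
    server_snd_nxt = server_snd_una + server_bytes
    seq = server_snd_una
    if pf_enabled:
        seq = st.server_to_client(seq)
    client_ok = seq_in_window(seq, client_rcv_nxt)
    # The client acks in proxy space; if it accepted nothing it can only repeat its old ACK.
    ack = client_rcv_nxt + (server_bytes if client_ok else 0)
    if pf_enabled:
        ack = st.client_to_server(ack)
    server_ok = ack_acceptable(ack, server_snd_una, server_snd_nxt)
    return client_ok, server_ok

def default_tcp_rule_creates_state(tcp_flags):
    """pf's default `flags S/SA keep state`: only a segment with SYN set and ACK clear
    creates state, so a mid-stream segment seen right after `pfctl -e` matches no
    state entry and is blocked by the `block in` rule."""
    return tcp_flags & (SYN | ACK) == SYN
```

With pf enabled both directions are accepted; with pf disabled the server's data lands far outside the client's window and the client's ACK is meaningless to the server, which is the dead connection the thread describes.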