
RE: PF related crash? (fwd)

On Fri, 21 Feb 2003, Glen MacAfee wrote:
> IPsExt = "xx.xx.xx.0/24"
First, please always filter out real address information on public
lists.  While we're all here to help, that doesn't stop folks who have
bad motives from getting this off the archives.
> # Part 2 -- Options
> #set limit { states 2000, frags 2000 }
> #set loginterface $IfExt
> # Will changing the line below from aggressive to normal help?
> set optimization aggressive
> #set timeout { tcp.opening 6, tcp.closing 6 }
> #set timeout tcp.closing 300, other.first 100
Ok, you've set aggressive timeouts with the "aggressive" option, but you
aren't limiting your states or frags.  Knowing you're only running 48MB
of RAM, it's not unreasonable to assume you're running out of memory. 
You need to determine how much free RAM you have (excluding PF states),
then limit states based on that amount.  The calculation is roughly 1k
states == 1MB RAM.
> # Part 4 -- Packet Filter Rules
> #External bridge interface rules -- allow all in, filter on internal
> # In bridge mode, we only filter on one interface.
> pass in quick on $IfExt all
> pass out quick on $IfExt all
Ok, you need to study the PF documentation (FAQ, manpages, howto, etc). 
PF is a "last rule matches" firewall.  HOWEVER, you've already put in
the "quick" option on your first 2 rules... pass in and pass out. 
You're letting EVERYTHING through your firewall.  You're effectively
running nothing but a bridge... all the rules that follow are ignored by
the match engine, thanks to those 2 quick rules.
> block in log on $IfInt all
And this is the last rule in your set.  Provided you had NO quick
options in all the preceding rules, you would have just blocked
EVERYTHING inbound from your internal network.  But even that's
irrelevant at this point... you're only supposed to filter in ONE
direction on a bridge.  *sigh*
Try the following ruleset.  Note that the $IPsExt needs to be defined,
and you'll probably want to redefine $fw_services (stuff allowed into
your firewall/bridge host), $udp_allowed (udp traffic allowed into your
internal hosts), and $tcp_allowed (tcp traffic allowed into your
internal hosts).  ALSO NOTE that $udp_allowed and $tcp_allowed are only
defined to allow incoming traffic initiated from the outside... stuff
you are running internal servers for, IOW.  You do NOT need to allow
UDP/DNS traffic explicitly just for your internal hosts' resolution...
that is allowed and tracked by the outgoing UDP state rule.
The "modulate state" option in the TCP section is only necessary if you
need to protect hosts with weak TCP implementations.  If you're running
primarily Linux 2.4 and OpenBSD hosts, you only need to "keep state". 
Otherwise, and particularly if you're running Windows hosts, go ahead
and use "modulate state".
Please take some time to study this ruleset and learn what and why it
does what it does.  Reference the manpages to clarify what an option
means.  And for the LOVE OF GOD, please unplug this box from the
internet ASAP until you get the ruleset fixed... you're running a
wide-open bridge.  :)
# Macros
# Change the following network address to suit your needs
# Define the following sample services
fw_services="{ ssh }"
udp_allowed="{ }"
tcp_allowed="{ http, smtp, https, ssh }"
# Stuff that shouldn't cross our network
bad_blocks="{,,,,,,,, }"
# Options
set limit { states 16000, frags 8000 }
set loginterface $IfExt
set optimization aggressive
# Packet Normalization
scrub in all
# Default block
block out log on $IfExt all
block in log on $IfExt all
block return-rst out log on $IfExt proto tcp all
block return-rst in log on $IfExt proto tcp all
block return-icmp out log on $IfExt proto udp all
block return-icmp in log on $IfExt proto udp all
# Block unwanted
block in quick on $IfExt from to any
block in quick on $IfExt from any to
block in quick on $IfExt from $bad_blocks to any
block in quick on $IfExt from any to $bad_blocks
# Allow certain icmp connections
pass out on $IfExt inet proto icmp all keep state
pass in on $IfExt inet proto icmp all icmp-type 8 code 0 keep state
# Allow certain udp connections
pass out on $IfExt proto udp all keep state
pass in on $IfExt proto udp from any to any port $udp_allowed keep state
# Allow certain tcp connections
pass out on $IfExt proto tcp all modulate state
pass in on $IfExt inet proto tcp from any to ($IfExt) port $fw_services flags S/SA keep state
pass in on $IfExt proto tcp from any to any port $tcp_allowed flags S/SA modulate state
> -----Original Message-----
> From: owner-pf@benzedrine.cx [mailto:owner-pf@benzedrine.cx]On Behalf Of
> Wouter Clarie
> Sent: Saturday, February 22, 2003 04:21
> To: pf@benzedrine.cx
> Subject: Re: PF related crash?
> On Fri, 21 Feb 2003, Glen MacAfee wrote:
> > I'm getting crashes whenever I put a heavy load on the fw/bridge that I have
> > set up.  I'm not sure if the issue is memory or otherwise--my guess is it's
> > PF-related; is there any way to be sure?
> > I'm running OBSD 3.2 on an NEC PowerMate V166e (Pentium 166) with 48MB RAM,
> > 2 Intel Pro/100 (S?) NICs.  Any suggestions?
> Yes: post dmesg, ruleset, crash trace & ps,... What you gave us now is not
> sufficient.
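The "last rule matches, unless it says quick" behaviour that the reply hinges on, as an added example that is not code from the list or from OpenBSD: a toy Python evaluator run over the poster's two quick pass-all rules and an abbreviated, constructed version of the suggested block-by-default layout. Interface and macro names come from the thread; the model only looks at direction, interface and protocol, so address, port, flags and state clauses are ignored.

```python
"""Toy model of PF rule evaluation: the last matching rule wins, unless a
matching rule says 'quick', which decides at once.  Added example, not
code from the pf list; it models only direction, interface and protocol
('from/to/port/flags/state' clauses are ignored)."""


def parse_rule(line):
    """Return a dict for one pf.conf filter rule (subset of the syntax)."""
    t = line.split()
    return {
        "action": t[0],                                   # pass / block
        "dir": next(x for x in t if x in ("in", "out")),
        "quick": "quick" in t,
        "iface": t[t.index("on") + 1] if "on" in t else None,
        "proto": t[t.index("proto") + 1] if "proto" in t else None,
    }


def matches(r, direction, iface, proto):
    return (r["dir"] == direction and r["iface"] in (None, iface)
            and r["proto"] in (None, proto))


def evaluate(rules, direction, iface, proto):
    """Return (action, index of deciding rule); PF passes when nothing matches."""
    winner = None
    for i, r in enumerate(rules):
        if matches(r, direction, iface, proto):
            winner = i                   # last match so far
            if r["quick"]:
                break                    # 'quick': stop evaluating here
    return ("pass", None) if winner is None else (rules[winner]["action"], winner)


def unreachable(rules):
    """Indices of rules never consulted because an earlier 'quick' rule with
    no protocol restriction already decides that interface/direction."""
    return [j for j, r in enumerate(rules) if any(
        q["quick"] and q["proto"] is None and q["dir"] == r["dir"]
        and q["iface"] in (None, r["iface"]) for q in rules[:j])]


# Constructed rulesets: the poster's 'quick' pass-all pair, and the
# reply's block-by-default layout (abbreviated to four rules).
QUICK_PASS = [parse_rule(l) for l in (
    "pass in quick on $IfExt all",
    "pass out quick on $IfExt all")]
FIXED = [parse_rule(l) for l in (
    "block in log on $IfExt all",
    "block out log on $IfExt all",
    "pass out on $IfExt proto tcp all modulate state",
    "pass in on $IfExt proto tcp from any to any port $tcp_allowed")]
```

With the block-first layout an inbound TCP packet is decided by the later pass rule (last match), an inbound UDP packet by the default block; prepend the poster's quick pair and `unreachable()` reports every one of those four rules as dead.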