Hello,
we found our problem :). The ruleset now looks like the following on the
primary.
...
# DNS dns
pass in on $ext_if proto { TCP, UDP } from any to PRIMARY port 53 no state
pass in on $ext_if proto { TCP, UDP } from any to PRIMARY port > 1023 no state
...
# DNS dns
pass out on $ext_if proto { TCP, UDP } from PRIMARY to any port 53 no state
pass out on $ext_if proto { TCP, UDP } from PRIMARY to any port > 1023 no state
...
I completely forgot the "> 1023" for "no state" connections.
Many thanks for helping us!
Regards
Sébastien Maerker
--
Sébastien Maerker
Continum AG
Bismarckallee 7b-d
79098 Freiburg i. Br.
Tel. +49 761 217 111-77
Fax. +49 761 217 111-99
http://www.continum.net
Sitz der Gesellschaft: Freiburg im Breisgau
Registergericht: Amtsgericht Freiburg, HRB 6866
Vorstand: Rolf Mathis, Volker T. Mueller
Vorsitzender d. Aufsichtsrats: Prof. Dr. Karl-F. Fischbach
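The following is an added example, not code from this thread or from OpenBSD: a small Python model of how PF evaluates `pass ... no state` rules (last matching rule wins when no `quick` is used; a default `block` policy is assumed, as is a placeholder address for the PRIMARY macro). It replays a client query and its reply, and a query the primary itself sends out and its answer, against the three rulesets discussed above: the original stateful rules, the stateless port-53-only rules that broke DNS, and the fixed rules with `port > 1023`. It also carries through the state-table arithmetic from Steven's reply (1 Gbps of 96-byte frames, 10 second expiry). Packet values, the client and server addresses and the ports are constructed for the example.

```python
"""Toy model of PF rule evaluation for the DNS rules in this thread.

Constructed example, not OpenBSD code.  It evaluates a rule list in PF
order (last match wins, no 'quick'), keeps a toy state table for rules
without 'no state', and blocks anything no pass rule matches (assumed
default-block policy).
"""
from dataclasses import dataclass

PRIMARY = "192.0.2.53"  # stand-in for the thread's PRIMARY macro (assumed)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" on $ext_if
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    protos: tuple
    src: str        # "any" or an address
    dst: str        # "any" or an address
    dport: str      # "53" or ">1023", mirroring the pf.conf syntax
    keep_state: bool

    def matches(self, p):
        if p.direction != self.direction or p.proto not in self.protos:
            return False
        if self.src != "any" and p.src != self.src:
            return False
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.dport == ">1023":
            return p.dport > 1023
        return p.dport == int(self.dport)


class Filter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def _key(self, p):
        # Direction-independent 5-tuple so the reply matches the query's state.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def decide(self, p):
        # A state entry passes both directions without consulting the rules.
        if self._key(p) in self.states:
            return "pass (state)"
        last = None
        for r in self.rules:          # last matching rule wins
            if r.matches(p):
                last = r
        if last is None:
            return "block"
        if last.keep_state:
            self.states.add(self._key(p))
        return "pass (rule)"


def dns_rules(stateless, high_ports):
    """The thread's rulesets: stateful, stateless port 53 only, or with > 1023."""
    keep = not stateless
    rs = [Rule("in", ("tcp", "udp"), "any", PRIMARY, "53", keep),
          Rule("out", ("tcp", "udp"), PRIMARY, "any", "53", keep)]
    if high_ports:
        rs += [Rule("in", ("tcp", "udp"), "any", PRIMARY, ">1023", keep),
               Rule("out", ("tcp", "udp"), PRIMARY, "any", ">1023", keep)]
    return rs


def client_query(f, client="198.51.100.7", cport=34567):
    """A resolver asks PRIMARY (in) and PRIMARY answers (out)."""
    q = Packet("in", "udp", client, cport, PRIMARY, 53)
    a = Packet("out", "udp", PRIMARY, 53, client, cport)
    return f.decide(q), f.decide(a)


def primary_query(f, server="203.0.113.2", ourport=51000):
    """PRIMARY asks another server (out) and the answer comes back (in)."""
    q = Packet("out", "udp", PRIMARY, ourport, server, 53)
    a = Packet("in", "udp", server, 53, PRIMARY, ourport)
    return f.decide(q), f.decide(a)


def stray_high_port(f, attacker="203.0.113.99"):
    """Unrelated inbound TCP to a high port on PRIMARY: cost of the > 1023 rule."""
    return f.decide(Packet("in", "tcp", attacker, 40000, PRIMARY, 8080))


def states_needed(link_bps, frame_bytes, expiry_s):
    """Worst-case state entries for a link saturated with one-packet flows."""
    pps = link_bps / (frame_bytes * 8)
    return pps * expiry_s


if __name__ == "__main__":
    for name, rs in [("stateful", dns_rules(False, False)),
                     ("stateless 53 only", dns_rules(True, False)),
                     ("stateless 53 + >1023", dns_rules(True, True))]:
        print(name, client_query(Filter(rs)), primary_query(Filter(rs)),
              stray_high_port(Filter(rs)))
    print("states at 1 Gbps, 96 B, 10 s:", int(states_needed(1e9, 96, 10)), "< 2^24:",
          states_needed(1e9, 96, 10) < 2 ** 24)
```

With only the port-53 rules and `no state`, the query is passed by the rule but the reply (from port 53 to the client's high port) matches no outbound rule and nothing in the state table, so it is dropped; the same happens to answers for queries the primary sends out itself. The `> 1023` rules fix both. The model also shows the price: those rules now pass any tcp/udp to every high port on the primary, with no DNS in sight, so anything listening above 1023 on that host is exposed to the outside unless another rule blocks it.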
----- Original Message -----
From: "Sebastien Maerker, Continum" <[email protected]>
To: "Steven Chamberlain" <[email protected]>
CC: "Stuart Henderson" <[email protected]>, [email protected]
Sent: Friday, 9 December 2011 13:50:31
Subject: Re: Problems with OpenBSD 5.0 and PF
Hello,
Thank you for your help, but if we configure the following ruleset for tcp/udp
port 53 on the primary, DNS isn't working anymore at all:
pass in on $ext_if inet proto tcp from any to PRIMARY port 53 no state
pass in on $ext_if inet proto udp from any to PRIMARY port 53 no state
pass out on $ext_if inet proto tcp from PRIMARY to any port 53 no state
pass out on $ext_if inet proto udp from PRIMARY to any port 53 no state
Please, can you help us to find the right ruleset?
Thank you
Sébastien Maerker
----- Original Message -----
From: "Steven Chamberlain" <[email protected]>
To: "Sebastien Maerker, Continum" <[email protected]>
CC: "Stuart Henderson" <[email protected]>, [email protected]
Sent: Thursday, 8 December 2011 16:30:56
Subject: Re: Problems with OpenBSD 5.0 and PF
On 08/12/11 12:01, Sebastien Maerker, Continum wrote:
> Another idea from us is:
> Is it possible to run a ruleset for port 53 udp/tcp and in/out completely
> stateless?
Hi,
I agree it seems strange to keep state for the 'stateless' DNS UDP
protocol. I would be concerned at how easily an attacker could exhaust
the state table by making many queries from randomised source ports and
potentially many IPs (a large botnet, or spoofed).
If -- worst case -- someone were able to saturate a 1Gbps link with
small DNS queries, say 96 bytes each with the Ethernet overheads
included, that's about 1.3m pps. With a 10 second expiry, a state table
of 2^24 = 16777216 entries would still cover it. It should still be
very fast, needing at most 24 matches to locate an entry, but I guess it
would require a lot of memory. (I also wonder if keeping state for IPv6
requires more memory still -- and limiting the max. number of states per
address would be impractical for IPv6).
I would always keep state for tcp. If you choose not to keep state for
udp queries:
pass in on $ext_if inet proto udp from any to PRIMARY port 53 no state
pass out on $ext_if inet proto udp from PRIMARY to any port 53 no state
Remember that any ICMP errors related to this traffic would be blocked
unless you go back to something like what you had before (I don't know
if your list of icmp-types is ideal, but probably covers the ones needed) :
pass in on $ext_if inet proto ICMP all icmp-type { 0, 3, 8, 11, 30 }
pass out on $ext_if inet proto ICMP all icmp-type { 0, 3, 8, 11, 30 }
Regards,
--
Steven Chamberlain
[email protected]