Hi all,

I have a pair of OBSD 6.1 firewalls, on which some rules require source tracking, i.e. have a max-src-conn or similar statement, as in:

    pass log quick on { em0 vlan1 } inet proto tcp from any to <webservers> port { 80, 443 } modulate state ( max-src-conn 50, max-src-conn-rate 25/5, overload <flooders> flush global )

This works perfectly: any hosts that surpass that limit get blocked. But on the other hand, the Sources table (as seen with pfctl -s Sources) keeps growing. With every allowed connection, there are two new entries. And it seems that the Sources table expands in one direction only, i.e. even long after the relative connection has been flushed from the state table, the entries are still in the Sources table. No matter what happens, the Sources keep expanding until the src-nodes hard limit is reached, at which point only a reboot will help.

I've tried to flush them with pfctl -F Sources, but without success:

    wall0101 # pfctl -s Sources | wc -l
    512
    wall0101 # pfctl -F Sources
    source tracking entries cleared
    wall0101 # pfctl -s Sources | wc -l
    514

Is there any reason (presumably in my ruleset, but I didn't find it) that would keep entries in the Sources table from being cleared? Shouldn't the tracking entries be removed when the corresponding states are flushed, and shouldn't pfctl -F Sources clear the Sources table?

Thx
/markus
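As an added illustration (not part of the original post, and not run on the poster's firewalls), the script below shows how one can watch the src-nodes situation described above before the hard limit is hit: it parses pfctl -s Sources output to count entries that hold no state at all, reads the src-nodes hard limit from pfctl -s memory, and reports when usage crosses a threshold. The sample outputs embedded in it are constructed, and the line formats assumed ("src -> dst ( states N, connections N, rate X/Ys )" and "src-nodes hard limit N") are an assumption about pfctl's output layout; on a live box replace the samples with the real commands, as shown in the comments.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s Sources` output (assumed format, not captured
# from the poster's firewall). 192.0.2.0/24 etc. are documentation addresses.
SAMPLE_SOURCES='192.0.2.10 -> 0.0.0.0 ( states 2, connections 2, rate 0.0/0s )
192.0.2.11 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/0s )
198.51.100.7 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/0s )
203.0.113.4 -> 0.0.0.0 ( states 1, connections 1, rate 3.0/5s )'

# Constructed sample of `pfctl -s memory` output (assumed format).
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit      512
frags         hard limit     1024'

# Count all source-tracking entries on stdin (one entry per non-empty line).
count_src_nodes() {
    awk 'NF { n++ } END { print n+0 }'
}

# Count entries that no longer hold any state ("states 0"): these are the
# ones the poster would expect to have been removed with their states.
count_idle_src_nodes() {
    awk '/\( states 0,/ { n++ } END { print n+0 }'
}

# Print the source address of each idle entry, e.g. to compare against the
# overload table (pfctl -t flooders -T show).
list_idle_src_nodes() {
    awk '/\( states 0,/ { print $1 }'
}

# Extract the src-nodes hard limit from `pfctl -s memory` output on stdin.
src_node_limit() {
    awk '$1 == "src-nodes" && $2 == "hard" { print $NF }'
}

# near_limit USED LIMIT PCT: succeed (exit 0) when USED >= PCT percent of LIMIT.
near_limit() {
    [ $(( $1 * 100 )) -ge $(( $2 * $3 )) ]
}

# On a live firewall use:
#   used=$(pfctl -s Sources | count_src_nodes)
#   limit=$(pfctl -s memory | src_node_limit)
# Here the constructed samples stand in for the pfctl calls.
used=$(printf '%s\n' "$SAMPLE_SOURCES" | count_src_nodes)
idle=$(printf '%s\n' "$SAMPLE_SOURCES" | count_idle_src_nodes)
limit=$(printf '%s\n' "$SAMPLE_MEMORY" | src_node_limit)

echo "src-nodes in use: $used (idle: $idle), hard limit: $limit"
if near_limit "$used" "$limit" 80; then
    echo "WARNING: src-nodes above 80% of hard limit; idle entries:"
    printf '%s\n' "$SAMPLE_SOURCES" | list_idle_src_nodes
fi
```

Run periodically from cron, this gives an early warning instead of finding out when new connections start being refused at the hard limit; the idle list is also a quick way to check whether the entries that linger belong to hosts that were pushed into the overload table.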