Hello, I have been having a problem trying to use the stateful tracking option "overload <TABLE> flush" in OpenBSD 4.7-stable. My system is an i386 GENERIC system, running as a VMware guest under Windows XP.
Consider the following ruleset:

    set skip on lo
    block drop all
    block drop quick from <BLACKLIST> to any
    pass out on egress inet all
    pass in inet proto tcp from any to (self) port ssh keep state \
        (max 20, max-src-conn-rate 2/20, overload <BLACKLIST> flush)

My understanding of the pf.conf(5) manual is that if the connection rate is exceeded, the offending source host will be added to the <BLACKLIST> table, and all states created by the matching rule which originate from the offending host will be killed.

I tested the ruleset by ssh'ing from the VMware host into the VMware guest (OpenBSD 4.7). After the 2nd ssh session is logged in, the OpenBSD system will not accept any more connections (expected behaviour), but the first two sessions remain operational; in other words, the states have not been killed. I've appended the output of "pfctl -ss -vv".

The problem I'm seeing is that while IP addresses are in fact added to <BLACKLIST> when the connection rate is exceeded, the flush command has no effect. I tried "flush global" as well, but that made no difference. I also tried "synproxy state" and "modulate state" to no avail.

Would someone know if there is an error in my understanding, in my ruleset, or is this a problem?

By the way, I also tried the same ruleset on each stable distribution back to 4.2. I get the behaviour described in the manual on 4.2 and 4.3, but from 4.4 onwards the flush does not seem to have any effect.
Kind regards
Robert Mills

-------------------------------------------
FILTER RULES:
@0 block drop all
  [ Evaluations: 9         Packets: 4         Bytes: 192         States: 0     ]
  [ Inserted: uid 0 pid 12362 State Creations: 0     ]
@1 block drop quick from <BLACKLIST:1> to any
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12362 State Creations: 0     ]
@2 pass out on egress inet all flags S/SA keep state
  [ Evaluations: 9         Packets: 4         Bytes: 470         States: 0     ]
  [ Inserted: uid 0 pid 12362 State Creations: 2     ]
@3 pass in inet proto tcp from any to (self:2) port = ssh flags S/SA keep state (max 20, source-track rule, max-src-conn-rate 2/20, overload <BLACKLIST> flush, adaptive.start 12, adaptive.end 24, src.track 20)
  [ Evaluations: 9         Packets: 98        Bytes: 14516       States: 2     ]
  [ Inserted: uid 0 pid 12362 State Creations: 3     ]
No queue in use

STATES:
all tcp 192.168.9.133:22 <- 192.168.9.1:1184       ESTABLISHED:ESTABLISHED
   [4060316721 + 65535] [419322259 + 17520]
   age 00:00:50, expires in 23:59:11, 21:27 pkts, 2933:4301 bytes, rule 3, source-track
   id: 4c6def3e00000061 creatorid: d3c137f4
all tcp 192.168.9.133:22 <- 192.168.9.1:1189       ESTABLISHED:ESTABLISHED
   [1683884458 + 65535] [4062748640 + 17520]
   age 00:00:48, expires in 23:59:13, 21:27 pkts, 2933:4253 bytes, rule 3, source-track
   id: 4c6def3e00000063 creatorid: d3c137f4

SOURCE TRACKING NODES:
192.168.9.1 ( states 2, connections 2, rate 0.0/20s )
   age 00:00:50, 98 pkts, 14516 bytes, rule 3

INFO:
Status: Enabled for 0 days 00:00:53           Debug: err
Hostid:   0xd3c137f4
Checksum: 0xace54961a7d232676d422b5a8cf754c7

State Table                          Total             Rate
  current entries                        2
  searches                             529           10.0/s
  inserts                              102            1.9/s
  removals                             100            1.9/s
Source Tracking Table
  current entries                        1
  searches                               3            0.1/s
  inserts                                1            0.0/s
  removals                               0            0.0/s
Counters
  match                                108            2.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              1            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      1            0.0/s
  overload table insertion               1            0.0/s
  overload flush states                  1            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

TABLES:
--a-r--	BLACKLIST
	Addresses:   1
	Cleared:     Fri Aug 20 14:07:29 2010
	References:  [ Anchors: 0                  Rules: 2                  ]
	Evaluations: [ NoMatch: 9                  Match: 0                  ]
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	In/XPass:    [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
	Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

OS FINGERPRINTS:
696 fingerprints loaded
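One way to check for the symptom described in the post (states from a host that has been inserted into the overload table still being alive), added here as an example and not code from the original mail: a POSIX shell function that cross-references the state lines of `pfctl -ss` against the address listing of `pfctl -t BLACKLIST -T show`. The sample outputs below are constructed in the shape of the post's own output, and the table name BLACKLIST is taken from the post's ruleset.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` state lines, modelled on the post's
# output (not captured from a live system). The third state is from a host
# that is not in the table and must not be reported.
SAMPLE_STATES='all tcp 192.168.9.133:22 <- 192.168.9.1:1184       ESTABLISHED:ESTABLISHED
all tcp 192.168.9.133:22 <- 192.168.9.1:1189       ESTABLISHED:ESTABLISHED
all tcp 192.168.9.133:22 <- 192.168.9.50:40100     ESTABLISHED:ESTABLISHED'

# Constructed sample of `pfctl -t BLACKLIST -T show` output.
SAMPLE_TABLE='   192.168.9.1'

# surviving_states TABLE_OUTPUT STATES_OUTPUT
# Prints "source-address local-endpoint" for every state whose source host
# is listed in the overload table. With a working "overload <T> flush",
# the output should be empty right after the table insertion.
surviving_states() {
    table=$1
    states=$2
    printf '%s\n' "$states" | awk -v tbl="$table" '
        BEGIN {
            n = split(tbl, a, "\n")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", a[i])          # strip pfctl indentation
                if (a[i] != "") listed[a[i]] = 1
            }
        }
        # "<-" means inbound: the peer after the arrow is the source.
        # "->" means outbound: the endpoint before the arrow is the source.
        $4 == "<-" || $4 == "->" {
            src = ($4 == "<-") ? $5 : $3
            # pfctl prints IPv4 as addr:port and IPv6 as addr[port]
            if (src ~ /\[[0-9]+\]$/) sub(/\[[0-9]+\]$/, "", src)
            else sub(/:[0-9]+$/, "", src)
            if (src in listed) print src, ($4 == "<-" ? $3 : $5)
        }
    '
}

# count_surviving TABLE_OUTPUT STATES_OUTPUT -> number of surviving states
count_surviving() {
    surviving_states "$1" "$2" | wc -l | tr -d ' \t'
}

# Demonstration on the constructed sample: reports the two 192.168.9.1 states.
surviving_states "$SAMPLE_TABLE" "$SAMPLE_STATES"
```

On a live OpenBSD host the same check is `surviving_states "$(pfctl -t BLACKLIST -T show)" "$(pfctl -ss)"`, run as root.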