======================================================
This e-mail is a reply to the e-mail "[rofug] PF scrubbing nu functioneaza?" received Wednesday, May 17, 2006, 7:00:21 PM:

Vlad GALU> On 5/17/06, Dragos <[EMAIL PROTECTED]> wrote:
>> Hi Vlad ([EMAIL PROTECTED]),
>> ================================================================================
>> This e-mail is a reply to the e-mail "[rofug] PF scrubbing nu
>> functioneaza?" received Wednesday, May 17, 2006, 6:36:51 PM:
>> Vlad GALU> On 5/17/06, Dragos <[EMAIL PROTECTED]> wrote:
>> Vlad GALU> [...]
>> Vlad GALU> I see it raises the TTL correctly to 128. Look with pfctl -sr -v
>> Vlad GALU> to see how many matches you get on each scrub rule.
>> ================================================================================
>> scrub on rl0 all min-ttl 128 max-mss 1400 fragment reassemble
>>   [ Evaluations: 683742   Packets: 119337   Bytes: 0   States: 0 ]
>> scrub on rl1 all min-ttl 128 max-mss 1400 fragment reassemble
>>   [ Evaluations: 564405   Packets: 45880    Bytes: 0   States: 0 ]
>> scrub on rl2 all min-ttl 128 max-mss 1400 fragment reassemble
>>   [ Evaluations: 518525   Packets: 21941    Bytes: 0   States: 0 ]
>> scrub on rl0 all no-df fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl1 all no-df fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl2 all no-df fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl0 all fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl1 all fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl2 all fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl0 all random-id fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl1 all random-id fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl2 all random-id fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub out on rl2 all random-id fragment reassemble
>>   [ Evaluations: 0        Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl0 all reassemble tcp fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl1 all reassemble tcp fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>> scrub on rl2 all reassemble tcp fragment reassemble
>>   [ Evaluations: 496584   Packets: 0        Bytes: 0   States: 0 ]
>>
>> Indeed, I don't know why I didn't think of checking it that way. It seems pf
>> wants to have all the options on a single line, which looks somewhat odd.
>>
>> pfctl -sr -v | grep -v pass|grep -v block
>> scrub on rl0 all no-df random-id min-ttl 128 max-mss 1400 reassemble tcp fragment reassemble
>>   [ Evaluations: 91373    Packets: 41319    Bytes: 0   States: 0 ]
>> scrub on rl1 all no-df random-id min-ttl 128 max-mss 1400 reassemble tcp fragment reassemble
>>   [ Evaluations: 50054    Packets: 19994    Bytes: 0   States: 0 ]
>> scrub on rl2 all no-df random-id min-ttl 128 max-mss 1400 reassemble tcp fragment reassemble
>>   [ Evaluations: 30060    Packets: 16840    Bytes: 0   States: 0 ]
>>
>> It seems more OK now, although because of the large number of sessions
>> it is harder for me to follow the id.

Vlad GALU> Use a more specific filter in tcpdump - e.g. src host XXX
Vlad GALU> and dst host YYY.

It looks fairly random:

19:07:41.995404 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 183:
    IP (tos 0x0, ttl 128, id 7582, offset 0, flags [none], length: 169) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 141
19:07:42.174917 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 135:
    IP (tos 0x0, ttl 128, id 34003, offset 0, flags [none], length: 121) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 93
19:07:43.337136 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 26609, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:44.854686 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 61606, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:46.337114 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 64305, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:47.837071 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 58211, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:48.922853 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 54555, offset 0, flags [none], length: 81) 1.2.3.4.63921 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:07:52.149567 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 32789, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:52.210482 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 54129, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:52.275350 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 135:
    IP (tos 0x0, ttl 128, id 7739, offset 0, flags [none], length: 121) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 93
19:07:52.351135 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 135:
    IP (tos 0x0, ttl 128, id 6008, offset 0, flags [none], length: 121) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 93
19:07:59.582387 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 19551, offset 0, flags [none], length: 81) 1.2.3.4.63921 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:02.527549 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 37245, offset 0, flags [none], length: 81) 1.2.3.4.57310 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:09.190407 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 3860, offset 0, flags [none], length: 81) 1.2.3.4.63921 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:11.856336 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 53046, offset 0, flags [none], length: 81) 1.2.3.4.57310 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:20.037669 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 20793, offset 0, flags [none], length: 81) 1.2.3.4.63921 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:22.209991 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 60420, offset 0, flags [none], length: 81) 1.2.3.4.57310 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:30.069854 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 8196, offset 0, flags [none], length: 81) 1.2.3.4.63921 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:32.828175 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 10359, offset 0, flags [none], length: 81) 1.2.3.4.57310 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:40.076720 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 95:
    IP (tos 0x0, ttl 128, id 54832, offset 0, flags [none], length: 81) 1.2.3.4.63921 > 4.3.2.1.1190: [udp sum ok] UDP, length: 53
19:08:40.355380 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 48460, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:08:40.368134 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 13354, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:08:41.837101 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 47119, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:08:41.848399 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175:
    IP (tos 0x0, ttl 128, id 34103, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133

=====================================================
All the best,
Dragos
________________________________________________________
To unsubscribe send a mail to [EMAIL PROTECTED]
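As an added example (not code from the thread, nor from PF or tcpdump), here are the two checks Vlad suggested done programmatically in Python: parsing the `pfctl -sr -v` output to list scrub rules whose packet counter stays at zero (the counters quoted in the thread show only the first scrub rule on each interface ever matching, so the options spread across the other rules were never being applied until they were merged into one rule), and extracting the IP ID and TTL fields from the `tcpdump -e -v` lines to check that `random-id` is producing non-sequential IDs and that `min-ttl 128` is holding. The sample inputs are constructed from values quoted in the thread; the function names and the `max_step` threshold for "looks sequential" are my own choices.

```python
"""Check PF scrub rules and a tcpdump capture the way the thread does, but
programmatically.  Added example; not code from the mailing list thread.
The sample inputs below are constructed from values quoted in the thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: three of the scrub rules from the thread, in the layout
# printed by `pfctl -sr -v` (the counter line follows each rule).
PFCTL_OUTPUT = """\
scrub on rl0 all min-ttl 128 max-mss 1400 fragment reassemble
  [ Evaluations: 683742    Packets: 119337    Bytes: 0           States: 0     ]
scrub on rl0 all no-df fragment reassemble
  [ Evaluations: 496584    Packets: 0         Bytes: 0           States: 0     ]
scrub out on rl2 all random-id fragment reassemble
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

# Constructed sample: five `tcpdump -e -v` lines from the thread (IDs 7582,
# 34003, 26609, 61606, 64305), each packet on a single line.
TCPDUMP_OUTPUT = """\
19:07:41.995404 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 183: IP (tos 0x0, ttl 128, id 7582, offset 0, flags [none], length: 169) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 141
19:07:42.174917 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 135: IP (tos 0x0, ttl 128, id 34003, offset 0, flags [none], length: 121) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 93
19:07:43.337136 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175: IP (tos 0x0, ttl 128, id 26609, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:44.854686 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175: IP (tos 0x0, ttl 128, id 61606, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
19:07:46.337114 aa:bb:cc:dd:ee:ff > ff:ee:dd:cc:bb:aa, ethertype IPv4 (0x0800), length 175: IP (tos 0x0, ttl 128, id 64305, offset 0, flags [none], length: 161) 1.2.3.4.57310 > 4.3.2.1.1190: UDP, length: 133
"""

RULE_RE = re.compile(r"^scrub\b")
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
IP_ID_RE = re.compile(r"\bid (\d+)\b")
TTL_RE = re.compile(r"\bttl (\d+)\b")


def parse_scrub_rules(text: str) -> List[Tuple[str, Dict[str, int]]]:
    """Pair each scrub rule line with the counters printed on the next line."""
    rules: List[Tuple[str, Dict[str, int]]] = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if RULE_RE.match(stripped):
            current = stripped
            continue
        m = COUNTER_RE.search(stripped)
        if m and current is not None:
            names = ("evaluations", "packets", "bytes", "states")
            rules.append((current, dict(zip(names, map(int, m.groups())))))
            current = None
    return rules


def dead_scrub_rules(text: str) -> List[str]:
    """Scrub rules that never matched a packet; their options are not applied."""
    return [rule for rule, c in parse_scrub_rules(text) if c["packets"] == 0]


def ip_ids(text: str) -> List[int]:
    """IP identification field of every packet in tcpdump -v output, in order."""
    return [int(v) for v in IP_ID_RE.findall(text)]


def ids_look_sequential(ids: List[int], max_step: int = 16) -> bool:
    """True when every consecutive ID differs by a small positive step
    (modulo 2^16, so a wrap from 65535 to 0 still counts as sequential).
    A host that does not randomise IDs typically shows exactly this."""
    if len(ids) < 2:
        return False
    return all(0 < (b - a) % 65536 <= max_step for a, b in zip(ids, ids[1:]))


def min_ttl_ok(text: str, min_ttl: int) -> bool:
    """True when every packet in the capture left with TTL >= min_ttl."""
    ttls = [int(v) for v in TTL_RE.findall(text)]
    return bool(ttls) and all(t >= min_ttl for t in ttls)


if __name__ == "__main__":
    for rule in dead_scrub_rules(PFCTL_OUTPUT):
        print("never matched:", rule)
    ids = ip_ids(TCPDUMP_OUTPUT)
    print("IP IDs:", ids, "sequential:", ids_look_sequential(ids))
    print("min-ttl 128 holds:", min_ttl_ok(TCPDUMP_OUTPUT, 128))
```

On a live box the same functions can be fed `subprocess.run(["pfctl", "-sr", "-v"], ...)` and `tcpdump -e -v -n` output filtered with the `src host` / `dst host` expression Vlad mentions; the sequential-ID heuristic is deliberately simple and only flags the obvious counter-like pattern, so a `False` result means "not plainly sequential", not a proof of randomness.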

