Re: pf adaptive syncookie
‐‐‐ Original Message ‐‐‐
On Friday, December 18, 2020 6:13 PM, Stuart Henderson wrote:

> And if it's anything like when I try it, you'll see some TCP connections
> failing when it is active too. Not everything fails, but e.g. if I have
> "set syncookies always" on a router, and run "ftp -o- http://www.facebook.com/;
> from a machine behind it, it fails every time (it appears to connect
> immediately, but of course that's just syncookies - I never get a response
> after making a request over it until I disable syncookies again).
>
> In that case where syncookies are active but things are failing I see
> PROXY and SYN_SENT states in pfctl -ss e.g.
>
> all tcp 157.240.221.35:80 <- 82.68.199.130:16476 PROXY:DST
> all tcp 82.68.199.130:16476 -> 157.240.221.35:80 SYN_SENT:CLOSED
>
> So I strongly recommend trying it with 'always' and see if things are
> broken for you. Otherwise if you set 'adaptive' you may get an unpleasant
> surprise sometime maybe much later when they do actually trigger.

Thanks for the tip. I just tried it on my OpenBSD 6.7 firewall at home and exactly as you say I can't connect to facebook.com anymore (same for instagram.com). This is really weird, do you have any idea why? Is it a bug in the implementation of syncookies in OpenBSD or facebook.com doing weird things with TCP?
Re: pf adaptive syncookie
On 2020-12-18, mabi wrote:
> ‐‐‐ Original Message ‐‐‐
> On Friday, December 18, 2020 10:48 AM, Stuart Henderson wrote:
>
>> It's something like "what % of max allowed states is half-open tcp".
>> Watch out as there are some bugs in this area, definitely thewith
>> accounting of half-open connections can be wildly off sometimes
>> (triggering adaptive syncookies when they shouldn't really be triggered)
>> and I think also with the behaviour when they're active, I have had
>> it trigger spuriously and then a bunch of connections failing when
>> triggered, so monitor it carefully if you enable this.
>
> Thank you for your precisions.
>
> This means that if I want to start using syncookies when I have over 40'000
> half-open tcp states and stop using it when it is back down to 30'000
> half-open tcp states I would use the following pf.conf parameter:
>
> set syncookies adaptive (start 4%, end 3%)
>
> Note that my max allowed states is set to 1'000'000.
>
> I guess this is better even if somehow imprecise than having syncookies set
> to "always"...
>
> What is the best way to monitor the usage of adaptive syncookies? In the
> output of "pfctl -si" I don't see any relevant metric for syncookies.

You'll see a rising count in pfctl -ss "synproxy" if they're active.

And if it's anything like when I try it, you'll see some TCP connections
failing when it is active too. Not everything fails, but e.g. if I have
"set syncookies always" on a router, and run "ftp -o- http://www.facebook.com/;
from a machine behind it, it fails every time (it appears to connect
immediately, but of course that's just syncookies - I never get a response
after making a request over it until I disable syncookies again).

In that case where syncookies are active but things are failing I see
PROXY and SYN_SENT states in pfctl -ss e.g.

all tcp 157.240.221.35:80 <- 82.68.199.130:16476 PROXY:DST
all tcp 82.68.199.130:16476 -> 157.240.221.35:80 SYN_SENT:CLOSED

So I strongly recommend trying it with 'always' and see if things are
broken for you. Otherwise if you set 'adaptive' you may get an unpleasant
surprise sometime maybe much later when they do actually trigger.
Re: pf adaptive syncookie
‐‐‐ Original Message ‐‐‐
On Friday, December 18, 2020 10:48 AM, Stuart Henderson wrote:

> It's something like "what % of max allowed states is half-open tcp".
> Watch out as there are some bugs in this area, definitely thewith
> accounting of half-open connections can be wildly off sometimes
> (triggering adaptive syncookies when they shouldn't really be triggered)
> and I think also with the behaviour when they're active, I have had
> it trigger spuriously and then a bunch of connections failing when
> triggered, so monitor it carefully if you enable this.

Thank you for your precisions.

This means that if I want to start using syncookies when I have over 40'000
half-open tcp states and stop using it when it is back down to 30'000
half-open tcp states I would use the following pf.conf parameter:

set syncookies adaptive (start 4%, end 3%)

Note that my max allowed states is set to 1'000'000.

I guess this is better even if somehow imprecise than having syncookies set
to "always"...

What is the best way to monitor the usage of adaptive syncookies? In the
output of "pfctl -si" I don't see any relevant metric for syncookies.
pf adaptive syncookie
Hi,

I see quite some syn flood packets on my OpenBSD firewall filling up the
state table for nothing. So I thought let's try the pf's adaptive syncookies.
I am just not quite sure what the percentage used by start and stop relate to.

In the pf.conf man page the following is written:

"pf will enable syncookie mode when a given percentage of the state table is
used up by half-open TCP connections..."

That "given percentage" does it compare the "half-open tcp" value of the
state table (as seen in "pfctl -si") with the amount of "current entries" in
the state table? or does it compare it with the limit of maximum states I
have defined in my pf.conf (value of "set limit states") ?

Thank you in advance for any precisions.

Regards,
Mabi
Re: pf adaptive syncookie
On 2020-12-18, mabi wrote:
> Hi,
>
> I see quite some syn flood packets on my OpenBSD firewall filling up the
> state table for nothing. So I thought let's try the pf's adaptive syncookies.
> I am just not quite sure what the percentage used by start and stop relate to.
>
> In the pf.conf man page the following is written:
>
> "pf will enable syncookie mode when a given percentage of the state table is
> used up by half-open TCP connections..."
>
> That "given percentage" does it compare the "half-open tcp" value of the
> state table (as seen in "pfctl -si") with the amount of "current entries" in
> the state table? or does it compare it with the limit of maximum states I
> have defined in my pf.conf (value of "set limit states") ?
>
> Thank you in advance for any precisions.
>
> Regards,
> Mabi
>
>

It's something like "what % of max allowed states is half-open tcp".
Watch out as there are some bugs in this area, definitely thewith
accounting of half-open connections can be wildly off sometimes
(triggering adaptive syncookies when they shouldn't really be triggered)
and I think also with the behaviour when they're active, I have had
it trigger spuriously and then a bunch of connections failing when
triggered, so monitor it carefully if you enable this.
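To make the two readings of "given percentage" concrete (half-open as a share of "current entries" versus of "set limit states", the latter being Stuart's answer) and to show how the start/end pair in "set syncookies adaptive (start 4%, end 3%)" behaves with a 1,000,000 state limit, here is an added example that is not part of the thread. The pfctl -si and pfctl -sm samples are constructed, and the on/off model (strict comparisons against start and end, with hysteresis in between) is this example's own simplification, not pf's source.

```python
import re

# Constructed sample of the State Table section of "pfctl -si"; not captured
# from the firewall in the thread. Row names are the ones pfctl prints.
PFCTL_SI = """\
State Table                          Total             Rate
  current entries                    52000
  half-open tcp                      41000
  searches                         1234567          1400.0/s
"""

# Constructed sample of the "states" row of "pfctl -sm" for 'set limit states 1000000'.
PFCTL_SM = "states        hard limit  1000000\n"

def counter(text, *words):
    """Integer Total column of the row whose leading words are `words` (whitespace-insensitive)."""
    pat = r"^\s*" + r"\s+".join(map(re.escape, words)) + r"\s+(\d+)"
    m = re.search(pat, text, re.M)
    if m is None:
        raise ValueError("row not found: " + " ".join(words))
    return int(m.group(1))

def halfopen_ratios(si_text, sm_text):
    """(half-open % of current entries, half-open % of 'set limit states').
    The adaptive thresholds are read against the second figure, per Stuart's answer."""
    halfopen = counter(si_text, "half-open", "tcp")
    current = counter(si_text, "current", "entries")
    limit = counter(sm_text, "states", "hard", "limit")
    return round(100.0 * halfopen / current, 1), round(100.0 * halfopen / limit, 1)

class AdaptiveSyncookies:
    """Assumed model of 'set syncookies adaptive (start X%, end Y%)': cookies switch on once
    half-open states exceed start% of the limit and stay on until they drop below end%."""
    def __init__(self, start_pct, end_pct, limit):
        self.start = limit * start_pct // 100   # 4% of 1,000,000 -> 40,000
        self.end = limit * end_pct // 100       # 3% of 1,000,000 -> 30,000
        self.active = False

    def observe(self, halfopen):
        if not self.active and halfopen > self.start:
            self.active = True
        elif self.active and halfopen < self.end:
            self.active = False
        return self.active

def simulate(samples, start_pct=4, end_pct=3, limit=1_000_000):
    """Feed a series of half-open counts through the model; returns the on/off history."""
    model = AdaptiveSyncookies(start_pct, end_pct, limit)
    return [model.observe(n) for n in samples]

if __name__ == "__main__":
    print(halfopen_ratios(PFCTL_SI, PFCTL_SM))            # (78.8, 4.1)
    print(simulate([20000, 41000, 35000, 29000, 45000]))  # [False, True, True, False, True]
```

With the constructed numbers, half-open states are 78.8% of current entries but only 4.1% of the limit, which is why the thresholds are quoted as small percentages; the simulation shows the 35,000 sample keeping cookies on because it sits between end and start.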