pflog and reason

mike tancsa mike at sentex.net
Fri Mar 12 14:13:14 UTC 2021 

On 3/12/2021 12:25 AM, Max wrote:
> You can use overload option.
> "With the overload <table> state option, source IP addresses which hit
> either of the limits on established connections will be added to the
> named table."
>
> pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep
> state \
>    (max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)
>
Thanks, this might give me the answer in a round about way!  But I am
curious as to when the I would actually see reason src-limit. According
to the RELENG_12 man pages,

reason match     Reason equals match.  Also accepts "bad-offset", "frag-
		      ment", "bad-timestamp", "short", "normalize", "memory",
		      "congestion", "ip-option", "proto-cksum",	"state-mis-
		      match", "state-insert", "state-limit", "src-limit", and
		      "synproxy".


but I never see state or src limit as a reason. The reason is always a
match.

    ---Mike


> # pfctl -t rdp-bruteforce -vTs
>    222.214.161.232
>         Cleared:     Thu Mar  4 08:09:50 2021
>
> According to
> https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7
>        reason code
>           True if the packet was logged with the specified PF reason
> code.
>           The known    codes are: match, bad-offset, fragment, short,
> normal-
>           ize,  and    memory (applies    only to    packets logged by
> OpenBSD's or
>           FreeBSD's    pf(4)).
>
> 11.03.2021 22:17, mike tancsa пишет:
>> I am trying to track down the IPs that are hitting my src limits, but I
>> dont seem them logged. According to
>>
>> https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8
>>
>> I should be able to see the reason something got blocked
>>
>> e.g. if I have something like
>>
>>
>> pass in log on $outside_nic proto tcp from any to $http_server port 80
>> keep state (max 25 max-src-conn-rate 2/60)
>>
>> How would I find the IP that is tripping up the max state rule or
>> max-src-conn-rate ?
>>
>> Looking at
>>
>> pfctl -sinfo -v
>>
>> Limit Counters
>>    max states per rule               293319            0.2/s
>>    max-src-states                         0            0.0/s
>>    max-src-nodes                          0            0.0/s
>>    max-src-conn                           0            0.0/s
>>    max-src-conn-rate                  10273            0.0/s
>>    overload table insertion               0            0.0/s
>>    overload flush states                  0            0.0/s
>>
>> The counters are increasing, but I never see it in pflog
>>
>> tcpdump -tttt -nei pflog0 -s0 reason state-limit or reason src-limit
>>
>>      ---Mike
>>
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>

More information about the freebsd-pf mailing list