Hugo Silva
2012-Dec-20 16:50 UTC
random_id_collisions; random_id and portrange_randomized; firewall
I am experiencing a situation in a 9.1-PRERELEASE virtual machine running an http load balancer (lots of short lived connections). While I don't observe any negative effects while browsing, I've noticed the following two things: net.inet.ip.portrange.randomtime: 45 net.inet.ip.portrange.randomcps: 10 net.inet.ip.portrange.randomized: 0 net.inet.ip.random_id_total: 2902 net.inet.ip.random_id_collisions: 72 net.inet.ip.random_id_period: 8192 net.inet.ip.random_id: 0 ^^ how can there be random_id_collisions if random_id is off? I turned portrange_randomized off too but it's still increasing. I thought it could be because I manually set random_id to on for awhile but that's not it either. It continues increasing after setting it back to 0, and continues to increase as long as there are connections coming in. Secondly and more worrying than that, there is a constant stream of 16:43:46.825519 rule 1..16777216/0(match): block in on xn0: webserver-1.80 > my-carp-addr.15960: Flags [S.], seq 543469675, ack 1259381687, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4146068434 ecr 49765522], length 0 16:43:46.831707 rule 1..16777216/0(match): block in on xn0: webserver-1.80 > my-carp-addr.15960: Flags [S.], seq 543469675, ack 1259381687, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4146068434 ecr 49768522], length 0 16:43:47.155584 rule 1..16777216/0(match): block in on xn0: webserver-1.80 > my-carp-addr.60985: Flags [S.], seq 967271907, ack 1313270384, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1569556969 ecr 49765852], length 0 16:43:47.161673 rule 1..16777216/0(match): block in on xn0: webserver-1.80 > my-carp-addr.60985: Flags [S.], seq 967271907, ack 1313270384, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1569556969 ecr 49768852], length 0 16:43:47.468145 rule 1..16777216/0(match): block in on xn0: webserver-2.80 > my-carp-addr.17258: Flags [S.], seq 2490904044, ack 1172967175, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1321031907 ecr 49766162], length 0 16:43:47.471658 rule 1..16777216/0(match): block in on xn0: webserver-2.80 > my-carp-addr.17258: Flags [S.], seq 2490904044, ack 1172967175, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1321031907 ecr 49769162], length 0 16:43:47.578134 rule 1..16777216/0(match): block in on xn0: webserver-2.80 > my-carp-addr.44721: Flags [S.], seq 1379777506, ack 2380193975, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1520285356 ecr 49748272], length 0 16:43:47.935585 rule 1..16777216/0(match): block in on xn0: webserver-1.80 > my-carp-addr.34197: Flags [S.], seq 3788206954, ack 1081350645, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2401687485 ecr 49748632], length 0 16:43:47.975592 rule 1..16777216/0(match): block in on xn0: webserver-1.80 > my-carp-addr.31105: Flags [S.], seq 1953359471, ack 752554584, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2473442173 ecr 49748672], length 0 16:43:48.098680 rule 1..16777216/0(match): block in on xn0: webserver-2.80 > my-carp-addr.15657: Flags [S.], seq 165305583, ack 173283101, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2824307788 ecr 49766792], length 0 16:43:48.408090 rule 1..16777216/0(match): block in on xn0: webserver-2.80 > my-carp-addr.45410: Flags [S.], seq 3840501222, ack 775257715, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1274761217 ecr 49749102], length 0 16:43:48.415524 rule 1..16777216/0(match): block in on xn0: webserver-3.80 > my-carp-addr.38523: Flags [S.], seq 680899031, ack 3769287099, win 32768, options [mss 1460,nop,wscale 3,nop,nop,TS val 19 ecr 49764112,sackOK,nop,nop], length 0 These appear to be packets from TCP connections that are being blocked by pf every time (rendering the log pretty much unusable; it is constant) At the same time, pf state-mismatch is not increasing (only now and then): state-mismatch 639 0.0/s My ruleset is quite simple: block drop quick inet6 all block drop log all block drop in on ! xn0 inet from $my_subnet to any block drop in inet from $myself to any block drop in quick on xn0 inet proto udp from any to any port = 1900 pass quick on xn0 proto carp all keep state pass out quick on xn0 inet proto udp from (xn0:0) to any port = ntp keep state (no-sync) pass out quick on xn0 inet proto udp from (xn0:0) to $nameserver port domain keep state (no-sync) pass out quick on xn0 inet proto tcp from (xn0:0) to any user = 0 flags S/SA keep state (no-sync) pass in quick on xn0 inet proto tcp from $vpn-range to (xn0:0) port ssh flags S/SA keep state (no-sync) pass in quick on xn0 inet proto tcp from $vpn-range to (xn0:0) port http flags S/SA keep state pass in quick on xn0 inet proto tcp from any to $my-carp-addr port http flags S/SA keep state pass in quick on xn0 inet proto icmp from $vpn-range to $my-carp-addr icmp-type echoreq keep state pass in quick on xn0 inet proto icmp from $vpn-range to (xn0:0) icmp-type echoreq keep state pass out quick on xn0 inet proto tcp from $my-carp-addr to (xn0:network) port = http flags S/SA keep state pass out quick on xn0 inet proto tcp from $my-carp-addr to <openfire_farm> port = 7070 flags S/SA keep state I don't understand what's causing the constant blocks in pf nor why net.inet.ip.random_id_collisions keeps increasing in spite of what was presented. Is it possible that this is a bug? Regards, Hugo