[CALUG] Vulnerability Scanner knocks down firewall
Mark Parsons
mark.parsons at gmail.com
Mon Dec 12 21:16:40 CST 2005
> Is this new behavior on a previously well-behaving firewall? Or did
> the behavior just start with the introduction of the scanner?
This is new behavior on a previously well-behaving firewall that has
been running for over a year without any issues. The scanner has been
used as well for over a year and we have tested old and new versions
of the scanner and they all produce the same result.
> I think that you might be suffering from frag and/or state
> exhaustion, but it's impossible to tell without more information
> about your system and the PF status. Stuff like a dmesg and the
> output of "pfctl -vsi" would help. You'll probably have to do some
> creative tcpdump'g as well to see what is (and isn't) getting through
> on $int_if.
I will try the changes to the rules that you suggested tomorrow when I
get to the office. In the meantime here is the output of the pfctl
-vsi and dmesg:
/etc $ pfctl -vsi
Status: Enabled for 3 days 11:17:15 Debug: Urgent
Hostid: 0xa1a5ba2a
Checksum: 0xffd74a80de56cec8e4ae151a17188db7
Interface Stats for bge1 IPv4 IPv6
Bytes In 20118770 0
Bytes Out 29432922 352
Packets In
Passed 482035 0
Blocked 126 0
Packets Out
Passed 501258 0
Blocked 248 5
State Table Total Rate
current entries 198
searches 4726260 15.8/s
inserts 1091825 3.6/s
removals 1091627 3.6/s
Source Tracking Table
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 3374384 11.3/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 578671 1.9/s
bad-timestamp 0 0.0/s
congestion 14529 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
/etc $ dmesg
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
deraadt at i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.06GHz ("GenuineIntel" 686-class) 3.06 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 4109975552 (4013648K)
avail mem = 3745009664 (3657236K)
using 4278 buffers containing 205602816 bytes (200784K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf0000
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x2000
pcibios0: PCI BIOS has 9 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:15:0 ("ServerWorks CSB5
SouthBridge" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20-HE" rev 0x33
pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20-HE" rev 0x00
pci1 at pchb1 bus 3
pchb2 at pci0 dev 0 function 2 "ServerWorks CNB20-HE" rev 0x00
pci2 at pchb2 bus 1
vga1 at pci0 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vendor "Compaq", unknown product 0xb203 (class system subclass
miscellaneous, rev 0x01) at pci0 dev 4 function 0 not configured
vendor "Compaq", unknown product 0xb204 (class system subclass
miscellaneous, rev 0x01) at pci0 dev 4 function 2 not configured
pcib0 at pci0 dev 15 function 0 "ServerWorks CSB5 SouthBridge" rev 0x93
pciide0 at pci0 dev 15 function 1 "ServerWorks CSB5 IDE" rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <COMPAQ, CD-ROM SN-124, N104> SCSI0
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4
pchb3 at pci0 dev 15 function 3 "ServerWorks CSB5 PCI" rev 0x00
pchb4 at pci0 dev 16 function 0 "ServerWorks CIOBX2" rev 0x05
pchb5 at pci0 dev 16 function 2 "ServerWorks CIOBX2" rev 0x05
pci3 at pchb5 bus 6
ppb0 at pci3 dev 1 function 0 "IBM 82351 PCI-PCI" rev 0x07
pci4 at ppb0 bus 7
cac0 at pci4 dev 0 function 0 "Compaq SMART2P RAID" rev 0x03: irq 7
Compaq Smart Array 3200
scsibus1 at cac0: 1 targets
sd0 at scsibus1 targ 0 lun 0: <Compaq, RAID1 volume #, > SCSI2 0/direct fixed
sd0: 69459MB, 17433 cyl, 255 head, 32 sec, 512 bytes/sec, 142253280 sec total
"Compaq PCI Hotplug" rev 0x14 at pci3 dev 30 function 0 not configured
pchb6 at pci0 dev 17 function 0 "ServerWorks CIOBX2" rev 0x05
pchb7 at pci0 dev 17 function 2 "ServerWorks CIOBX2" rev 0x05
pci5 at pchb7 bus 2
bge0 at pci5 dev 1 function 0 "Broadcom BCM5703X" rev 0x02, BCM5703 A2
(0x1002): irq 10 address 00:0b:cd:ee:91:dd
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci5 dev 2 function 0 "Broadcom BCM5703X" rev 0x02, BCM5703 A2
(0x1002): irq 11 address 00:0b:cd:ee:91:dc
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e3ed netmask efed ttymask ffef
pctr: user-level cycle counter enabled
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
Thanks again for your help. If I ever make it to a meeting I will be
sure and bring ya a six pack of a beverage of your choice.
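
Added example, not part of the original post: a shell function that pulls the non-zero drop counters out of "pfctl -vsi" output like the one pasted above. The names pf_drop_counters and sample_pfctl_vsi are made up for this example, and the sample is a trimmed copy of the figures in the post.

```shell
#!/bin/sh
# Trimmed copy of the pfctl -vsi figures from the post (whitespace as archived).
sample_pfctl_vsi() {
cat <<'EOF'
State Table Total Rate
current entries 198
searches 4726260 15.8/s
Counters
match 3374384 11.3/s
fragment 0 0.0/s
memory 578671 1.9/s
congestion 14529 0.0/s
state-limit 0 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-conn-rate 0 0.0/s
EOF
}

# Reads pfctl -vsi text on stdin and prints "name total" for every entry in
# the "Counters" and "Limit Counters" sections whose total is non-zero.
# "match" is skipped: it counts rule matches, not dropped packets.
# In pf, "memory" counts packets dropped because an allocation failed (for
# example a new state entry once the configured state limit is reached) and
# "congestion" counts packets dropped because the IP input queue was full.
pf_drop_counters() {
    awk '
        ($1 == "Counters" && NF == 1) ||
        ($1 == "Limit" && $2 == "Counters" && NF == 2) { in_sec = 1; next }
        /Table/ { in_sec = 0 }          # State / Source Tracking sections
        in_sec && NF >= 3 {
            # Last field is the rate, the field before it is the total;
            # everything in front of that is the (possibly multi-word) name.
            name = $1
            for (i = 2; i <= NF - 2; i++) name = name " " $i
            total = $(NF - 1)
            if (name != "match" && total ~ /^[0-9]+$/ && total + 0 > 0)
                print name, total
        }
    '
}

# Stand-alone run on the sample; on the firewall: pfctl -vsi | pf_drop_counters
sample_pfctl_vsi | pf_drop_counters
```

Run twice a few seconds apart while the scan is in progress, the difference between the two totals shows which counter is climbing.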