[CALUG] Vulnerability Scanner knocks down firewall

Mark Parsons mark.parsons at gmail.com
Mon Dec 12 21:16:40 CST 2005

> Is this new behavior on a previously well-behaving firewall?  Or did
> the behavior just start with the introduction of the scanner?

This is new behavior on a previously well-behaving firewall that has
been running for over a year without any issues. The scanner has been
used as well for over a year and we have tested old and new versions
of the scanner and they all produce the same result.

> I think that you might be suffering from frag and/or state
> exhaustion, but it's impossible to tell without more information
> about your system and the PF status.  Stuff like a dmesg and the
> output of "pfctl -vsi" would help.  You'll probably have to do some
> creative tcpdump'g as well to see what is (and isn't) getting through
> on $int_if.

I will try the changes to the rules that you suggested tomorrow when I
get to the office. In the meantime, here is the output of the pfctl
-vsi and dmesg:

/etc $ pfctl -vsi
Status: Enabled for 3 days 11:17:15           Debug: Urgent

Hostid:   0xa1a5ba2a
Checksum: 0xffd74a80de56cec8e4ae151a17188db7

Interface Stats for bge1              IPv4             IPv6
  Bytes In                        20118770                0
  Bytes Out                       29432922              352
  Packets In
    Passed                          482035                0
    Blocked                            126                0
  Packets Out
    Passed                          501258                0
    Blocked                            248                5

State Table                          Total             Rate
  current entries                      198
  searches                         4726260           15.8/s
  inserts                          1091825            3.6/s
  removals                         1091627            3.6/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
  match                            3374384           11.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                            578671            1.9/s
  bad-timestamp                          0            0.0/s
  congestion                         14529            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

/etc $ dmesg
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    deraadt at i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.06GHz ("GenuineIntel" 686-class) 3.06 GHz
real mem  = 4109975552 (4013648K)
avail mem = 3745009664 (3657236K)
using 4278 buffers containing 205602816 bytes (200784K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf0000
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x2000
pcibios0: PCI BIOS has 9 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:15:0 ("ServerWorks CSB5
SouthBridge" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20-HE" rev 0x33
pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20-HE" rev 0x00
pci1 at pchb1 bus 3
pchb2 at pci0 dev 0 function 2 "ServerWorks CNB20-HE" rev 0x00
pci2 at pchb2 bus 1
vga1 at pci0 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vendor "Compaq", unknown product 0xb203 (class system subclass
miscellaneous, rev 0x01) at pci0 dev 4 function 0 not configured
vendor "Compaq", unknown product 0xb204 (class system subclass
miscellaneous, rev 0x01) at pci0 dev 4 function 2 not configured
pcib0 at pci0 dev 15 function 0 "ServerWorks CSB5 SouthBridge" rev 0x93
pciide0 at pci0 dev 15 function 1 "ServerWorks CSB5 IDE" rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <COMPAQ, CD-ROM SN-124, N104> SCSI0
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4
pchb3 at pci0 dev 15 function 3 "ServerWorks CSB5 PCI" rev 0x00
pchb4 at pci0 dev 16 function 0 "ServerWorks CIOBX2" rev 0x05
pchb5 at pci0 dev 16 function 2 "ServerWorks CIOBX2" rev 0x05
pci3 at pchb5 bus 6
ppb0 at pci3 dev 1 function 0 "IBM 82351 PCI-PCI" rev 0x07
pci4 at ppb0 bus 7
cac0 at pci4 dev 0 function 0 "Compaq SMART2P RAID" rev 0x03: irq 7
Compaq Smart Array 3200
scsibus1 at cac0: 1 targets
sd0 at scsibus1 targ 0 lun 0: <Compaq, RAID1 volume #, > SCSI2 0/direct fixed
sd0: 69459MB, 17433 cyl, 255 head, 32 sec, 512 bytes/sec, 142253280 sec total
"Compaq PCI Hotplug" rev 0x14 at pci3 dev 30 function 0 not configured
pchb6 at pci0 dev 17 function 0 "ServerWorks CIOBX2" rev 0x05
pchb7 at pci0 dev 17 function 2 "ServerWorks CIOBX2" rev 0x05
pci5 at pchb7 bus 2
bge0 at pci5 dev 1 function 0 "Broadcom BCM5703X" rev 0x02, BCM5703 A2
(0x1002): irq 10 address 00:0b:cd:ee:91:dd
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci5 dev 2 function 0 "Broadcom BCM5703X" rev 0x02, BCM5703 A2
(0x1002): irq 11 address 00:0b:cd:ee:91:dc
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e3ed netmask efed ttymask ffef
pctr: user-level cycle counter enabled
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02

Thanks again for your help. If I ever make it to a meeting I will be
sure and bring ya a six pack of a beverage of your choice.
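
Added example, not part of the original message: a small shell filter that reads a `pfctl -vsi` report such as the one posted above and lists only the drop and limit counters that are non-zero, which is the quick check for the state or memory exhaustion suspected in the quoted reply. The function names are made up for this example, and the sample rows are excerpted from the output in this message.

```shell
#!/bin/sh
# Added example: list the non-zero pf drop and limit counters in a
# `pfctl -vsi` report read from stdin, one "name count" pair per line.

pf_nonzero_counters() {
    awk '
        # Counter rows end in "<integer> <rate>/s"; the name may be several
        # words ("max states per rule"), so take the count from the right.
        NF >= 3 && $NF ~ /\/s$/ && $(NF-1) ~ /^[0-9]+$/ {
            name = $1
            for (i = 2; i <= NF - 2; i++) name = name " " $i
            # Table activity and ordinary rule matches are not drops.
            if (name == "match" || name == "searches" ||
                name == "inserts" || name == "removals") next
            if ($(NF-1) + 0 > 0) print name, $(NF-1)
        }
    '
}

# Rows excerpted from the report in this message (not a full report).
sample_report() {
    cat <<'EOF'
State Table                          Total             Rate
  current entries                      198
  searches                         4726260           15.8/s
  match                            3374384           11.3/s
  fragment                               0            0.0/s
  memory                            578671            1.9/s
  congestion                         14529            0.0/s
  state-limit                            0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
EOF
}

# On the firewall itself: pfctl -vsi | pf_nonzero_counters
sample_report | pf_nonzero_counters
```

In pf, `memory` counts packets dropped because memory could not be allocated for them and `congestion` counts packets dropped because of input queue congestion; the pool hard limits to compare against are shown by `pfctl -sm`.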
