PF causing crash and reboot in kernel

B

BernardoCR

Hello,

I have this pf.conf configuration for PF and sometimes (it doesn't happen everytime, but after 2 or 3 times when I type the command, pfctl -f /etc/pf.conf causes kernel crash and system reboot.

I don't know if I have something wrong in the configuration (specially on its order), and I would really appreciate your help.

This is my pf.conf:

Code: 
# INTERFACES
externa  = "em1"
externa1 = "em0"
loopback = "lo0"

# DAEMONS
40_226 = "{ 21, 22, 25, 80, 443, 1935, 2000:4000, 3306, 5080, 5512, 6667:6669, 7004, 8001, 9999, 15000 }"
40_227 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_228 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_229 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_230 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_231 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_232 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_233 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_234 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_235 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_236 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_237 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_238 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_239 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_240 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_241 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_242 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_243 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_244 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_245 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_246 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_247 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_248 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_249 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_250 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_251 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_252 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_253 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
40_254 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
37_10 = "{ 22, 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999, 30000, 30399, 30999 }"
37_11 = "{ 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
37_12 = "{ 25, 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
37_13 = "{ 80, 443, 587, 1935, 5080, 6667:6669, 7004, 8001, 9999 }"
37_14 = "{ 21, 22, 25, 80, 443, 587, 1935, 2000:4000, 2695, 3306, 5512, 5080, 6601:6609, 6667:6669, 7004, 8001, 9999, 15000 }"


#########################################################################
# CONFIGURACOES                                                        ##
#########################################################################
# TEMPOS LIMITES                                                       ##
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }

# LIMITES                                                              ##
set limit { frags 10000, states 50000, tables 5000, table-entries 1000000 }
# REGISTROS                                                            ##
set loginterface none
# OPTIMIZACAO                                                          ##
set optimization aggressive
set ruleset-optimization basic
# POLITICA                                                             ##
set block-policy drop
# REQUER ORDEM DAS REGRAS                                              ##
set require-order yes
# EXCLUI LOOPBACK DE TODAS AS REGRAS                                   ##
set skip on $loopback
# REMONTA FRAGMENTOS E RESOLVE/REDUZ TRAFEGO AMBIGUO                   ##
scrub in all
antispoof quick for $externa inet

table <sshbf> persist
table <vlwc> persist
table <www> persist
table <dns> persist
table <except> persist file "/etc/except"

block drop in quick on $externa proto { icmp } from any to any

# LIBERAR TUDO
#pass in quick all
pass out quick all
pass in quick on $externa1

# BLOQUEAR TUDO (EXCE..ES ABAIXO)
block in all
#block out all

# Liberar except table
pass in quick on $externa proto { tcp,udp,icmp } from <except> to any synproxy state

# imap.gmail.com
pass in quick on $externa inet proto { tcp,udp,icmp } from imap.gmail.com to any synproxy state

# ACESSO A TUDO (BERNARDO)
pass in quick on $externa inet proto { tcp,udp,icmp } from 192.157.242.46 to any synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 198.56.248.214 to any synproxy state

# BLOQUEAR IPS BLACKLISTED (N.O ALTERAR)
block return-rst in quick on $externa inet proto tcp from <vlwc> to any
block drop in quick on $externa inet proto tcp from <sshbf> to any
block drop in quick on $externa inet proto tcp from <www> to any
block drop in quick on $externa inet proto tcp from <dns> to any
block drop in quick on $externa inet proto { udp,icmp } from <sshbf> to any
block drop in quick on $externa inet proto { udp,icmp } from <vlwc> to any
block drop in quick on $externa inet proto { udp,icmp } from <www> to any
block drop in quick on $externa inet proto { udp,icmp } from <dns> to any

# SITE
pass in quick on $externa inet proto { tcp,udp } from any to any port { 80 } flags S/SA keep state (max-src-conn 50, max-src-conn-rate 100/3, overload <www> flush global)

# SERVICES
pass in  quick on $externa inet proto { tcp,udp } from any to any port { 8001 } flags S/SA keep state (max-src-conn 250, max-src-conn-rate 300/3, overload <vlwc> flush global)
pass in  quick on $externa inet proto { tcp,udp } from any to any port { 6667,6606,7004 } flags S/SA keep state (max-src-conn 250, max-src-conn-rate 300/3, overload <vlwc> flush global)
pass in  quick on $externa inet proto { tcp,udp } from any to any port { 5512 } flags S/SA keep state (max-src-conn 600, max-src-conn-rate 600/3, overload <vlwc> flush global)

# PRINCIPAL - SSH
pass inet proto tcp from any to any port { 22,43022 } flags S/SA keep state (max-src-conn 10, max-src-conn-rate 15/10, overload <sshbf> flush global)

# ACESSO EXTERNO (RESOLUCAO DE DNS)
pass in quick on $externa inet proto { udp,tcp } from any to any port { 43, 53 } flags S/SA keep state (max-src-conn 10, max-src-conn-rate 30/5, overload <dns> flush global)

# ACESSO AO MIBBIT
pass in quick on $externa inet proto { tcp,udp,icmp } from 207.192.75.252 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 207.192.75.252 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 64.62.228.82 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 64.62.228.82 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 109.169.29.95 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 109.169.29.95 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 78.129.202.38 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 78.129.202.38 synproxy state

# ACESSO RED5
pass in quick on $externa inet proto { tcp,udp } from any to any port 1935
pass out quick on $externa inet proto { tcp,udp } from any to any port 1935

# ACESSO SERVIDORES SH3LLS E SANTREX
pass in quick on $externa inet proto { tcp,udp } from 67.43.226.134 to any
pass in quick on $externa inet proto { tcp,udp } from 67.220.74.71 to any
pass in quick on $externa inet proto { tcp,udp } from 72.20.53.133 to any
pass in quick on $externa inet proto { tcp,udp } from 67.21.95.74 to any
pass in quick on $externa inet proto { tcp,udp } from 68.168.114.252 to any
pass in quick on $externa inet proto { tcp,udp } from 67.21.95.84 to any
pass in quick on $externa inet proto { tcp,udp } from 46.166.140.109 to any
pass in quick on $externa inet proto { tcp,udp } from 67.220.74.71 to any port 30999

#LIBERAR ACESSO CONFIGURA..O RED5
pass in quick on $externa inet proto { tcp,udp } from any to any port 5080

# PROXYSCAN
pass out quick on $externa inet proto { tcp,udp } from any to any port { 23, 80, 1080, 3128, 8080 }

# IRCDS
pass in  quick on $externa inet proto tcp from any to 192.184.40.226 port $40_226 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.227 port $40_227 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.228 port $40_228 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.229 port $40_229 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.230 port $40_230 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.231 port $40_231 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.232 port $40_232 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.233 port $40_233 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.234 port $40_234 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.235 port $40_235 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.236 port $40_236 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.237 port $40_237 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.238 port $40_238 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.239 port $40_239 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.240 port $40_240 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.241 port $40_241 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.242 port $40_242 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.243 port $40_243 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.244 port $40_244 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.245 port $40_245 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.246 port $40_246 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.247 port $40_247 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.248 port $40_248 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.249 port $40_249 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.250 port $40_250 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.251 port $40_251 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.252 port $40_252 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.253 port $40_253 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.40.254 port $40_254 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.37.10 port $37_10 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.37.11 port $37_11 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.37.12 port $37_12 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.37.13 port $37_13 synproxy state flags S/SA
pass in  quick on $externa inet proto tcp from any to 192.184.37.14 port $37_14 synproxy state flags S/SA

# ACESSO EXTERNO (ENVIO DE EMAILS)
#pass out quick on $externa inet proto { tcp } from 67.43.224.66 to any port { 25, 110, 995, 6667 } modulate state

# ACESSO A TUDO - DNS afraid.org
pass in quick on $externa inet proto { tcp,udp,icmp } from { 66.252.5.14, 174.37.196.55, 208.78.69.112 } to any synproxy state
#pass out quick on $externa inet proto { tcp,udp,icmp } from any to { 66.252.5.14, 174.37.196.55, 208.78.69.112 } synproxy state

# ACESSO A TUDO - Whois.nic.br
pass in quick on $externa inet proto { tcp,udp,icmp } from 200.160.2.3 to any synproxy state
#pass out quick on $externa inet proto { tcp,udp,icmp } from any to 200.160.2.3 synproxy state

# ACESSO AO NTP.BR
#pass in quick on $externa inet proto { tcp,udp,icmp } from { a.ntp.br,b.ntp.br,c.ntp.br,www.webmin.com,216.34.181.97 } to any
#pass out quick on $externa inet proto { tcp,udp,icmp } from any to { a.ntp.br,b.ntp.br,c.ntp.br,www.webmin.com,216.34.181.97 }

Thank you.
 
For a quick glance at the rules, I can't spot anything that jumps out. As far as panics, I've had non-sensical reply-to/route-to statements cause a panic for me on 9.1-RELEASE if I remember right. I've had doing a reload after messing around with adding and removing anchor rules cause a panic on 10.0-STABLE.

What I would suggest doing a bit of a stress test between using pfctl -f /etc/pf.conf and service pf reload. The former just reloads rules while the latter flushes out everything but state entries before loading the rules (see what in the script /etc/rc.d/pf). Maybe the reload will flush out everything that could conflict. If it is reproducible and you can comment rules out and reload multiple times you can probably narrow down what is causing issues.

With regards to order, if it doesn't complain you should be fine. If you look at how it re-orders everything given the ruleset-optimization using pfctl -s rules or pfctl -sr for short you can probably reorder or shorten it. As far as the rules, the synproxy directive is generally not something you want to do in most cases. Is there a reason you are using it everywhere? It makes sense as a potential response to an in progress DDoS but should be avoided during normal use.
 
First of all, thank you for your answer.
Yes, I'm using synproxy state due to DDoS attacks.
I have checked all the config over again and made some changes. Last time I flushed pf, all went fine.
I think that maybe what was causing the panic was because I was using a "pass in quick" rule before the "block in all" rule.
I moved the "block in all" first, and all the rest "pass in quick" after. Seems to be fine.

Thank you.
 
You must log in or register to reply here.
Back
Top