overload clause does not adds IP to <table>

[joeves]

After 6 years using simple PF configs I did progress to tables and STO, but the content of the <block_perm> does not have new entries regardless what is happening on the EXT_NIC, EXT_IP. In addition to that it all works as it should (at least it appears to) so if there is triggered the one parameter in SSH_STO the machine which causes the triger can't access the SSH no more - still can ping.

It just is not possible to list/see the blocked IP with any tools available. Am I wrong or there is a bug? FreeBSD 8.2, ALTQ in kernel, i386.

SYN_ONLY="S/FSRA"
EXT_NIC="fxp0"
EXT_IP="192.168.100.70"
ALLOWED_IP="{ 192.168.100.224, 192.168.100.205, 192.168.100.229 }"
GATEWAY_IP="{ 192.168.100.1 }"
safe_ftp_dest ="{ 87.51.34.132, 204.152.184.73, 149.20.64.73 }"
safe_dns_dest ="{ 8.8.8.8, 8.8.4.4 }"
SSH_STO ="( max 3, source-track rule, max-src-states 3, max-src-nodes 3,\
max-src-conn-rate 3/60, overload <block_perm> flush global )"

# Note and example: Bellow are refered some services
# definition listed in /etc/services
# tcp_services = "{ domain, ftp, ftp-data }"
# udp_services = "{ domain }"

table <block_perm> persist

set skip on lo0
set ruleset-optimization none

block quick from <block_perm>
block all

match on $EXT_NIC all scrub \
(random-id min-ttl 64 set-tos reliability reassemble tcp)

antispoof log quick for $EXT_NIC

pass in quick on $EXT_NIC proto TCP from \
$ALLOWED_IP to $EXT_IP port 22 flags $SYN_ONLY keep state $SSH_STO

pass in log quick on $EXT_NIC proto icmp from \
$ALLOWED_IP to $EXT_IP icmp-type echoreq keep state

pass out log quick on $EXT_NIC proto tcp from \
$EXT_IP to $safe_dns_dest port {domain} keep state

pass out log quick on $EXT_NIC proto udp from \
$EXT_IP to $safe_dns_dest port {domain} keep state

pass out log quick on $EXT_NIC proto tcp from \
$EXT_IP to $safe_ftp_dest port {ftp} keep state

pass out log quick on $EXT_NIC proto tcp from \
$EXT_IP to $safe_ftp_dest port > 1023 keep state

 

[joeves]

Test of PF overload clause adding IP to <table>

Tested this.

set skip on lo0
table <oktest> { 10.18.100.100, 10.18.100.11 }
block drop all
pass in quick on em0 proto TCP from 10.18.100.99 to 10.18.100.95 \
port 22 keep state ( max-src-con-rate 2/60, overload <oktest> )

With Putty I access the .95 from .99 three times in minute and this is the result - finally.

# pfctl -sr
block drop all
pass in quick on em0 inet proto tcp from 10.18.100.99 to 10.18.100.95 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 2/60, overload <oktest>, src.track 60)

# pfctl -t oktest -Ts
   10.18.100.99           <<--- I spend 40 hours to get this line here 
   10.18.100.100
   10.18.100.111

Now I added "the rest" and it still works!

# options
set skip on lo0

table <oktest> persist

# normalization
scrub in all

#filtering
block quick from <oktest>
block all

antispoof log quick for em0

pass in quick on em0 proto TCP from 10.18.100.99 to 10.18.100.95 \
port 22 keep state ( max-src-conn-rate 2/60, overload <oktest> )

Well, now someone please help me formulate a conclusion. Why this works and the original ruleset in previous post not?