PF 阻挡标志

PF 阻挡标志

FreeBSD 12服务器,我开始注意到普法正在阻止Flags [FP.],日志中充斥着类似这样的内容:

00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.59.122.48894: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 141.101.98.92.16036: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.89.53.45136: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.88.60.43016: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.89.101.58320: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.179.50.21756: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.91.39.18516: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.90.202.25684: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 172.69.226.63.52316: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000003 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.90.202.25662: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP
00:00:00.000005 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 198.41.242.26.29508: Flags [FP.], seq 0:187, ack 1, win 65535, length 187: HTTP

知道为什么会发生这种情况吗?

规则 2 是

@2 block drop log all

服务器主要运行HAproxy以下设置/etc/sysctl.conf

debug.debugger_on_panic=0
debug.trace_on_panic=1
kern.ipc.shmmax=2147483648
kern.ipc.somaxconn=32768
kern.panic_reboot_wait_time=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim=10
net.inet.icmp.log_redirect=0
net.inet.icmp.maskrepl=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.tcp.blackhole=2
net.inet.tcp.drop_synfin=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.finwait2_timeout=1000
net.inet.tcp.msl=2500
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.recvbuf_inc=16384
net.inet.tcp.recvbuf_max=134217728
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.sendbuf_max=134217728
net.inet.udp.blackhole=1
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
security.bsd.see_jail_proc=0
security.bsd.stack_guard_page=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
net.inet.tcp.mssdflt=1460
net.inet.tcp.minmss=536
net.inet.tcp.syncache.rexmtlimit=0
net.inet.ip.maxfragpackets=0
net.inet.ip.maxfragsperpacket=0
net.inet.tcp.abc_l_var=44
net.inet.tcp.initcwnd_segments=44
kern.ipc.maxsockbuf=614400000
net.inet.tcp.syncookies=1
net.inet.tcp.tso=1
kern.random.fortuna.minpoolsize=256
net.inet.tcp.isn_reseed_interval=123

这些是pf添加pass前面的规则block(规则 2 现在是规则 7)

scrub in all no-df max-mss 1440 fragment reassemble
block drop in log on ! bge0 inet6 from 2001:4ba0:85a3:105::/64 to any
block drop in log on bge0 inet6 from fe80::eeeb:b8ff:fe87:9514 to any
block drop in log inet6 from <__automatic_2bacaf44_0:7> to any
block drop in log on ! bge0 inet from 213.59.241.128/25 to any
block drop in log inet from 213.59.241.172 to any
pass quick from <allow:5> to any flags S/SA keep state (if-bound)
block drop log all
block drop quick from <banned:0> to any
block drop quick from <bruteforce:0> to any
block drop in log quick from no-route to any
block drop in quick on bge0 proto tcp all flags FPU/FSRPAUEW
block drop in quick on bge0 proto tcp all flags FSRPAUEW/FSRPAUEW
block drop in quick on bge0 proto tcp all flags FSRAU/FSRPAUEW
block drop in quick on bge0 proto tcp all flags /FSRPAUEW
block drop in quick on bge0 proto tcp all flags SR/SR
block drop in quick on bge0 proto tcp all flags FS/FS
pass in quick on bge0 proto tcp from any to any port = http flags S/SA keep state (if-bound)
pass in quick on bge0 proto tcp from any to any port = https flags S/SA keep state (if-bound)
pass in quick on bge0 proto tcp from any to any port = 2222 flags S/SA keep state (if-bound)
pass in quick proto ipencap all keep state (if-bound)
pass inet proto icmp all icmp-type echoreq keep state (if-bound)
pass inet proto icmp all icmp-type unreach keep state (if-bound)
pass proto ipv6-icmp all keep state (if-bound)
pass out quick proto tcp all flags S/SA keep state (if-bound)
pass out all flags S/SA keep state (if-bound)

对于此行:

pass quick from <allow:5> to any flags S/SA keep state (if-bound)

允许是table,类似于:

group1 = "10.0.0.4"
group2 = "5.19.152.31 95.116.0.173:"
table <allow> { $group1, $group2 }

我注意到的是,甚至在pass之前我也有block

pass quick from <allow:5> to any flags S/SA keep state (if-bound)
block drop log all

一些“允许”的群组被阻止,例如:

00:00:00.589761 rule 7/0(match): block out on bge0: 213.59.241.172.4567 > 5.19.152.31.61847: Flags [RP.], seq 2:81, ack 0, win 0, length 79

是,在这种情况下,是在表中rule 7,但被阻止block drop log all5.19.152.31allow

因此,想知道如何在被阻止之前完全允许/跳过某些 IP、网络范围。

答案1

看起来 Pf 对这些 TCP 流的看法与对等的 TCP/IP 堆栈的看法不匹配。

我推荐…

  1. state-mismatch当您在日志中看到这些条目时,检查是否有所增加,例如:

    sudo pfctl -s info | fgrep -- state-mismatch
    

    当然,-s info也要检查其他计数器,例如,确保没有因为内存压力而修剪状态。

  2. scrub至少在调试该问题时将其完全消除。

如果除了日志混乱之外还有什么问题,或者你非常希望流量自由流动,不被 Pf 抛弃,你可以添加明确的pass … no state捕捉规则,当然是根据您的喜好量身定制的。

答案2

我建议从这个配置开始(是的,我跳过了 mtu 调整,直到你解释为什么选择 1440 大小),因为你的配置一团糟:

oif = "bge0"

# because you don't want to filter localhost
set skip on lo0

# because it's a default rule
block drop log all

# because you don't want to drop ICMP
pass proto icmp all

# or ICMP6
pass proto ipv6-icmp all

# okay then
block drop quick from <banned:0> to any
block drop quick from <bruteforce:0> to any

# because you need ssh (is the 2222 new port for ssh ? Jeezus, use blacklistd)
pass in on $oif proto tcp from any to any port 22

# because flags S/SA and keep state is the default
pass in on $oif proto tcp from any to any port { 80, 443, 2222 }

# because you need to configure both ends with ipinip, so why bother about states
pass in on $oif proto ipencap all

# because you want to allow all the locally-originated sessions
pass out all

相关内容