DaemonForums  


OpenBSD Security Functionally paranoid!

#1
21st March 2012
Droid, New User

Identify rules to behaviour

Hi everyone,

I was curious if there is a way with PF to identify which rule reacts to a specific network action.
The situation I am facing here is heavy latency when connecting to a specific website. When I disable PF on my box, everything goes smoothly.. So probably there is a conflict between at least 2 rules..

If someone has any idea of how to debug this, it would be cool, as it is really the first time I am facing that kind of crap..

Thanks
#2
21st March 2012
jggimi, More noise than signal (USA)

  1. Log both your pass rules as well as your block rules.
  2. # tcpdump -neti pflog0 host ip.address.of.interest

     You will see block/pass rules applied to initial state packets for that IP address. If PF rules do not seem to point to a problem source, then use tcpdump(8) on the NIC:
  3. # tcpdump -neti nic host ip.address.of.interest
#3
23rd March 2012
Droid, New User

Thanks jggimi,
I can see that my packets are passing through and not blocked. However, I still have latency when trying to connect to this specific web site.
At the first connection, it loads correctly, and then when hitting links it hangs. The browser shows 'thinking' for ever....

Any ideas would be great ..
Thanks,
#4
24th March 2012
jggimi, More noise than signal (USA)

"Hang" and "Thinking forever" are not how I would define the term "latency".

You have described a breakdown in communication. You have also asked how to diagnose it.

I would look for a root cause by first determining what those "links" are that you describe, to determine what they do. HTTP? URLs? Javascript code? Java applet execution? Lotus Notes URIs? FTP URLs? Gopher?..... "Link" is too generic, ain't it?

If and only if you have determined that you do, indeed, have a networking problem, instead of an application problem, then you can move to Step 3, above. One exception: if these are FTP URLs which fail for you and your users, I would look to your PF configuration once more. See the PF Users Guide chapter on Issues with FTP.
#5
25th March 2012
Droid, New User

You are right jggimi, I was not precise enough in my description.. It is also because I have difficulties identifying the real cause. I will try to detail a bit more:
I am talking about an https link that points to an open source application.
This application is based on:
CentOS, Apache2, MySQL, phpMysql, Perl.
Consider the DB server installed separately from the www server.
That environment is facing the internet.
When connecting from anywhere on the net, the application (meaning the web interface) does not hang. But when connecting from behind the OBSD box, it hangs after a few minutes... I did try to sniff on one of the machines connecting from behind the box and I can see many bad TCP (TCP retransmission, TCP Dup Ack).
Usually it is at those steps that the page starts to hang. From outside (meaning anywhere on the net) I noticed the same bad TCP, but it does not hang.
If I disable pf, the app works fine....
From behind the box any access to internet web sites is good.
Hope I was clearer here.. Thanx
#6
25th March 2012
jggimi, More noise than signal (USA)

From your somewhat better description, it appears to me that your PF configuration is not handling TCP retransmissions or TCP fragments properly.

I would look to any settings you may have copied/pasted from someone else's PF configuration. Flags on rules affect state table management. Scrub rules affect packet fragments, reassembly, and traffic normalization. Runtime options could also be a cause.

Since you have not shared your pf.conf file, this is all just a wild guess, of course. If you decide to share it, just redact any "real" IP addresses or other identifying information.
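A pf.conf fragment, added here as an illustration and not taken from Droid's box or from jggimi's posts, showing the two things the thread points at: every block and pass rule carries `log` so its decision lands on pflog0 for the `tcpdump -neti pflog0` check from post #2, and the reassemble, scrub and flags settings from post #6 that decide how fragments and retransmitted TCP segments are handled. Interface names (em0, em1) and the 203.0.113.10 address are placeholders.

```pf
# Constructed example pf.conf fragment (OpenBSD 4.7+ syntax); not a real ruleset.
# Interface names and addresses are placeholders.
ext_if = "em0"                 # placeholder: interface facing the internet
int_if = "em1"                 # placeholder: interface facing the LAN
webapp = "203.0.113.10"        # placeholder: the HTTPS application host

# Runtime options. "set reassemble yes" is the default: IP fragments are
# reassembled before rules are evaluated. With it set to "no", each
# fragment is matched on its own, which is one way to break a site that
# sends fragmented traffic.
set reassemble yes
set skip on lo

# Traffic normalization. "reassemble tcp" makes PF statefully normalize
# TCP connections (sequence numbers, timestamps), which changes how
# out-of-order and retransmitted segments are treated. "max-mss" clamps
# the MSS for paths with a smaller MTU.
match in all scrub (no-df random-id max-mss 1440 reassemble tcp)

# NAT for LAN clients leaving through the external interface.
match out on $ext_if inet from $int_if:network nat-to ($ext_if)

# Default deny, logged: every drop shows up on pflog0.
block log all

# Pass rules are logged too, so
#   # tcpdump -neti pflog0 host 203.0.113.10
# shows which rule created state for the SYN of each new connection.
# "flags S/SA keep state" is the TCP default on OpenBSD; it is written
# out because a ruleset copied from elsewhere with other flags, or with
# "no state", changes what the state table does with retransmissions.
pass in log quick on $int_if inet proto tcp from $int_if:network to $webapp port 443 flags S/SA keep state
pass out log quick on $ext_if inet proto tcp to $webapp port 443 flags S/SA keep state

# Everything else the LAN needs out, logged as well.
pass in log on $int_if inet from $int_if:network to any
pass out log on $ext_if inet from ($ext_if) to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch pflog0 while reproducing the hang; a pass rule creating state followed by no further log entries means the later segments are being matched by state, not by rules.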