8th May 2012
kbeaucha (Port Guard)
authpf, authpf.rules unable to modify filters

Hello all:

I am wondering if anyone has seen symptoms like these.

I use authpf to open access to users who authenticate to our firewall. Since we have many different groups to manage, I have created /etc/authpf/users/Templates where I keep rulesets for the different groups and then in individual users' /etc/authpf/users/Username directories I just create a symbolic link to the appropriate file in Templates. It's worked for quite a while.

Today a user called and said that their putty session would close immediately after they had logged in. In /var/log/daemon I saw:

May 8 11:47:02 our-fw authpf[14121]: pfctl exited abnormally

First I logged in with my authpf account and had no trouble getting authenticated. Since my account links to a different ruleset file, I then created an account that linked to the same ruleset as my other user and got this when I logged in:

pfctl: DIOCXCOMMIT: Device busy
Unable to modify filters

After some tinkering, it seems that if I have a table defined in the authpf ruleset file, pfctl can't load the changes.

I suspect that if I reboot our firewall, this will go away but I'd like to see if I can diagnose the problem better. Any suggestions on other things to investigate?

thx
kmb

Last edited by kbeaucha; 8th May 2012 at 08:33 PM. Reason: correct typo.
8th May 2012
jggimi (More noise than signal)

Googling for
Code:
pftcl: DIOCXCOMMIT: Device busy
returns only one reported problem, the source of which was an incorrectly upgraded system; the kernel and userland were incompatible. So one possible reason for the error is a Frankensystem. You might want to ensure your /sbin/pfctl and your kernel are from the same -release.

If you are certain your software is in sync, the next step would be to grep through the pfctl and PF source code to determine the logic that would produce the message. You will find pfctl(8) source in src/sbin/pfctl, and pf(4) source in src/sys/net.

Last edited by jggimi; 8th May 2012 at 07:19 PM. Reason: typo
8th May 2012
jggimi (More noise than signal)

Hah. No wonder only one hit. Well, two, but duplicate finds. You had a typo in your error message. Try Googling with "pfctl" instead of "pftcl". Lots more hits. Including the pf(4) man page. Highlight mine:
Quote:
DIOCXCOMMIT struct pfioc_trans *io

Atomically switch a vector of inactive rulesets to the active rulesets. This call is implemented as a standard two-phase commit, which will either fail for all rulesets or completely succeed. All tickets need to be valid. This ioctl returns EBUSY if another process is concurrently updating some of the same rulesets.
8th May 2012
kbeaucha (Port Guard)

Sorry - finger trouble. Just washed my hands and can't do a thing with 'em.

So, one possibility is that another process is updating the same rules, which makes me look at my sym-linking of ruleset files. But, as far as I know, we've had multiple users in the same group (same linked file) online simultaneously before with no issues.

kmb
8th May 2012
kbeaucha (Port Guard)

Still thinking about the linking and realized that I may have excluded the possibility of this being the problem.

When I wanted to do more testing I copied user.rules to broken.rules - and my test account was the only one linked to that file.
8th May 2012
jggimi (More noise than signal)

OK; if multiple users of your symlinked tree are not the cause, then let's start over. You won't need clean hands.
  1. What's the output of $ ls -l /sbin/pfctl ?
  2. What's the output of $ sysctl kern.version ?
9th May 2012
kbeaucha (Port Guard)

1. What's the output of $ ls -l /sbin/pfctl ?

-r-xr-xr-x 1 root bin 528664 Aug 17 2011 /sbin/pfctl

2. What's the output of $ sysctl kern.version ?

kern.version=OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011
deraadt@amd64.openbsd.org:/usr/src/s...ile/GENERIC.MP
9th May 2012
jggimi (More noise than signal)

OK ... pfctl and the kernel are in sync, you do not appear to have a Frankensystem.

At this point I believe you have five options you may select from. And you may select more than one.
  1. Review the source code to determine the logic that is occurring to produce the error, to aid with root cause determination and (if you are a C programmer) perhaps develop and submit a patch if a flaw in logic is uncovered. Even if you do not find the trouble and develop a fix on your own, this may help should you avail yourself of options 2 or 3 and that results in patches being sent to you by a developer for testing.
  2. Post an informal problem report to the misc@ mailing list to ask advice, similarly to what you have done here. You will need to include more information than you've posted here, however. Minimally, you should post a complete dmesg and a clarified description of the symbolic structure you've touched on here.
  3. Post a formal problem report. The problem tracking database is currently shut down so sendbug(1) may be used as the fill-in-the-blanks form with the results mailed to the bugs@ mailing list.
  4. Upgrade the gateway platform (or a test gateway) to 5.1-release, and then to -current, in order to determine if the problem has been eliminated with code committed since August of last year, when 5.0 was readied for release.
  5. Wait and hope someone else replies here.
9th May 2012
jggimi (More noise than signal)

Oops, forgot to add helpful links, on problem reporting and using the mailing lists:

http://www.openbsd.org/report.html
http://www.openbsd.org/mail.html
9th May 2012
kbeaucha (Port Guard)

I just tried to recheck my main ruleset with "sudo pfctl -nf /etc/pf.conf" and got this message:

pfctl: Current pool size exceeds requested hard limit
9th May 2012
jggimi (More noise than signal)

Ah, hah!

$ man pf.conf
/set limit
9th May 2012
jggimi (More noise than signal)

Once again -- forgot to give you a link. Defaults are described here in the PF User's Guide:

http://www.openbsd.org/faq/pf/options.html
9th May 2012
kbeaucha (Port Guard)

I wanted to see if I could free up some memory space without restarting the firewall.

The man page for pfctl says I can use -F to flush specific types of items, including states, but I couldn't see how to report what the current usage level is. I was interested in this because if I'm going to set the option I want to have an idea of what the system is using now.
9th May 2012
jggimi (More noise than signal)

See if the pfctl -s or -vs info option is of aid. Systat has pf views, also. Those are the first that come to mind, I'm sure there are plenty of additional tools.
10th May 2012
kbeaucha (Port Guard)

I ran pfctl -vs and saved the output, but I could not map the entries there to a particular pool used by pf. At the same time I had more users calling with problems, so first I tried:

sudo pfctl -F all
sudo pfctl -f /etc/pf.conf

which just returned the same "pfctl: Current pool size exceeds requested hard limit" message. Then:

sudo pfctl -d
sudo pfctl -e

which didn't make any difference either. After that I rebooted the whole firewall.

The problem is gone (for now).

Thanks for your help.

kmb

Last edited by kbeaucha; 10th May 2012 at 07:20 PM. Reason: Add the disable/enable steps
10th May 2012
jggimi (More noise than signal)

Quote:
The problem is gone (for now).
It will come back.

What was the output of # pfctl -vs info ?
10th May 2012
kbeaucha (Port Guard)

Omitting the Filters and States info, here's the contents:

Quote:
SOURCE TRACKING NODES:
2xx.2xx.2xx.2xx ( states 1, connections 1, rate 0.0/15s )
age 01:27:04, 3179 pkts, 245041 bytes, rule 23

INFO:
Status: Enabled for 70 days 22:37:59 Debug: err

Hostid: 0x15eae5c6
Checksum: 0x9b99f13557076d1b96d1485fa56fcb1e

State Table Total Rate
current entries 194
searches 11607351726 1893.7/s
inserts 6858155 1.1/s
removals 6857961 1.1/s
Source Tracking Table
current entries 1
searches 7580 0.0/s
inserts 2305 0.0/s
removals 2304 0.0/s
Counters
match 9875286688 1611.1/s
bad-offset 0 0.0/s
fragment 201 0.0/s
short 7597829 1.2/s
normalize 202 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 35048 0.0/s
proto-cksum 0 0.0/s
state-mismatch 30788 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 306 0.0/s
synproxy 0 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 60 0.0/s
max-src-conn-rate 249 0.0/s
overload table insertion 306 0.0/s
overload flush states 306 0.0/s

TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s

LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000

TABLES:
-pa---- ACU_MAC
-pa-r-- AX_SRV
-pa-r-- AX_STN
-pa-r-- BOGONS
-pa---- BUCCC
-pa-r-- DBLINK
-pa-r-- DEPT
-pa---- DMZ
-pa-r-- FTP
-pa-r-- HRIF_USR
-pa-r-- JAIL
-pa-r-- ME
-pa-r-- PRINT_SRV
-pa-r-- PRIV_DHCP
-pa-r-- PSCL
-pa-r-- R2_SRV
-pa-r-- R2_STN
-pa-r-- SHARE_SRV
-pa-r-- SHARE_STN
-pa-r-- TELNET
--a-r-- TIMBUK_SRV
--a-r-- TIMBUK_STN
-pa-r-- TS_SRV
-pa-r-- TS_STN
-pa-r-- UNI_SRV

OS FINGERPRINTS:
700 fingerprints loaded
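A usage check in the spirit of jggimi's `pfctl -vs info` suggestion, added here as an example and not part of the thread: it reads the `current entries` lines that `pfctl -s info` prints for the state and source-tracking tables and the `hard limit` lines from `pfctl -s memory`, then flags any pool at or above a chosen percentage of its limit, so a creeping pool can be noticed before pfctl refuses a reload. The sample input is constructed from the output posted above; the `pf_usage` function name and the 80% default threshold are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. On a live gateway replace SAMPLE
# with the real output:  { pfctl -s info; pfctl -s memory; }
# The sample below is constructed from the numbers posted in the thread.
SAMPLE='State Table                          Total             Rate
  current entries                          194
Source Tracking Table
  current entries                            1
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# pf_usage [threshold-percent]
# Prints "pool current / limit percent" for the states and src-nodes pools
# and exits 1 when any pool is at or above the threshold (default 80%).
pf_usage() {
    threshold=${1:-80}
    printf '%s\n' "$SAMPLE" | awk -v thr="$threshold" '
        # remember which pfctl -s info table the next "current entries" belongs to
        /^State Table/       { pool = "states" }
        /^Source Tracking/   { pool = "src-nodes" }
        /current entries/    { cur[pool] = $3 }
        # pfctl -s memory lines: "<pool> hard limit <n>"
        /hard limit/         { lim[$1] = $NF }
        END {
            rc = 0
            for (p in cur) {
                if (!(p in lim) || lim[p] == 0) continue
                pct = cur[p] * 100 / lim[p]
                printf "%-10s %8d / %8d  %5.1f%%\n", p, cur[p], lim[p], pct
                if (pct >= thr) rc = 1
            }
            exit rc
        }'
}

pf_usage "$@"
```

If a pool is genuinely near its limit, the pf.conf entry jggimi points to (`set limit`, e.g. `set limit states <n>`) is where the hard limit is raised.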