pfSense bugtracker (feed updated 2016-09-06T07:28:05Z)
pfSense - Bug #6769: Crash PacketFilter in bridge mode
Update by Jim Pingle, 2016-09-06T07:28:05Z: https://redmine.pfsense.org/issues/6769?journal_id=28805
<ul><li><strong>Category</strong> changed from <i>Gateways</i> to <i>Rules / NAT</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Priority</strong> changed from <i>Urgent</i> to <i>Normal</i></li><li><strong>Target version</strong> deleted (<del><i>2.3.2-p1</i></del>)</li></ul><p>Does it require that specific combination of settings? Or does it still crash with only one of them active? Or two? Or three?</p>
<p>We need some more solid information.</p>
<p>I could see synproxy failing on a bridge on its own because of how it operates. You can't proxy on a bridge because the traffic isn't destined for the firewall. The local client sends the packets straight to its gateway, which is upstream and not pfSense, and the same in the other direction: the gateway sends straight to the client. A proxy-style handoff such as that requires that both sides address traffic to the firewall (e.g. routed, NAT, etc., but not bridged). I'd remove that option first.</p>
<p>If synproxy is to blame we may have to work out some input validation to reject it on a bridge member interface since it's not likely to be fixable in that use case.</p>
Update by Johann MONNIER, 2016-09-06T09:02:55Z: https://redmine.pfsense.org/issues/6769?journal_id=28808
<p>Synproxy is not the setting that causes the problem, because I left it on and I do not have the problem.<br />And for information, synproxy on a bridge works even after testing with a spoofed synflood. If disabled, the spoofed synflood reached the target; if it is activated, it does not reach the target.</p>
<p>The problem can be found in the following settings:<br />Max. 40 connections<br />Max. src. Conn. Rate 60<br />Max. src. Conn. 4 Rates<br />State timeout 3</p>
<p>I think it is the state timeout that is problematic.</p>
<p>Also, I had the same problem on a rule that worked great with the above advanced settings but with only state timeout 6, when I set the firewall to "aggressive" and the packet filter went down. I had to remove the advanced settings of the rules and restart pfSense.</p>
Update by Jim Pingle, 2016-09-06T09:04:11Z: https://redmine.pfsense.org/issues/6769?journal_id=28809
<p>Can you isolate it to just one of those options then? Or does it require them all? Can you disable/enable them to see if they each crash on their own or if it takes a specific set?</p>
Update by Johann MONNIER, 2016-09-06T09:25:24Z: https://redmine.pfsense.org/issues/6769?journal_id=28812
<p>I think the problem is with all parameters set, and the most probable scenario is that if the number of connections goes over the setting set in advanced (with the parameter state timeout 3), then the packet filter crashes.</p>
<p>I don't have the possibility to try because my system is in production.</p>
<p>I propose you try these settings to reproduce the problem quickly:</p>
<p>Max. 10 connections<br />Max. src. Conn. Rate 10<br />Max. src. Conn. Rates 30<br />State timeout 3</p>
<p>If you want, I have the possibility to set up the same system on another server for you to test.</p>
Update by Johann MONNIER, 2016-09-07T04:28:17Z: https://redmine.pfsense.org/issues/6769?journal_id=28836
<p>I confirm that it crashes if you set the advanced parameters, but randomly, for an unknown reason. I have rebooted pfSense five times and it crashed again, but deleting the advanced rules solved the problem.</p>
<p>And strangely, now if I set synproxy, no connection is possible to reach the webserver. Yet this parameter was set during nine days of uptime and operational with the synflood in bridge mode.</p>
<p>I think you should look seriously at the problem in bridge mode. I guess no one uses this method, because it seems strange to me at this stage of the pfSense version to meet such unstable behavior...</p>
Update by Johann MONNIER, 2016-09-12T05:01:13Z: https://redmine.pfsense.org/issues/6769?journal_id=28856
<p>OK, without advanced settings set in the rules on the firewall there are no more crashes. Now it's stable.</p>
Update by Jim Thompson (jim@netgate.com), 2016-11-03T21:46:59Z: https://redmine.pfsense.org/issues/6769?journal_id=29212
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li></ul>
Update by Jim Pingle, 2016-11-09T11:01:32Z: https://redmine.pfsense.org/issues/6769?journal_id=29346
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li><li><strong>Assignee</strong> deleted (<del><i>Jim Pingle</i></del>)</li></ul><p>I can reproduce this somewhat here on 2.3.2. With a WAN/LAN style bridge, putting <code>synproxy</code> on a TCP rule will eventually kill traffic to the firewall. The other advanced parameters appeared to be fine without <code>synproxy</code>, the client ended up in the <code>virusprot</code> table as expected when violating the limits. Clear them out of the table and they're fine.</p>
<p>It's fairly easy to reproduce: Set up a WAN/LAN bridge (WAN=bridge0, other interfaces are bridge members with no IP address), IP address on the bridge, filtering on the bridge only. Add a TCP rule to pass with <code>synproxy</code>, put a client on WAN and a client on LAN, run iperf from the WAN client to the LAN server; after a couple of iterations the GUI will not be reachable until pf is disabled and the <code>synproxy</code> rule is removed or disabled.</p>
<p>That said, as I mentioned before, using <code>synproxy</code> on a bridge is likely to be a problem in general. A bridge cannot proxy properly as the host with the bridge is not the true destination for the traffic. Though since it works partially and then fails, there may be some other factor at play.</p>
<p>And above all of that, I cannot reproduce it at all on 2.4. The exact same configuration that has a problem on 2.3.2 works fine on 2.4, I never lose contact with anything. So I'm closing this out.</p>
Update by Jim Pingle, 2016-11-09T11:07:26Z: https://redmine.pfsense.org/issues/6769?journal_id=29347
<ul><li><strong>Target version</strong> set to <i>2.4.0</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li><li><strong>Affected Version</strong> set to <i>2.3.2</i></li></ul>
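As an added defensive check (not pfSense's own code and not from this tracker), this shell function scans `pfctl -sr` output for the combination Jim Pingle reproduces above, a `synproxy state` rule on a bridge interface, so an operator can spot it before pf stops passing traffic; the sample rule lines and the interface names are constructed.

```shell
#!/bin/sh
# Added example (not pfSense code): flag pf rules that combine "synproxy state"
# with a bridge or bridge-member interface, the condition this thread associates
# with pf locking up on a WAN/LAN bridge on 2.3.2.

# Constructed sample of `pfctl -sr` output (not captured from a real firewall).
# Rule 1 is the risky combination; rule 2 keeps the same overload limits but
# without synproxy; rule 3 uses synproxy on a non-bridge interface.
SAMPLE_RULES='pass in quick on bridge0 inet proto tcp from any to 192.0.2.10 port = http flags S/SA synproxy state (source-track rule, max 40, max-src-conn 4, max-src-conn-rate 60/4, overload <virusprot> flush global)
pass in quick on bridge0 inet proto tcp from any to 192.0.2.10 port = https flags S/SA keep state (source-track rule, max 40, max-src-conn-rate 60/4, overload <virusprot> flush global)
pass in quick on em1 inet proto tcp from any to 192.0.2.20 port = ssh flags S/SA synproxy state'

# find_synproxy_on_bridge IFACES
#   IFACES: space-separated interface names to treat as bridge-related
#   (e.g. "bridge0 em0 em1"); rules are read from stdin, matches are printed.
find_synproxy_on_bridge() {
    awk -v ifs="$1" '
        BEGIN { n = split(ifs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /synproxy state/ {
            # the interface follows the "on" keyword; scan every field for it
            for (i = 1; i < NF; i++)
                if ($i == "on" && ($(i + 1) in want)) { print; break }
        }'
}

# Demo run against the constructed sample; on a live firewall use:
#   pfctl -sr | find_synproxy_on_bridge "bridge0 em0 em1"
printf '%s\n' "$SAMPLE_RULES" | find_synproxy_on_bridge "bridge0"
```

Any line it prints is a rule that the thread suggests should either drop `synproxy` or move off the bridge; an empty result means no such rule is loaded.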