Bug #6769: Crash PacketFilter in bridge mode - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #6769

closed

Crash PacketFilter in bridge mode

Added by Johann MONNIER over 7 years ago. Updated over 7 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Rules / NAT

Target version:

2.4.0

Start date:

09/06/2016

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.3.2

Affected Architecture:

amd64

Description

Hi,

I have configured pfsense in bridge mode on the Vmware Vsphere. The VM of Pfsense have 8Go of memory and one socket with 8 cores.
For reproduce this bug, just install a fresh version of pfsense 2.3.2 and configure WAN and bridge with LAN.
set:
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1

Now, create a VM on the LAN and attribute IP (137.74.245.50).
Install on the VM LAN web service of your choice (Nginx, Apache, etc).

Create a firewall rule on the bridge interface, Allow all source to VMWEB and HTTP port only.
So far, no problems.
BUT now, open this rule and configure advanced paraméter with that :

Max. connections 40
Max. src. conn. Rate 60
Max. src. conn. Rates 4
State timeout 3
State type Synproxy

Well, now apply this rule and create traffic on web service.
Wait, after randomly minutes, Packfilter crash and all connectivity are broken even pfsense gui.
The solution for unblock this situation:
open shell and disable packetfilter : pfctl -d
and delete advanced configuration of rule create before.

History
Notes
Property changes

Actions

Copy link

Updated by Jim Pingle over 7 years ago

Category changed from Gateways to Rules / NAT
Status changed from New to Feedback
Priority changed from Urgent to Normal
Target version deleted (~~2.3.2-p1~~)

Does it require that specific combination of settings? Or does it still crash with only one of them active? or two? or three?

We need some more solid information.

I could see synproxy failing on a bridge on its own because of how it operates. You can't proxy on a bridge because the traffic isn't destined for the firewall. Local client sends the packets straight to its gateway, which is upstream and not pfSense, and same in the other direction: gateway sends straight to the client. A proxy style handoff such as that requires both sides address traffic to the firewall (e.g. routed, NAT, etc, but not bridged). I'd remove that option first.

If synproxy is to blame we may have to work out some input validation to reject it on a bridge member interface since it's not likely to be fixable in that use case.

Actions

Copy link

Updated by Johann MONNIER over 7 years ago

Synproxy is not the setting that problem because I left it on and I do not have the problem.
and for information synproxy bridge works even after testing to make synflood spoof. If disabled, the spoofer synflood reached the target, if it is activated, it does not reach the target.

The problem can be found in the following settings:
Max. 40 connections
Max. src. Conn. Rate 60
Max. src. Conn. 4 Rates
State timeout 3

I think it is statetimeout problematic.

Also, I had the same problem on a rule that worked great with the above advanced settings but with only statetimeout 6 and when I passed the firewall to "aggressive" and Packet filter is down. I had to remove the advanced settings of the rules and restart pfsense.

Actions

Copy link

Updated by Jim Pingle over 7 years ago

Can you isolate it to just one of those options then? Or does it require them all? Can you disable/enable them to see if they each crash on their own or if it takes a specific set?

Actions

Copy link

Updated by Johann MONNIER over 7 years ago

i think the problem is with all parameter set and the scenario most probability than is if number connexion over the setting set in advanced (with the parameter statetimeout 3) than packet filter crash.

I don't have possibility to try because my system is in production.

i purpose you try with this setting for reproduce fastly the problème:

Max. 10 connections
Max. src. Conn. Rate 10
Max. src. Conn. Rates 30
State timeout 3

if you want, i have possibility to set up the same système on a other server for you and test

Actions

Copy link

Updated by Johann MONNIER over 7 years ago

I confirm than crash if you set advanced parameter but randomly... for unknow reason. I have reboot five time pfsense and crash again but i delete advanced rules solve the problem.

And strange, now if i set synproxy dont connection is possible to reach webserver. Or this parameter are set pending uptime nine day and opérationnal with the synflood in bridge mode.

I Think look seriously at the problem in bridge mode. I guess no one uses this method because it seems strange to me at this stage of the pfsense version to meet an unstable behavior...

Actions

Copy link

Updated by Johann MONNIER over 7 years ago

Ok, without advanced settings set in the rules on the firewall not more crash. Now it's stable.

Actions

Copy link

Updated by Jim Thompson over 7 years ago

Assignee set to Jim Pingle

Actions

Copy link

Updated by Jim Pingle over 7 years ago

Status changed from Feedback to Resolved
Assignee deleted (~~Jim Pingle~~)

I can reproduce this somewhat here on 2.3.2. With a WAN/LAN style bridge, putting synproxy on a TCP rule will eventually kill traffic to the firewall. The other advanced parameters appeared to be fine without synproxy, the client ended up in the virusprot table as expected when violating the limits. Clear them out of the table and they're fine.

It's fairly easy to reproduce: Setup a WAN/LAN bridge, (WAN=bridge0, other interfaces are bridge members with no IP address), IP address on the bridge, filtering on the bridge only. Add a TCP rule to pass with synproxy, put a client on WAN and a client on LAN, run iperf from the WAN client to LAN server, after a couple iterations the GUI will not be reachable until pf is disabled and the synproxy rule is removed or disabled.

That said, as I mentioned before, using synproxy on a bridge is likely to be a problem in general. A bridge cannot proxy properly as the host with the bridge is not the true destination for the traffic. Though since it works partially and then fails, there may be some other factor at play.

And above all of that, I cannot reproduce it at all on 2.4. The exact same configuration that has a problem on 2.3.2 works fine on 2.4, I never lose contact with anything. So I'm closing this out.

Actions

Copy link

Updated by Jim Pingle over 7 years ago

Target version set to 2.4.0
% Done changed from 0 to 100
Affected Version set to 2.3.2

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #6769

Crash PacketFilter in bridge mode

Updated by Jim Pingle over 7 years ago

Updated by Johann MONNIER over 7 years ago

Updated by Jim Pingle over 7 years ago

Updated by Johann MONNIER over 7 years ago

Updated by Johann MONNIER over 7 years ago

Updated by Johann MONNIER over 7 years ago

Updated by Jim Thompson over 7 years ago

Updated by Jim Pingle over 7 years ago

Updated by Jim Pingle over 7 years ago