Date: Sat, 22 Sep 2001 17:08:20 +0200 (CEST)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: Chris Hardie <chris@summersault.com>
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: net.inet.ip.fw.one_pass=0 not effective in filtering bridge?
Message-ID: <200109221508.RAA66779@info.iet.unipi.it>
In-Reply-To: <Pine.BSF.4.40.0109220914270.79903-100000@nollie.summersault.com> from Chris Hardie at "Sep 22, 2001 09:15:54 am"
In fact one_pass does not work with bridging; it might be as simple as changing one line in bridge.c:

if (ip_fw_chk_ptr && bdg_ipfw != 0 && src != NULL) { struct ip *ip ; int i; - if (rule != NULL) /* dummynet packet, already partially processed */ + if (rule != NULL && fw_one_pass) goto forward; /* HACK! I should obey the fw_one_pass */

But I never had a chance to test it. If you want to give this a try, I'd be glad to know how it works.

cheers
luigi

> Hi. I've got a filtering bridge running on FreeBSD 4.3 with ipfw and
> a customized rc.firewall config. The setup has been working well for
> a while now. I was unfortunately alerted to a hole after a box behind
> the firewall was cracked because ports that I thought were
> protected...weren't.
>
> It turns out that traffic to/from the machine in question was being
> passed through a pipe early in the rc.firewall config, and that the
> ipfw processing terminated when the packets came out of the pipe, so
> they never saw the rules farther down that would have dropped those
> packets headed for bad places.
>
> A-ha! "Easy" you say - just do
> sysctl -w net.inet.ip.fw.one_pass=0
> and according to the ipfw man page, that will cause the packets to be
> re-injected into the firewall when they come out of the pipe, starting
> where they left off. Well, this just doesn't seem to be taking
> effect!
>
> I've crawled through docs and mailing lists. Setting
> net.inet.ip.fw.one_pass seems to be the common solution, but a few
> other people have mentioned the same ineffectiveness of that, and then
> those threads just drop off. So I'm wondering if it's possible that,
> because the kernel is compiled with "options BRIDGE", that packets are
> strictly only going through the firewall rules once, and that
> net.inet.ip.fw.one_pass=0 isn't having an effect in this case?
>
> If my wondering is in error, I'm looking for suggestions about how to
> verify the behavior I'm seeing and how to achieve the desired result: to
> use pipes AND deny rules that come after. I'm happy to send along the
> particular rules, but wanted to see if the question could be answered
> using theory first.
>
> (This message addresses an issue similar to but separate from the "ipfw"
> thread on freebsd-questions started by Rick Norman on Sep 18. I also
> posted this message there.)
>
> Any help is much appreciated.
>
> Thanks,
> Chris
>
> -- Chris Hardie -----------------------------
> ----- mailto:chris@summersault.com ----------
> -------- http://www.summersault.com/chris/ --
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
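Review bot: the comment on the `goto forward` line, `/* HACK! I should obey the fw_one_pass */`, goes stale with this change, since the condition `rule != NULL && fw_one_pass` now does obey it; reword it to say that a dummynet packet skips the firewall only when one_pass is set. More importantly, when fw_one_pass is 0 and rule != NULL the packet now falls through to the ip_fw_chk_ptr call guarded by the surrounding `if`, so check that this call is handed `rule` (the rule after the pipe rule) rather than starting from the first rule; if it restarts at rule 1 the re-injected packet matches the pipe rule a second time and goes back through dummynet. The change is stated as untested, so a bridged host with one_pass=0, a pipe rule and a later deny rule for the same traffic would confirm both points.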
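The ordering problem Chris describes (a pipe rule early in the ruleset, the deny rules after it) and the bridge.c shortcut Luigi's patch addresses, as an added example in Python. This is not FreeBSD code and not from either poster: it is a toy model of ipfw rule traversal that reduces matching to destination host and port, models the implicit rule 65535 as deny, and models the unpatched bridge behaviour as the thread describes it (a packet that already carries a dummynet rule pointer is forwarded regardless of one_pass). The host 10.0.0.5, the rule numbers and the telnet packet are constructed for the example.

```python
"""Toy model of how ipfw walks its rules around a dummynet pipe.

Added example, not FreeBSD code. Rule matching is reduced to destination
host and port; the re-injection semantics follow the ipfw man page as
quoted in the thread (one_pass=0 resumes at the rule after the pipe).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535  # ipfw's implicit last rule, modelled as deny here


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow", "deny" or "pipe"
    dst: str = "any"             # "any" or one host address
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return self.dst in ("any", pkt.dst) and self.dport in (None, pkt.dport)


def ip_fw_chk(rules: List[Rule], pkt: Packet, start: int = 0) -> Tuple[str, int]:
    """First matching rule numbered `start` or higher, like a resumed ip_fw_chk()."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.number >= start and rule.matches(pkt):
            return rule.action, rule.number
    return "deny", DEFAULT_RULE


def verdict(rules: List[Rule], pkt: Packet, one_pass: int,
            bridge_hack: bool = False) -> Tuple[str, List[int]]:
    """Final action and the rule numbers the packet matched, in order.

    one_pass    -> net.inet.ip.fw.one_pass: a packet leaving a pipe is
                   accepted without further checks.
    bridge_hack -> unpatched bridge.c as described in the thread: a packet
                   that already carries a dummynet rule pointer is forwarded
                   whatever one_pass says.
    """
    trace: List[int] = []
    action, number = ip_fw_chk(rules, pkt)
    trace.append(number)
    while action == "pipe":
        # The packet goes through dummynet and re-emerges carrying a
        # pointer to the rule after the pipe rule (`rule` in bridge.c).
        if one_pass or bridge_hack:
            return "allow", trace
        # one_pass=0: re-inject, resuming at the rule after the pipe rule.
        action, number = ip_fw_chk(rules, pkt, start=number + 1)
        trace.append(number)
    return action, trace


# Constructed rulesets; HOST, the rule numbers and the port are placeholders.
HOST = "10.0.0.5"
TELNET = Packet(dst=HOST, dport=23)

# The ordering from the post: shape traffic to the host first, deny later.
PIPE_BEFORE_DENY = [
    Rule(100, "pipe", dst=HOST),
    Rule(200, "deny", dst=HOST, dport=23),
    Rule(300, "allow"),
]

# Ordering whose outcome depends neither on one_pass nor on the bridge code.
DENY_BEFORE_PIPE = [
    Rule(100, "deny", dst=HOST, dport=23),
    Rule(200, "pipe", dst=HOST),
    Rule(300, "allow"),
]


if __name__ == "__main__":
    for name, rules in (("pipe before deny", PIPE_BEFORE_DENY),
                        ("deny before pipe", DENY_BEFORE_PIPE)):
        for one_pass, hack in ((1, False), (0, False), (0, True)):
            print("%s one_pass=%d bridge_hack=%s -> %s"
                  % (name, one_pass, hack, verdict(rules, TELNET, one_pass, hack)))
```

With the pipe rule first, the telnet packet is accepted straight out of the pipe under one_pass=1 and, in the modelled unpatched bridge path, under one_pass=0 as well; only a working re-injection reaches rule 200. Putting the deny rules ahead of the pipe gives the same deny whatever one_pass or the bridge code does, which is the ordering to use until the re-injection path is confirmed to work on the bridge.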
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109221508.RAA66779>