From owner-freebsd-ipfw Sat Sep 22 7:16: 1 2001
Delivered-To: freebsd-ipfw@freebsd.org
Date: Sat, 22 Sep 2001 09:15:54 -0500 (EST)
From: Chris Hardie
To: freebsd-hackers@freebsd.org,
Subject: net.inet.ip.fw.one_pass=0 not effective in filtering bridge?

Hi.

I've got a filtering bridge running on FreeBSD 4.3 with ipfw and a customized rc.firewall config. The setup has been working well for a while now. I was unfortunately alerted to a hole after a box behind the firewall was cracked because ports that I thought were protected...weren't.

It turns out that traffic to/from the machine in question was being passed through a pipe early in the rc.firewall config, and that the ipfw processing terminated when the packets came out of the pipe, so they never saw the rules farther down that would have dropped those packets headed for bad places.

A-ha! "Easy" you say - just do

  sysctl -w net.inet.ip.fw.one_pass=0

and according to the ipfw man page, that will cause the packets to be re-injected into the firewall when they come out of the pipe, starting where they left off.

Well, this just doesn't seem to be taking effect! I've crawled through docs and mailing lists. Setting net.inet.ip.fw.one_pass seems to be the common solution, but a few other people have mentioned the same ineffectiveness of that, and then those threads just drop off.

So I'm wondering if it's possible that, because the kernel is compiled with "options BRIDGE", packets are strictly only going through the firewall rules once, and that net.inet.ip.fw.one_pass=0 isn't having an effect in this case?

If my wondering is in error, I'm looking for suggestions about how to verify the behavior I'm seeing and how to achieve the desired result: to use pipes AND deny rules that come after. I'm happy to send along the particular rules, but wanted to see if the question could be answered using theory first.

(This message addresses an issue similar to but separate from the "ipfw" thread on freebsd-questions started by Rick Norman on Sep 18. I also posted this message there.)

Any help is much appreciated.

Thanks,
Chris

-- 
Chris Hardie
mailto:chris@summersault.com
http://www.summersault.com/chris/
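As an added illustration, not part of Chris's message and not ipfw code, the following Python model of an ipfw rule walk shows the effect the post describes: a pipe rule that matches early in the ruleset ends evaluation when net.inet.ip.fw.one_pass=1, so a deny rule farther down is never consulted, while with one_pass=0 the packet is re-injected and evaluation resumes at the rule after the pipe rule. The rule numbers, addresses and ports are constructed; the model follows the ipfw(8) description of one_pass for the ordinary routed path and does not attempt to model the bridging case the post asks about. The assumed default rule is a deny (a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str                  # "pipe", "allow" or "deny"
    dst: str = "any"             # destination host, or "any"
    dport: Optional[int] = None  # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        host_ok = self.dst == "any" or self.dst == pkt.dst
        port_ok = self.dport is None or self.dport == pkt.dport
        return host_ok and port_ok


# Constructed ruleset with the shape described in the post: a pipe (traffic
# shaping) rule early on, a deny for a sensitive port later, then a catch-all
# allow. Comments show the equivalent ipfw(8) commands.
RULES = [
    Rule(100, "pipe", dst="10.0.0.5"),            # ipfw add 100 pipe 1 ip from any to 10.0.0.5
    Rule(200, "deny", dst="10.0.0.5", dport=23),  # ipfw add 200 deny tcp from any to 10.0.0.5 23
    Rule(300, "allow"),                           # ipfw add 300 allow ip from any to any
]


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool) -> Tuple[str, List[int]]:
    """Walk the ruleset in order and return (verdict, numbers of rules that matched).

    one_pass=True  models net.inet.ip.fw.one_pass=1: a packet handed to a
                   dummynet pipe leaves the firewall for good and is accepted
                   when it comes out of the pipe.
    one_pass=False models net.inet.ip.fw.one_pass=0: the packet is re-injected
                   and evaluation continues at the rule after the pipe rule.
    """
    trace: List[int] = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        trace.append(rule.number)
        if rule.action == "pipe":
            if one_pass:
                return "allow", trace   # later rules are never seen
            continue                    # re-injected: keep walking from the next rule
        return rule.action, trace
    # Assumed default rule 65535: deny (kernel without IPFIREWALL_DEFAULT_TO_ACCEPT).
    return "deny", trace


def compare(rules: List[Rule], pkt: Packet) -> dict:
    """Verdict for the same packet under both sysctl settings."""
    return {
        "one_pass=1": evaluate(rules, pkt, True)[0],
        "one_pass=0": evaluate(rules, pkt, False)[0],
    }


if __name__ == "__main__":
    # Constructed packet: a telnet connection to the shaped host.
    telnet = Packet("192.0.2.1", "10.0.0.5", 23)
    for setting, verdict in compare(RULES, telnet).items():
        print(f"{setting}: {verdict}")
```

Run stand-alone, the script reports that the telnet packet is allowed under one_pass=1 (only rule 100 is consulted) and denied under one_pass=0 (rules 100 and 200 are consulted). Reading the verdict per setting is a quick way to see which rules a given ruleset would actually apply before debugging why the live kernel behaves differently.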