From: Clément MOULIN (SimpleRezo)
To: freebsd-pf@freebsd.org
Date: Wed, 1 Dec 2004 05:51:35 +0100
Subject: FreeBSD bridge + filtering, BIG problem
List-Id: Technical discussion and general questions about packet filter (pf)

Hi,

I'm afraid I have found a FreeBSD 5.X security issue.
We have recently upgraded one gateway from 4.10 to 5.3. The following network is used:

[ISP]--xl1--[FW01]-----xl0--em0--[SR01]
                  |
                  |--fxp0--em0--[SR02]

On fw01, we have one jail.

So fw01 is configured as a bridge on xl1, xl0, fxp0. Services work (before and after the upgrade).

On 4.10, we used IPFilter as firewall and for network traffic accounting.

Since the upgrade, INCOMING traffic accounting does not work anymore (OUTGOING works fine)...

Thinking this could be an ipfilter issue, and because we are planning to change to the great OpenBSD pf, we have tried to do accounting with pf... but the same behaviour occurs (tests have been done with big files).

From/to     inet   fw01   jail   sr01   sr02
Internet    -      ok     ok     KO     KO
Fw01        ok     -      ok     ok     ok
Jail        ok     ok     -      ok     ok
Sr01        KO*    ok     ok     -      KO
Sr02        KO*    ok     ok     KO     -

* with pf enabled, the scp connection goes "stalled" very quickly (stops between 100 and 300 Kb of traffic)

Worst thing, the "default rule" accounting (any to any) does not report the "unreported" traffic... it feels like the rules are not processed. So I decided to make another test with pf.

Adding "block in quick proto tcp from any to [jail_port] port smtp"; Testing: works fine.

But with the same rule with sr01 as the destination host, IT DOESN'T WORK: from internet, fw01 or sr02, we can connect to the tcp port!!!!!!!!!!!!!!!!!

It's not pf related, because the same behaviour occurs with IPF!!!!!!!!

Details

fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge, nullfs and pf.
Sr01: FreeBSD 5.2.1, custom kernel
Sr02: FreeBSD 5.3, GENERIC kernel

------------------------------------pf.conf
set loginterface fxp1
jail=**IP**
sr01=**IP**
sr02=**IP**
#block in quick proto tcp from any to $sr01 port smtp
pass quick from any to $jail keep state label 0
pass quick from $jail to any keep state label 1
pass quick from any to $sr02 keep state label 6
pass quick from $sr02 to any keep state label 7
pass quick from any to $sr01 keep state label 10
pass quick from $sr01 to any keep state label 11
pass all
------------------------------------

Seems to be bridge FreeBSD 5.3 support related...

Can someone take a look at this? Thanks!

--
Clément Moulin
SimpleRezo - Simplify your network!
Tel.: +33 871 763 102 - Web: http://www.simplerezo.com/
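One way to tell "the rule is evaluated but matches nothing" apart from "the packets never reach pf at all" is to read the per-label counters that `pfctl -s labels` prints for the labelled pass rules in the pf.conf above. The script below is an added example, not code from the poster or from the pf project: it assumes the label-to-host numbering from the post's pf.conf (0/1 jail, 6/7 sr02, 10/11 sr01), assumes the eight-column label output (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out) while also accepting an older four-column form, and uses a constructed sample in which the sr01 rules have zero evaluations, which is the shape the symptom in the post would take if bridged traffic bypassed the filter.

```python
"""Summarise `pfctl -s labels` counters into per-host accounting totals.

Added example (not the poster's code). Label numbering is taken from the
pf.conf in the post; the output column layout is an assumption.
"""
from typing import Dict, List, Tuple

# Label -> (host, direction), from the rules in the post: even labels are
# "pass quick from any to $host", odd labels are "pass quick from $host to any".
LABEL_MAP: Dict[str, Tuple[str, str]] = {
    "0": ("jail", "to"), "1": ("jail", "from"),
    "6": ("sr02", "to"), "7": ("sr02", "from"),
    "10": ("sr01", "to"), "11": ("sr01", "from"),
}

# Constructed sample shaped like `pfctl -s labels` output. The all-zero rows
# for labels 10/11 model the post's symptom: traffic reaches sr01 but the
# rules for it are never evaluated, so nothing is ever accounted.
SAMPLE_OUTPUT = """\
0 1200 800 640000 400 320000 400 320000
1 1150 790 612000 395 306000 395 306000
6 900 500 410000 250 205000 250 205000
7 880 490 402000 245 201000 245 201000
10 0 0 0 0 0 0 0
11 0 0 0 0 0 0 0
"""

COLUMNS = ("evaluations", "packets", "bytes",
           "packets_in", "bytes_in", "packets_out", "bytes_out")


def parse_labels(text: str) -> Dict[str, Dict[str, int]]:
    """Parse pfctl -s labels output into {label: {counter: value}}.

    Accepts the 8-column form above and a 4-column form (label,
    evaluations, packets, bytes); any other width is an error rather
    than a silently mis-assigned counter.
    """
    result: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        label, counters = fields[0], fields[1:]
        if len(counters) not in (3, 7):
            raise ValueError(f"unexpected column count: {line!r}")
        result[label] = dict(zip(COLUMNS, (int(c) for c in counters)))
    return result


def per_host_bytes(labels: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Fold the label byte counters into {host: {"to": bytes, "from": bytes}}."""
    totals: Dict[str, Dict[str, int]] = {}
    for label, counters in labels.items():
        if label not in LABEL_MAP:
            continue  # a label this map does not know; ignore it
        host, direction = LABEL_MAP[label]
        totals.setdefault(host, {"to": 0, "from": 0})
        totals[host][direction] += counters["bytes"]
    return totals


def unseen_hosts(labels: Dict[str, Dict[str, int]]) -> List[str]:
    """Hosts none of whose rules were ever evaluated.

    A reachable host whose pass rules show zero evaluations means the
    packets are not traversing pf at all, which is a different problem
    from a rule that is evaluated but written so that it never matches.
    """
    evaluated: Dict[str, int] = {}
    for label, (host, _direction) in LABEL_MAP.items():
        counters = labels.get(label, {"evaluations": 0})
        evaluated[host] = evaluated.get(host, 0) + counters["evaluations"]
    return sorted(host for host, n in evaluated.items() if n == 0)


if __name__ == "__main__":
    parsed = parse_labels(SAMPLE_OUTPUT)
    for host, t in sorted(per_host_bytes(parsed).items()):
        print(f"{host:5s} to={t['to']:>9d} from={t['from']:>9d} bytes")
    print("hosts whose rules pf never evaluated:", unseen_hosts(parsed))
```

On a live box the sample text would be replaced by the captured output of `pfctl -s labels`; if a host shows traffic on the wire but its labels report zero evaluations, the accounting rules are not the place to look, the path the bridged frames take past the filter is.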