Date: Tue, 13 Dec 2005 13:01:22 -0500 From: David Pierron <david@wombatsweb.com> To: Michiel Kranenburg <michiel@nl-hrln-ptgrf.net> Cc: freebsd-pf@freebsd.org Subject: Re: Possible bug in PF with if_bridge Message-ID: <439F0C72.5000009@wombatsweb.com> In-Reply-To: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net> References: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Michiel Kranenburg on 12/13/2005 12:07 PM wrote:
>I may have found a bug in PF (in combination with if_bridge) for
>FreeBSD6.0-RELEASE.
>
>
>Let me explain my situation first:
>
>The xl1 and xl2 interfaces are connected together as a bridge (bridge0).
>
>The sysctl settings that are used:
>net.link.bridge.pfil_bridge=1
>net.link.bridge.pfil_member=1
>
>After applying these settings and configuring ifconfig, a new interface pops
>up.
>
>---------------------------------------------
>bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
> ether ac:de:48:8c:58:62
> priority 32768 hellotime 2 fwddelay 15 maxage 20
> member: xl2 flags=3<LEARNING,DISCOVER>
> member: xl1 flags=3<LEARNING,DISCOVER>
>---------------------------------------------
>
>The bridge is working fine, and passes al traffic as its supposed too.
>
>
>The weird thing occurs when using PF to filter the bridge.
>Let me post my pf.conf first: (I did not post the declaration of variables
>on top of the conf)
>
>---------------------------------------------
>scrub in all
>
>block in log on bridge0 from any to $mynet
>block return-rst in log on bridge0 proto tcp from any to $mynet
>
>pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
>pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
>
>pass on lo0 all
>
>
>## ICMP Section ##
>pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep
>state
>pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 }
>keep state
>
>
>## DNS Replys ##
>pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to
>$mynet port 53 keep state
>
>
>## Router ##
>pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA
>keep state
>
>
>## Mail ##
>pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep
>state
>pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags
>S/SA keep state
>
>
>## Web ##
>pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep
>state
>pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep
>state
>---------------------------------------------
>
>
>As you can see, I want to block every incoming packet (if not 'passed' later
>on the ruleset) to the bridge (to the network on the other side).
>
>
>Now comes the strange part:
>
>Behind $web and $mail are running SSH-servers. As defined by the rules, I
>don't want to allow any connection from the outside to the SSH-servers.
>BUT, some hosts/ip-addresses can _still_ connect to the SSH-servers(!), and
>some _dont_ (as it supposed to be).
>
>The connections that are accepted (in violation with the PF-rules) to the
>SSH-servers are logged in /var/log/pflog as denied. (So PF marks the packets
>as denied, but doesn't block them!).
>
>These faults don't apply to SSH-servers only! It happens to every service on
>the network.
>
>At least, the hosts that I have tested with are not in a specific ip-range.
>I just picked some random hosts with different ip-addresses and tried to
>telnet to the service-ports, with some
>hosts I got a nice 'return-rst' packet, telling me that the connection is
>refused. With others I got the service response.
>
>
>I hope some of you guys can help me out.
>
>Please CC me as i'm not subscribed to this list.
>
I am new to PF and if_bridge ... so I am guessing here, but I do have
first hand experience in just setting one up ... I am still playing with
rulesets to get it just right ...
ANYWAY ...
Seems to me that if you want to just use "bridge0" that you should
change your sysctl.conf
net.link.bridge.pfil_member=1
to
net.link.bridge.pfil_member=0
The way I have mine configured is to use the xl0 and xl1 in the rules
(with pfil_member=1) ... I have seen that ftpsesame adds bridge0 rules
dynamically though ...
But, I don't think it's a bug ...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?439F0C72.5000009>