Date: Tue, 13 Dec 2005 13:01:22 -0500
From: David Pierron <david@wombatsweb.com>
To: Michiel Kranenburg <michiel@nl-hrln-ptgrf.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Possible bug in PF with if_bridge
Message-ID: <439F0C72.5000009@wombatsweb.com>
In-Reply-To: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
References: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
Michiel Kranenburg on 12/13/2005 12:07 PM wrote:
> I may have found a bug in PF (in combination with if_bridge) for
> FreeBSD 6.0-RELEASE.
>
> Let me explain my situation first:
>
> The xl1 and xl2 interfaces are connected together as a bridge (bridge0).
>
> The sysctl settings that are used:
> net.link.bridge.pfil_bridge=1
> net.link.bridge.pfil_member=1
>
> After applying these settings and configuring ifconfig, a new interface pops up.
>
> ---------------------------------------------
> bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
>         ether ac:de:48:8c:58:62
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: xl2 flags=3<LEARNING,DISCOVER>
>         member: xl1 flags=3<LEARNING,DISCOVER>
> ---------------------------------------------
>
> The bridge is working fine, and passes all traffic as it's supposed to.
>
> The weird thing occurs when using PF to filter the bridge.
> Let me post my pf.conf first: (I did not post the declaration of variables
> on top of the conf)
>
> ---------------------------------------------
> scrub in all
>
> block in log on bridge0 from any to $mynet
> block return-rst in log on bridge0 proto tcp from any to $mynet
>
> pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
> pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
>
> pass on lo0 all
>
> ## ICMP Section ##
> pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
> pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 } keep state
>
> ## DNS Replys ##
> pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to $mynet port 53 keep state
>
> ## Router ##
> pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state
>
> ## Mail ##
> pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep state
> pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags S/SA keep state
>
> ## Web ##
> pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
> pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep state
> ---------------------------------------------
>
> As you can see, I want to block every incoming packet (if not 'passed' later
> on in the ruleset) to the bridge (to the network on the other side).
>
> Now comes the strange part:
>
> Behind $web and $mail are running SSH servers. As defined by the rules, I
> don't want to allow any connection from the outside to the SSH servers.
> BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and
> some _don't_ (as it is supposed to be).
>
> The connections that are accepted (in violation of the PF rules) to the
> SSH servers are logged in /var/log/pflog as denied. (So PF marks the packets
> as denied, but doesn't block them!)
>
> These faults don't apply to SSH servers only! It happens to every service on
> the network.
>
> At least, the hosts that I have tested with are not in a specific IP range.
> I just picked some random hosts with different IP addresses and tried to
> telnet to the service ports; with some hosts I got a nice 'return-rst'
> packet, telling me that the connection is refused. With others I got the
> service response.
>
> I hope some of you guys can help me out.
>
> Please CC me as I'm not subscribed to this list.

I am new to PF and if_bridge ... so I am guessing here, but I do have first-hand experience in just setting one up ... I am still playing with rulesets to get it just right ... ANYWAY ...

Seems to me that if you want to just use "bridge0" you should change your sysctl.conf

net.link.bridge.pfil_member=1

to

net.link.bridge.pfil_member=0

The way I have mine configured is to use xl0 and xl1 in the rules (with pfil_member=1) ... I have seen that ftpsesame adds bridge0 rules dynamically though ...

But, I don't think it's a bug ...
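The two consistent pairings of the if_bridge sysctls with the interface named in the rules, written out as an added example (not configuration from either poster). It assumes the if_bridge(4) behaviour that with both sysctls at 1 a packet is run through pf on the member interface and again on bridge0, and it uses placeholder addresses and an assumed outside/inside assignment of xl1/xl2 since the original post omits its macro definitions.

```conf
# Option A: filter on bridge0 only (the reply's suggestion).
# /etc/sysctl.conf
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

# /etc/pf.conf for option A: every rule is bound to bridge0, so nothing
# is evaluated on xl1/xl2 and the ruleset below behaves as written.
mynet  = "192.0.2.0/24"   # placeholder, not the original poster's value
router = "192.0.2.1"      # placeholder
scrub in all
block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet
pass in on bridge0 proto tcp from any to $router port 22 flags S/SA keep state
pass out on bridge0 proto { tcp, udp } from $mynet to any keep state

# Option B: filter on the member interfaces instead.
# /etc/sysctl.conf
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1

# /etc/pf.conf for option B: rules name the member that faces each side.
# Assumption: xl1 faces the outside, xl2 faces the protected network.
ext_if = "xl1"
int_if = "xl2"
mynet  = "192.0.2.0/24"   # placeholder
router = "192.0.2.1"      # placeholder
scrub in all
block in log on $ext_if from any to $mynet
block return-rst in log on $ext_if proto tcp from any to $mynet
pass in on $ext_if proto tcp from any to $router port 22 flags S/SA keep state
# Inside-originated traffic enters on xl2; the (floating) state created
# here also matches the packet leaving on xl1 and the replies returning.
pass in on $int_if proto { tcp, udp } from $mynet to any keep state

# Mixing the two (pfil_bridge=1 AND pfil_member=1 with rules bound only
# to bridge0) means the member-interface pass matches no rule at all and
# falls through to pf's default accept; keep the sysctl and the "on"
# interface in the rules aligned, and confirm with: pfctl -nf /etc/pf.conf
```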