From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 11:09:20 2004
Date: Wed, 1 Dec 2004 20:09:12 +0900
From: Pyun YongHyeon
To: Clément MOULIN
Cc: freebsd-pf@freebsd.org
Reply-To: yongari@kt-is.co.kr
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041201110912.GA9840@kt-is.co.kr>
In-Reply-To: <20041201045203.262D443D5C@mx1.FreeBSD.org>
List-Id: Technical discussion and general questions about packet filter (pf)

On Wed, Dec 01, 2004 at 05:51:35AM +0100, Clément MOULIN wrote:
> Hi,
>
> I'm afraid I have found a FreeBSD 5.X security issue.
>
> We have recently upgraded one gateway from 4.10 to 5.3... The following
> network is used:
>
> [ISP]--xl1--[FW01]-----xl0--em0--[SR01]
>                 |
>                 |--fxp0--em0--[SR02]
>
> On fw01, we have one jail.
>
> So fw01 is configured as a bridge on xl1, xl0, fxp0. Services work (before
> and after upgrade).
> On 4.10, we used IPFilter as firewall and for network traffic accounting.
> Since the upgrade, INCOMING traffic accounting does not work anymore
> (OUTGOING works fine)...
>
> Thinking this could be an ipfilter issue, and because we are planning to
> change to the great OpenBSD pf, we have tried to do accounting with pf...
> but the same behaviour occurs (tests have been done with big files).
>
> From/to   inet  fw01  jail  sr01  sr02
> Internet  -     ok    ok    KO    KO
> Fw01      ok    -     ok    ok    ok
> Jail      ok    ok    -     ok    ok
> Sr01      KO*   ok    ok    -     KO
> Sr02      KO*   ok    ok    KO    -
>
> * with pf enabled, the scp connection goes "stalled" very quickly (stops
> between 100 and 300 Kb of traffic)
>
> Worst thing, the "default rule" accounting (any to any) does not report
> the "unreported" traffic... it feels like rules are not processed. So I
> decided to make another test with pf.
>
> Adding "block in quick proto tcp from any to [jail_port] port smtp";
> Testing: works fine.
> But with the same rule with sr01 as destination host, IT DOESN'T WORK:
> from internet, fw01 or sr02, we can connect to the tcp port
> !!!!!!!!!!!!!!!!! It's not pf related, because the same behaviour occurs
> with IPF!!!!!!!!
>
> Details
> fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge,
> nullfs and pf.
> Sr01: FreeBSD 5.2.1, custom kernel
> Sr02: FreeBSD 5.3, GENERIC kernel
>
> ------------------------------------pf.conf
> set loginterface fxp1
>
> jail=**IP**
> sr01=**IP**
> sr02=**IP**
>
> #block in quick proto tcp from any to $sr01 port smtp
>
> pass quick from any to $jail keep state label 0
> pass quick from $jail to any keep state label 1
> pass quick from any to $sr02 keep state label 6
> pass quick from $sr02 to any keep state label 7
> pass quick from any to $sr01 keep state label 10
> pass quick from $sr01 to any keep state label 11
>
> pass all
> ------------------------------------
>
> Seems to be FreeBSD 5.3 bridge support related...
> Can someone take a look at this? Thanks!

Both pf and ipf can't create *states* in bridge mode. That restriction
comes from bridge(4). Since pf/ipf couldn't create states, it will drop
the packet when it thinks the packet is out of the TCP window. If you
want to use pf/ipf in bridge mode, don't use stateful inspection.

One more note: filtering works only for inbound traffic in bridge mode.

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
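As an added example (not the poster's pf.conf or anything from the thread), the accounting rules for the two bridged hosts rewritten along the lines of the reply: no state, and each direction matched inbound on the member port where it enters. Interface names follow the diagram; **IP** remains a placeholder, and the jail rules are left out because the jail is not a bridged host.

```pf
# Added example, not the poster's pf.conf: the same per-host accounting done
# without state, as the reply suggests for a FreeBSD 5.3 bridge(4) setup.
# Interface names follow the diagram in the thread; **IP** is a placeholder.
ext_if  = "xl1"    # member port towards the ISP
sr01_if = "xl0"    # member port facing SR01
sr02_if = "fxp0"   # member port facing SR02
sr01 = "**IP**"
sr02 = "**IP**"

# Original form: needs a state entry, which bridge(4) does not let pf create,
# so later segments look out-of-window and are dropped (the "stalled" scp).
#   pass quick from any to $sr01 keep state label 10
#   pass quick from $sr01 to any keep state label 11

# Stateless form. In the pf shipped with 5.3 a rule without "keep state" is
# stateless; on newer pf, where keep state is the default, add "no state".
# Only inbound traffic is filtered on the bridge, so each direction is matched
# on the member port where it enters, and the label keeps the counters.
pass in quick on { $ext_if, $sr02_if } from any to $sr01 label "to_sr01"
pass in quick on $sr01_if              from $sr01 to any label "from_sr01"
pass in quick on { $ext_if, $sr01_if } from any to $sr02 label "to_sr02"
pass in quick on $sr02_if              from $sr02 to any label "from_sr02"

# Catch-all, also stateless, so the per-label counters above are not skewed.
pass in quick label "other_in"

# Read the per-rule packet/byte counters with: pfctl -sl
```

Because the rules are evaluated per packet rather than per connection, `pfctl -sl` reports every forwarded packet against the first matching label, which is what the poster's "default rule" check relied on.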