From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 13:21:02 2004
From: Clément MOULIN <cmoulin@simplerezo.com>
Date: Wed, 1 Dec 2004 14:20:40 +0100
Organization: SimpleRezo
In-Reply-To: <20041201110912.GA9840@kt-is.co.kr>
Message-Id: <20041201132101.F2A3143D6D@mx1.FreeBSD.org>
cc: freebsd-security@freebsd.org
cc: freebsd-questions@freebsd.org
cc: freebsd-pf@freebsd.org
Subject: RE: FreeBSD bridge + filtering, BIG problem
List-Id: Technical discussion and general questions about packet filter (pf)

Pyun YongHyeon wrote:

> Both pf and ipf can't create *states* in bridge mode. That restriction
> comes from bridge(4). Since pf/ipf couldn't create states, it will drop
> the packet when it thinks the packet is out of the TCP window.
>
> If you want to use pf/ipf in bridge mode, don't use stateful inspection.
> One more note: filtering works only for inbound traffic in bridge mode.

If you're right, it SHOULD really be specified in bridge(4), but I'm not very sure about this, since I see states with pfctl and no packets are dropped in my case (except maybe in scp from internet to sr01)!

Finally, I have found the main problem. Both for ipf/pf, I have to set sysctl "net.link.ether.bridge.ipf" to 1... That doesn't exist on FreeBSD 4.X. After that, incoming traffic is filtered (accounting works, blocking rules too). We REALLY need to specify this in the FreeBSD handbook (sections 14.9 - firewalls and 24.5.4 - bridging) and the Migration Guide of 5.X, since it could be a big security hole.

My last problem is that scping from sr01 to internet stalls after exactly 144KB (internet to sr01 works)! This is a pf issue, since it occurs only when pf is enabled.

--
Clement Moulin
SimpleRezo - Simplify your network!
Web: http://www.simplerezo.com/
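An added audit helper for the misconfiguration Clément describes (example code, not from the thread or from FreeBSD): it reads a `sysctl` listing and reports whether a 5.x bridge(4) host hands bridged IP packets to pf/ipf at all. It assumes the 5.x knob names net.link.ether.bridge.enable and net.link.ether.bridge.ipf, and the sample listings below are constructed, not captured.

```shell
#!/bin/sh
# Audit: does this bridge(4) host pass bridged packets through pf/ipf?
# Normally fed from: sysctl net.link.ether.bridge
# Assumed 5.x sysctl names: net.link.ether.bridge.enable, net.link.ether.bridge.ipf

# Print the value of one key from a "key: value" listing; print nothing if absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F': *' '$1 == k { print $2; exit }'
}

# Verdict: "no-bridge", "filtered", "unfiltered" (exit 1) or "unknown" (exit 2).
# "unfiltered" is the hole from the thread: bridging on, but packets bypass the firewall.
bridge_filter_verdict() {
    listing="$1"
    enable=$(sysctl_value net.link.ether.bridge.enable "$listing")
    ipf=$(sysctl_value net.link.ether.bridge.ipf "$listing")
    if [ "$enable" != "1" ]; then
        echo "no-bridge"                  # nothing is forwarded at layer 2
        return 0
    fi
    case "$ipf" in
        1) echo "filtered";   return 0 ;; # bridged packets reach pf/ipf
        0) echo "unfiltered"; return 1 ;; # bridged packets skip pf/ipf entirely
        *) echo "unknown";    return 2 ;; # knob absent (e.g. 4.x) or odd value
    esac
}

# Constructed sample listings for a self-check (interface names are made up).
SAMPLE_HOLE='net.link.ether.bridge.enable: 1
net.link.ether.bridge.config: fxp0,fxp1
net.link.ether.bridge.ipf: 0'
SAMPLE_FIXED='net.link.ether.bridge.enable: 1
net.link.ether.bridge.config: fxp0,fxp1
net.link.ether.bridge.ipf: 1'

# Run with --self-test to see both verdicts; "|| true" keeps set -e from aborting.
if [ "${1:-}" = "--self-test" ]; then
    bridge_filter_verdict "$SAMPLE_HOLE" || true
    bridge_filter_verdict "$SAMPLE_FIXED" || true
fi
```

On a live host, pipe `sysctl net.link.ether.bridge` into the function and treat a non-zero exit as a finding to fix before trusting the bridge as a firewall.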