From: Pyun YongHyeon
Reply-To: yongari@kt-is.co.kr
To: Clément MOULIN
cc: freebsd-pf@freebsd.org
Date: Thu, 2 Dec 2004 12:25:57 +0900
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041202032557.GB12155@kt-is.co.kr>
In-Reply-To: <200412011320.iB1DKaAf028201@ns.kt-is.co.kr>

On Wed, Dec 01, 2004 at 02:20:40PM +0100, Clément MOULIN wrote:
>
> Pyun YongHyeon wrote:
> > Both pf and ipf can't create *states* in bridge mode. That restriction
> > comes from bridge(4). Since pf/ipf couldn't create states it will drop the
> > packet when it thinks the packet is out of the TCP window.
> >
> > If you want to use pf/ipf in bridge mode, don't use stateful inspection.
> > One more note: filtering works only for inbound traffic in bridge mode.
>
> If you're right, it SHOULD really be specified in bridge(4), but I'm not
> very sure about this, since I see states with pfctl and no packets are
> dropped in my case (except maybe in scp from internet to sr01)!

Are you sure you can see *states* with "pfctl -ss"? Both pf/ipf can't create
states since they couldn't see ANY outbound packets in bridge environments.
In jail (fw01), you can see states since packets go through L3 hook points.

> Finally, I have found the main problem. Both for ipf/pf, I have to set
> sysctl "net.link.ether.bridge.ipf" to 1... That doesn't exist on FreeBSD
> 4X. After that, incoming traffic is filtered (accounting works, blocking
> rules too).

Yes, incoming packets only in bridged setup.

> We REALLY need to specify this in FreeBSD handbook (sections 14.9 -
> firewalls and 24.5.4 - bridging) and Migration Guide of 5X, since it could
> be a big security hole.

Agreed. We need clearer documentation for pf/ipf in bridge environments.

> My last problem is that scping from sr01 to internet stalled after
> 144KB exactly (internet to sr01 works)! This is a pf issue, since it occurs
> only when pf is enabled.

For states created by pf without seeing the first SYN packet, the connection
is fragile. Since pf didn't see options like window scale, pf will drop the
connection eventually when it thinks the sequence number of the packet is out
of the TCP window. The duration of the connection depends on your
application/setup etc.
-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
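The window-check failure described in the reply above (a state created without seeing the SYN, so without the window-scale option), as an added simulation that is not part of the original thread and not pf's own sequence tracker; the window sizes, segment size and the receiver stall are constructed values.

```python
"""Model of the failure mode described above: a stateful firewall that picks
up a TCP flow after the handshake never learned the window-scale option, so
it evaluates the peer's advertised window unscaled and eventually judges a
perfectly valid segment out of window.  Added, simplified model; not pf's
own sequence tracker.  All sizes below are constructed values."""

MSS = 1460  # segment payload size used by the constructed sender


def tracker_accepts(seq, length, peer_ack, raw_win, wscale):
    """Window check as a firewall would apply it to a data segment: the
    segment must end inside the window the peer last advertised.
    wscale=None means the SYN was never seen, so the firewall has no
    choice but to treat the 16-bit window field as unscaled."""
    shift = 0 if wscale is None else wscale
    return seq + length <= peer_ack + (raw_win << shift)


def simulate_transfer(firewall_wscale, raw_win=4096, wscale=5,
                      total=300_000, stall_after=100_000, stall_len=60_000):
    """Stream `total` bytes to a receiver whose true window is
    raw_win << wscale.  The receiver ACKs each segment promptly until
    `stall_after` bytes, then its application stops reading for
    `stall_len` bytes, so unacknowledged data piles up (still well inside
    the true window).  Returns the sequence number of the first segment
    the firewall drops, or None if the whole transfer passes."""
    real_win = raw_win << wscale
    assert stall_len + MSS <= real_win, "sender itself would block otherwise"
    peer_ack = 0  # highest ACK the firewall has seen from the receiver
    seq = 0
    while seq < total:
        length = min(MSS, total - seq)
        if not tracker_accepts(seq, length, peer_ack, raw_win, firewall_wscale):
            return seq
        seq += length
        stalled = stall_after <= seq < stall_after + stall_len
        if not stalled:
            peer_ack = seq  # prompt ACK covering everything sent so far
    return None


if __name__ == "__main__":
    # Firewall that saw the SYN and knows the scale: transfer completes.
    print("wscale known  :", simulate_transfer(5))        # None
    # Firewall that created state mid-stream: drops once ACKs lag by more
    # than the unscaled window (4096 bytes), i.e. after ~100 KB here.
    print("wscale unknown:", simulate_transfer(None))     # 102200
```

How long such a connection survives depends on how far the receiver's ACKs lag behind, which is why the stall point varies with the application.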