Date: Wed, 20 Nov 2002 20:56:37 +0100 From: Stephan Eckner <stephan-freebsd-security@eckner.org> To: freebsd-security@FreeBSD.org Subject: Blocking non-IP traffic on an IPFW-Bridge Message-ID: <20021120195637.GA11520@knuth.codeblau.de>
next in thread | raw e-mail | index | archive | help
Hi, I recently set up a bridging-firewall to protect some servers on my internal net. The bridge is correctly blocking all IP-traffic. Nevertheless I find some packets behind the firewall, that seem to have passed the firewall: tcpdump: listening on bge0 20:36:50.247555 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:36:52.251387 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:36:54.146709 12.00:02:55:9c:26:ce.453 > 12.ff:ff:ff:ff:ff:ff.453:ipx-rip-resp 1004/1.2 13/1.2 99/1.2 1003/2.3 5/2.3 6/2.3[|ipx 248] 20:36:54.246443 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:36:54.412285 CDP v2, ttl=180s DevID '17-3-[2731]' Addr (1): IPv4 10.0.12.243 PortID 'FastEthernet0/4' CAP 0x0a[|cdp] 20:36:56.246483 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:36:57.023039 12.00:01:e6:71:9c:33.452 > 12.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64] 20:36:58.248710 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:37:00.247279 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 This looks like non-IP traffic to me. As I'm seeing these packets on both the external interface of the firewall and on the server behind the firewall, they don't seem to be blocked by my "deny ip from any to any" rule. Is there any way to block these packets from crossing the bridge? Stephan -- Stephan Eckner http://www.eckner.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021120195637.GA11520>