Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 20 Nov 2002 20:56:37 +0100
From:      Stephan Eckner <stephan-freebsd-security@eckner.org>
To:        freebsd-security@FreeBSD.org
Subject:   Blocking non-IP traffic on an IPFW-Bridge
Message-ID:  <20021120195637.GA11520@knuth.codeblau.de>
next in thread | raw e-mail | index | archive | help 
Hi,

I recently set up a bridging-firewall to protect some servers on my internal 
net. The bridge is correctly blocking all IP-traffic. Nevertheless I find
some packets behind the firewall, that seem to have passed the firewall:

tcpdump: listening on bge0
20:36:50.247555 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 
20:36:52.251387 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 
20:36:54.146709 12.00:02:55:9c:26:ce.453 > 12.ff:ff:ff:ff:ff:ff.453:ipx-rip-resp 1004/1.2 13/1.2 99/1.2 1003/2.3 5/2.3 6/2.3[|ipx 248]
20:36:54.246443 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 
20:36:54.412285 CDP v2, ttl=180s DevID '17-3-[2731]' Addr (1): IPv4 10.0.12.243 PortID 'FastEthernet0/4' CAP 0x0a[|cdp]
20:36:56.246483 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:36:57.023039 12.00:01:e6:71:9c:33.452 > 12.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
20:36:58.248710 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:37:00.247279 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15

This looks like non-IP traffic to me. As I'm seeing these packets on both 
the external interface of the firewall and on the server behind the firewall,
they don't seem to be blocked by my "deny ip from any to any" rule.

Is there any way to block these packets from crossing the bridge?

Stephan

-- 
Stephan Eckner                                           http://www.eckner.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021120195637.GA11520>