Date:      Fri, 10 Jul 2020 22:44:12 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        Ultima <ultima1252@gmail.com>
Cc:        pf@freebsd.org
Subject:   Re: The best of both worlds “using mac filtering in pf”
Message-ID:  <AD3C9942-83F1-4E61-B1F2-2A00FA125B4A@FreeBSD.org>
In-Reply-To: <CANJ8om7c81-n1tWawSSACSTUQ9DhCB72jPoXDOHx5Tojnt5xXQ@mail.gmail.com>
References:  <!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==@xs4all.nl> <13D8D0CF-3C18-4FE6-B501-62B042099004@FreeBSD.org> <CANJ8om7c81-n1tWawSSACSTUQ9DhCB72jPoXDOHx5Tojnt5xXQ@mail.gmail.com>

On 10 Jul 2020, at 22:37, Ultima wrote:
> Hey Kristof,
>
>
>> (It’s already possible to use pf on top of a bridge in
>> bump-in-the-wire mode. Given the gotchas in that code I **strongly**
>> recommend people don’t use that functionality.)
>>
>>
> Do you mind going into details on the gotchas or providing links?
>
I am reluctant to, because people will delude themselves into believing 
they can avoid the landmines.

The entire way this feature is implemented is wrong, and you cannot 
reliably avoid the landmines. If you use it at some point you will find 
yourself spread out over the landscape.

That said, very briefly, (and understand that it **will** blow up in 
your face when it’s most annoying): the way this feature works is by 
stripping off the ethernet header, passing the IP packet to pf, and then 
re-adding the ethernet header once pf is done with it.

This explodes spectacularly if you do something that causes the packet 
to not be returned by pf, such as a route-to/reply-to rule, or anytime 
IPv6 fragmentation is involved.

Best regards,
Kristof
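An added check, not from the thread and not pf's or FreeBSD's own tooling, that turns the warning above into something an operator can run: it flags route-to/reply-to rules whenever pf is filtering bridged traffic. The net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctl names are assumed from if_bridge(4), and the sample ruleset is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a pf ruleset for the two
# constructs named as breaking pf-on-bridge ("bump-in-the-wire")
# filtering: route-to and reply-to. Rule text is passed as an argument so
# it can come from `pfctl -sr` or from a constructed sample offline.
# Assumption: FreeBSD's if_bridge(4) sysctls net.link.bridge.pfil_bridge
# and net.link.bridge.pfil_member decide whether bridged frames reach pf.

# route-to/reply-to are always followed by a target, hence the trailing space.
REROUTE_RE='(^|[[:space:]])(route-to|reply-to)[[:space:]]'

# Print the number of rules using route-to or reply-to (always exits 0).
count_reroute_rules() {
    printf '%s\n' "$1" | grep -E -c "$REROUTE_RE" || true
}

# Print the offending rules, prefixed with their line number.
list_reroute_rules() {
    printf '%s\n' "$1" | grep -E -n "$REROUTE_RE" || true
}

# True when pf sees bridged traffic; args are the two sysctl values.
bridge_filtering_enabled() {
    [ "$1" = "1" ] || [ "$2" = "1" ]
}

# audit_bridge_pf RULES PFIL_BRIDGE PFIL_MEMBER: returns 1 when unsafe.
audit_bridge_pf() {
    if ! bridge_filtering_enabled "$2" "$3"; then
        echo "bridge filtering disabled; pf never sees bridged frames"
        return 0
    fi
    n=$(count_reroute_rules "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: bridge filtering is on and $n route-to/reply-to rule(s) exist:"
        list_reroute_rules "$1"
        return 1
    fi
    echo "no route-to/reply-to rules; IPv6 fragmentation remains a known failure case"
    return 0
}

# Constructed sample ruleset (not a real deployment).
SAMPLE_RULES='block all
pass in on em0 inet6 proto tcp to port 443
pass in on em0 route-to (em1 192.0.2.1) from 192.0.2.0/24
pass out on em0 reply-to (em1 192.0.2.1) proto tcp
pass in on bridge0 tagged TRUSTED'

# Live use on FreeBSD: audit_bridge_pf "$(pfctl -sr)" \
#   "$(sysctl -n net.link.bridge.pfil_bridge)" "$(sysctl -n net.link.bridge.pfil_member)"
```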
Date:      Fri, 10 Jul 2020 23:04:35 +0200
From:      <l.m.v.breda@xs4all.nl>
To:        "'Ultima'" <ultima1252@gmail.com>
Cc:        <pf@freebsd.org>
Subject:   RE: The best of both worlds “using mac filtering in pf”
Message-ID:  <000601d656fd$b7d17340$277459c0$@xs4all.nl>
In-Reply-To: <CANJ8om4aOTgwBc+Y9w5P5ed37LT-HB-tRXc70LeoUoq0Egcevw@mail.gmail.com>
References:  <!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==@xs4all.nl> <CANJ8om4aOTgwBc+Y9w5P5ed37LT-HB-tRXc70LeoUoq0Egcevw@mail.gmail.com>

Hello,

Seeing the reactions, I think I did not describe my problem well enough. So here is a better problem description.

An IPv6 device has many IPv6 addresses, among them temporary addresses and autogenerated addresses. This is partly because of privacy concerns.

So if an IPv6 device starts a connection with e.g. a temporary address, the firewall does not know that address. As a consequence, filtering the outgoing traffic of that specific device is not possible.

So given that situation you / the firewall need something else to filter on. And the intention is to use the device MAC address for that. That is not that special. Other firewalls can do that as well (to a certain extent even the OpenBSD pf version).

So the intention is not to do level-2 filtering; the intention is just to use the level-2 address as an alternative for the unknown IPv6 address, for level-3 filtering.

Not different from IPv4 firewall rules using an IPv4 address to block or pass incoming or outgoing traffic.

Hope this clarifies things.

Louis

From: Ultima <ultima1252@gmail.com>
Sent: Friday, July 10, 2020 10:31 PM
To: l.m.v.breda@xs4all.nl
Cc: pf@freebsd.org
Subject: Re: The best of both worlds “using mac filtering in pf”

Please go in detail about this issue on why you would need to filter layer 2.

I see very little benefit to having the ability to filter on layer 2 except in some very special cases, and IPv6 isn't one of them that I'm aware of.

Best regards,

Richard Gallamore

On Fri, Jul 10, 2020 at 10:57 AM <l.m.v.breda@xs4all.nl> wrote:

Hello,

I am using pfSense, built on top of pf. And of course pfSense/pf is a terrific firewall; however, the world is changing in the direction of IPv6 and that leads to new issues and related new requirements.

One of the major issues is that IPv6 does not provide a stable source address you can use to filter in your firewall.

Many firewalls “out there” are *using the level-2 mac as a way around this issue*. However ….. pfSense cannot provide that functionality, since it is built on top of …… pf.

Well, and then there is a “striking” issue ….. suppose that pfSense would have been built on top of OpenBSD, still using pf ………. That would have been possible …….

So as a user I would be very pleased if there could be a joined “pf-release” having *best of both worlds* !!!!

Assume we were running OpenBSD …… things like

step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag <sometag>
step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy based rule)

would have been an option, …. not saying it is the best option ….. a better option would be if pf could set the tag itself.

Whatever, please consider adding this functionality to pf, preferably on short term, since IPv6 is fast becoming very important!

Sincerely,

Louis

PS … should I raise a feature request for this?
