Date: Tue, 13 Dec 2005 18:07:46 +0100
From: "Michiel Kranenburg" <michiel@nl-hrln-ptgrf.net>
To: <freebsd-pf@freebsd.org>
Subject: Possible bug in PF with if_bridge
Message-ID: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
Hello all,

I may have found a bug in PF (in combination with if_bridge) for FreeBSD 6.0-RELEASE. Let me explain my situation first:

The xl1 and xl2 interfaces are connected together as a bridge (bridge0). The sysctl settings that are used:

net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

After applying these settings and configuring ifconfig, a new interface pops up.

---------------------------------------------
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        ether ac:de:48:8c:58:62
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: xl2 flags=3<LEARNING,DISCOVER>
        member: xl1 flags=3<LEARNING,DISCOVER>
---------------------------------------------

The bridge is working fine, and passes all traffic as it's supposed to. The weird thing occurs when using PF to filter the bridge. Let me post my pf.conf first: (I did not post the declaration of variables on top of the conf)

---------------------------------------------
scrub in all

block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet

pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
pass on lo0 all

## ICMP Section ##
pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 } keep state

## DNS Replies ##
pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to $mynet port 53 keep state

## Router ##
pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state

## Mail ##
pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags S/SA keep state

## Web ##
pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep state
---------------------------------------------

As you can see, I want to block every incoming packet (if not 'passed' later on in the ruleset) to the bridge (to the network on the other side).

Now comes the strange part: Behind $web and $mail are running SSH servers. As defined by the rules, I don't want to allow any connection from the outside to the SSH servers. BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and some _don't_ (as it's supposed to be). The connections that are accepted (in violation of the PF rules) to the SSH servers are logged in /var/log/pflog as denied. (So PF marks the packets as denied, but doesn't block them!)

These faults don't apply to SSH servers only! It happens to every service on the network. At least, the hosts that I have tested with are not in a specific IP range. I just picked some random hosts with different IP addresses and tried to telnet to the service ports; with some hosts I got a nice 'return-rst' packet, telling me that the connection is refused. With others I got the service response.

I hope some of you guys can help me out. Please CC me as I'm not subscribed to this list.

With kind regards,
Michiel Kranenburg
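The following is an added example, not code from the original post or from the FreeBSD project, and it does not claim to diagnose the behaviour reported above (the page carries no reply). It is a toy model of how pf decides the fate of a packet against the posted rule set, using two facts about pf: the last matching rule wins (none of the posted rules use `quick`), and when no rule matches, pf's implicit default is an unlogged pass. With both `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` set to 1, pf evaluates a bridged packet on the member interfaces as well as on bridge0, so the model runs the same packet through each evaluation point. The values of `$mynet`, `$web`, `$mail` and `$router`, which the poster left out, are assumed (TEST-NET-1 addresses), the set and order of evaluation points is an assumption to be checked against if_bridge(4) for the running release, and the packets are constructed, not captured.

```python
"""Toy model of pf last-match-wins evaluation for the rules posted above.

Added example, not the poster's or the project's code. Assumed: the
variable values below, the evaluation points in traversal(), and the
constructed packets used in __main__.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed values for the pf.conf variables the post did not include.
VARS = {
    "mynet": ipaddress.ip_network("192.0.2.0/24"),
    "router": ipaddress.ip_address("192.0.2.1"),
    "mail": ipaddress.ip_address("192.0.2.25"),
    "web": ipaddress.ip_address("192.0.2.80"),
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block" (block return-rst is still a block)
    direction: str              # "in", "out" or "" for either
    iface: str                  # interface name, "" for any interface
    protos: Tuple[str, ...]     # empty tuple = any protocol
    src: str                    # "any" or a key in VARS
    dst: str
    dport: Optional[int] = None
    log: bool = False


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


# The filtering rules from the posted pf.conf, in order (scrub, lo0 and the
# ICMP/DNS rules are omitted because the sample packets are TCP).
RULES = [
    Rule("block", "in", "bridge0", (), "any", "mynet", log=True),
    Rule("block", "in", "bridge0", ("tcp",), "any", "mynet", log=True),  # return-rst
    Rule("pass", "in", "bridge0", ("tcp", "udp", "icmp"), "mynet", "mynet"),
    Rule("pass", "out", "bridge0", ("tcp", "udp"), "mynet", "any"),
    Rule("pass", "in", "bridge0", ("tcp", "udp"), "any", "router", 22),
    Rule("pass", "in", "bridge0", ("tcp", "udp"), "any", "mail", 25),
    Rule("pass", "in", "bridge0", ("tcp", "udp"), "mynet", "mail", 143),
    Rule("pass", "in", "bridge0", ("tcp", "udp"), "any", "web", 80),
    Rule("pass", "in", "bridge0", ("tcp", "udp"), "any", "web", 443),
]


def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise compare against a VARS host or network."""
    if spec == "any":
        return True
    target = VARS[spec]
    ip = ipaddress.ip_address(addr)
    if isinstance(target, ipaddress.IPv4Network):
        return ip in target
    return ip == target


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((not rule.direction or rule.direction == pkt.direction)
            and (not rule.iface or rule.iface == pkt.iface)
            and (not rule.protos or pkt.proto in rule.protos)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(pkt: Packet) -> Tuple[str, bool]:
    """Return (action, logged): the LAST matching rule decides, and a packet
    that matches no rule gets pf's implicit, unlogged default pass."""
    final = None
    for rule in RULES:
        if rule_matches(rule, pkt):
            final = rule
    if final is None:
        return ("pass", False)
    return (final.action, final.log)


def traversal(src: str, dst: str, dport: int, proto: str = "tcp") -> Dict[str, Tuple[str, bool]]:
    """Evaluate one packet arriving on xl1 and leaving on xl2 at every point pf
    sees it with pfil_member=1 and pfil_bridge=1 (assumed order: in on the
    ingress member, in on bridge0, out on bridge0, out on the egress member)."""
    points = [("xl1", "in"), ("bridge0", "in"), ("bridge0", "out"), ("xl2", "out")]
    return {f"{iface} {d}": evaluate(Packet(iface, d, proto, src, dst, dport))
            for iface, d in points}


if __name__ == "__main__":
    # Constructed packets: an outside host (198.51.100.7) to SSH and to HTTP on $web.
    for label, dport in (("ssh to $web", 22), ("http to $web", 80)):
        print(label)
        for point, (action, logged) in traversal("198.51.100.7", "192.0.2.80", dport).items():
            print(f"  {point:12s} {action:5s} {'logged' if logged else ''}")
```

Running it shows that, for the SSH packet, the only evaluation where a rule matches at all is `bridge0 in`, where the `block return-rst ... log` rule is the final match (block, logged); on xl1, xl2 and `bridge0 out` no posted rule names those interfaces or directions, so the model falls through to the unlogged default pass. A rule set that only names bridge0 therefore leaves every member-interface evaluation to that default; adding an explicit `block all` (or rules on the member interfaces) removes the reliance on it. Whether that is what the poster observed is not something this page settles.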
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051213170450.3CD41193631>