Date:      Tue, 13 Dec 2005 18:07:46 +0100
From:      "Michiel Kranenburg" <michiel@nl-hrln-ptgrf.net>
To:        <freebsd-pf@freebsd.org>
Subject:   Possible bug in PF with if_bridge
Message-ID:  <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>

Hello all,


I may have found a bug in PF (in combination with if_bridge) for
FreeBSD 6.0-RELEASE.


Let me explain my situation first:

The xl1 and xl2 interfaces are connected together as a bridge (bridge0).

The sysctl settings that are used:
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

After applying these settings and configuring ifconfig, a new interface pops up.

---------------------------------------------
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        ether ac:de:48:8c:58:62
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: xl2 flags=3<LEARNING,DISCOVER>
        member: xl1 flags=3<LEARNING,DISCOVER>
---------------------------------------------

The bridge is working fine, and passes all traffic as it's supposed to.


The weird thing occurs when using PF to filter the bridge.
Let me post my pf.conf first (I did not post the declaration of variables on
top of the conf):

---------------------------------------------
scrub in all

block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet

pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass out on bridge0 proto {tcp,udp} from $mynet to any keep state

pass on lo0 all


## ICMP Section ##
pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 } keep state


## DNS Replies ##
pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to $mynet port 53 keep state


## Router ##
pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state


## Mail ##
pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags S/SA keep state


## Web ##
pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep state
---------------------------------------------


As you can see, I want to block every incoming packet (if not 'passed' later
on the ruleset) to the bridge (to the network on the other side).


Now comes the strange part:

Behind $web and $mail, SSH servers are running. As defined by the rules, I
don't want to allow any connection from the outside to the SSH servers.
BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and
some _don't_ (as it is supposed to be).

The connections that are accepted (in violation of the PF rules) to the
SSH servers are logged in /var/log/pflog as denied. (So PF marks the packets
as denied, but doesn't block them!)

These faults don't apply to SSH servers only! It happens to every service on
the network.

At least, the hosts that I have tested with are not in a specific IP range.
I just picked some random hosts with different IP addresses and tried to
telnet to the service ports; with some hosts I got a nice 'return-rst' packet,
telling me that the connection is refused. With others I got the service
response.


I hope some of you guys can help me out.

Please CC me as I'm not subscribed to this list.


With kind regards,
Michiel Kranenburg
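As an added example (not part of the message above, and not pf's or FreeBSD's own code), a small Python audit of the configuration quoted in the message: from the two net.link.bridge sysctls it derives the set of interfaces a bridged packet is filtered on, then reports those that no block rule in the ruleset names, which is where pf falls through to its implicit pass. The interface names, sysctl values and rules are taken from the message; the `uncovered_interfaces` helper and the regex are assumptions of this example.

```python
import re

# Constructed from the values quoted in the message above.
SYSCTL = {"net.link.bridge.pfil_bridge": 1, "net.link.bridge.pfil_member": 1}
BRIDGE_MEMBERS = {"bridge0": ["xl1", "xl2"]}
PF_CONF = """
scrub in all
block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet
pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
pass on lo0 all
pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
"""

# Action and, if present, the interface named after 'on'. A rule with no
# 'on' clause (e.g. 'block all') applies on every interface.
RULE_RE = re.compile(r"^(block|pass)\b(?:.*?\bon\s+(\S+))?")


def filtered_interfaces(bridge, sysctl, members):
    """Interfaces pf hooks for a packet crossing `bridge`, per the sysctls."""
    ifaces = set()
    if sysctl.get("net.link.bridge.pfil_bridge", 1):
        ifaces.add(bridge)
    if sysctl.get("net.link.bridge.pfil_member", 1):
        ifaces.update(members[bridge])
    return ifaces


def block_targets(conf):
    """Interfaces named by block rules; '*' for an interface-less block."""
    targets = set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if m and m.group(1) == "block":
            targets.add(m.group(2) or "*")
    return targets


def uncovered_interfaces(conf, sysctl, members, bridge):
    """Sorted interfaces a bridged packet traverses that no block rule names,
    i.e. where pf falls through to its implicit pass (hypothetical helper)."""
    targets = block_targets(conf)
    if "*" in targets:
        return []
    return sorted(i for i in filtered_interfaces(bridge, sysctl, members)
                  if i not in targets)


if __name__ == "__main__":
    print(uncovered_interfaces(PF_CONF, SYSCTL, BRIDGE_MEMBERS, "bridge0"))
```

With the quoted sysctls the member interfaces xl1 and xl2 are filtered too, and the quoted ruleset has no block rule for them; the audit only flags that gap, it does not claim to explain the behaviour reported above.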





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051213170450.3CD41193631>