Date:      Mon, 17 Sep 2007 16:42:43 -0300
From:      "Gilberto Villani Brito" <linux@giboia.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: Questions about filtering bridges
Message-ID:  <6e6841490709171242v61126706l782b7daec7ef3064@mail.gmail.com>
In-Reply-To: <46EDE839.8060501@criticalmagic.com>
References:  <46EDE839.8060501@criticalmagic.com>

On 16/09/2007, Richard Coleman <rcoleman@criticalmagic.com> wrote:
> I'm setting up a filtering bridge and have a couple questions.
> Hopefully someone here can help.  I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to set up an IP address, you should put it on the bridge interface
> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface.  What are the consequences of doing it
> either way?
>
> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself.  Why isn't that blocked?  I'm
> guessing it's a consequence of the fact that I put an ip address on the
> bridging interface, but I'm not sure.  What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all
>
> # external interface, outbound
> block out log on $ext_if all
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
>
> # internal interface, inbound
> pass in on $int_if all
>
> # internal interface, outbound
> pass out on $int_if all
>
>
> Richard Coleman
> rcoleman@criticalmagic.com
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Hi Richard;
The first question I don't know, but the second I know.
You are blocking everything:
block in log on $ext_if all
block out log on $ext_if all
But here:
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
All the traffic going out is allowed, and PF reads all rules unless you
use quick to stop.
See here:
http://www.openbsd.org/faq/pf/filter.html#intro


-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
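Gilberto's point about last-match evaluation, modelled in Python as an added example (not code from the thread, and not pf itself): the ruleset from the original mail reduced to direction, interface and protocol, with the same outbound packet evaluated once as written and once with `quick` on the outbound block rule. The names `Rule`, `Packet`, `evaluate`, `THREAD_RULES` and `QUICK_RULES` are assumed for the illustration.

```python
"""Toy model of pf rule evaluation: every rule is checked in order, the
LAST matching rule decides, unless a matching rule carries 'quick', which
ends evaluation immediately. Added illustration, not pf's own code."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    action: str         # "pass" or "block"
    direction: str      # "in" or "out"
    iface: str          # interface name, or "any"
    protos: frozenset   # protocols matched; frozenset({"any"}) matches all
    quick: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (pkt.iface, "any")
            and ("any" in rule.protos or pkt.proto in rule.protos))


def evaluate(rules, pkt: Packet, default: str = "pass"):
    """Return (deciding action, index of deciding rule or None).
    pf's implicit default when nothing matches is pass."""
    decision = (default, None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, i)
            if rule.quick:      # 'quick': stop here, later rules are ignored
                break
    return decision


# The thread's pf.conf, keeping only the fields this question turns on
# ('log', 'flags S/SA' and 'keep state' are left out of the model).
ANY = frozenset({"any"})
THREAD_RULES = [
    Rule("block", "in",  "fxp0", ANY),                        # block in log on $ext_if all
    Rule("block", "out", "fxp0", ANY),                        # block out log on $ext_if all
    Rule("pass",  "out", "fxp0", frozenset({"tcp"})),         # pass out on $ext_if proto tcp
    Rule("pass",  "out", "fxp0", frozenset({"udp", "icmp"})), # pass out on $ext_if proto {udp,icmp}
    Rule("pass",  "in",  "fxp1", ANY),                        # pass in on $int_if all
    Rule("pass",  "out", "fxp1", ANY),                        # pass out on $int_if all
]

# Same ruleset with 'quick' on the outbound block: the later pass rules
# never get the chance to override it.
QUICK_RULES = [replace(r, quick=True) if i == 1 else r
               for i, r in enumerate(THREAD_RULES)]
```

Running `evaluate(THREAD_RULES, Packet("out", "fxp0", "tcp"))` gives `('pass', 2)`, the last matching rule, while `QUICK_RULES` gives `('block', 1)` for the same packet.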