From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 20:08:19 2007
Message-ID: <6e6841490709171242v61126706l782b7daec7ef3064@mail.gmail.com>
Date: Mon, 17 Sep 2007 16:42:43 -0300
From: "Gilberto Villani Brito"
To: freebsd-pf@freebsd.org
In-Reply-To: <46EDE839.8060501@criticalmagic.com>
References: <46EDE839.8060501@criticalmagic.com>
Subject: Re: Questions about filtering bridges

On 16/09/2007, Richard Coleman wrote:
> I'm setting up a filtering bridge and have a couple questions.
> Hopefully someone here can help. I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to set up an ip address, you should put it on the bridge interface
> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface. What are the consequences of doing it
> either way?
>
> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself. Why isn't that blocked? I'm
> guessing it's a consequence of the fact that I put an ip address on the
> bridging interface, but I'm not sure. What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all
>
> # external interface, outbound
> block out log on $ext_if all
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
>
> # internal interface, inbound
> pass in on $int_if all
>
> # internal interface, outbound
> pass out on $int_if all
>
> Richard Coleman
> rcoleman@criticalmagic.com

Hi Richard;

The first question I don't know, but the second I know.

You are blocking everything:

block in log on $ext_if all
block out log on $ext_if all

But here:

pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

all the traffic going out is allowed, and PF reads all rules unless you use quick to stop. See here:
http://www.openbsd.org/faq/pf/filter.html#intro

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
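The rule-ordering point in the reply (the last matching rule decides, unless a matching rule carries `quick`) can be checked against Richard's ruleset with a small model of pf's evaluation order. The following is an added example written for this thread, not code from either poster or from pf itself; it models only direction, interface and protocol, ignores addresses, TCP flags, state and scrub, and says nothing about why SSH to the bridge's own address gets through. The ruleset is transcribed from the quoted pf.conf, with the `{ udp, icmp }` list expanded into two rules the way pfctl does.

```python
"""Minimal model of pf filter-rule evaluation.

pf walks the ruleset top to bottom; the LAST rule that matches a packet
decides its fate, unless a matching rule has the 'quick' keyword, in
which case evaluation stops at that rule. Added illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str                   # interface name, e.g. "fxp0"
    proto: Optional[str] = None  # None means any protocol
    quick: bool = False          # stop evaluating on match


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match on direction, interface and (optionally) protocol only."""
    return (rule.direction == pkt.direction
            and rule.iface == pkt.iface
            and (rule.proto is None or rule.proto == pkt.proto))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule) using pf's last-match semantics.

    pf's implicit default when nothing matches is pass, hence default="pass".
    """
    decision: Tuple[str, Optional[int]] = (default, None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, i)   # a later match overrides an earlier one
            if rule.quick:
                break                     # 'quick' ends evaluation immediately
    return decision


# Ruleset transcribed from the quoted pf.conf ($ext_if=fxp0, $int_if=fxp1).
EXT_IF, INT_IF = "fxp0", "fxp1"
RULESET = [
    Rule("block", "in", EXT_IF),            # block in log on $ext_if all
    Rule("block", "out", EXT_IF),           # block out log on $ext_if all
    Rule("pass", "out", EXT_IF, "tcp"),     # pass out on $ext_if proto tcp ...
    Rule("pass", "out", EXT_IF, "udp"),     # pass out on $ext_if proto { udp, icmp } ...
    Rule("pass", "out", EXT_IF, "icmp"),
    Rule("pass", "in", INT_IF),             # pass in on $int_if all
    Rule("pass", "out", INT_IF),            # pass out on $int_if all
]


def decide(direction: str, iface: str, proto: str, rules: List[Rule] = RULESET) -> str:
    """Convenience wrapper: just the action for a packet against a ruleset."""
    return evaluate(rules, Packet(direction, iface, proto))[0]


def with_quick_block_out() -> List[Rule]:
    """Same ruleset, but the outbound block on $ext_if is made 'quick'.

    With quick, the later 'pass out' rules are never consulted, so the
    outbound traffic the original ruleset allowed is now dropped.
    """
    return [Rule(r.action, r.direction, r.iface, r.proto, quick=True)
            if (r.action, r.direction, r.iface, r.proto) == ("block", "out", EXT_IF, None)
            else r
            for r in RULESET]


if __name__ == "__main__":
    for pkt in (Packet("out", EXT_IF, "tcp"), Packet("in", EXT_IF, "tcp"),
                Packet("out", EXT_IF, "gre"), Packet("in", INT_IF, "tcp")):
        action, idx = evaluate(RULESET, pkt)
        print(f"{pkt.direction:3} on {pkt.iface} proto {pkt.proto:4}: {action} (rule #{idx})")
    print("with quick on block out:", decide("out", EXT_IF, "tcp", with_quick_block_out()))
```

Running it shows that an outbound TCP packet on fxp0 is decided by rule #2 (the later `pass out ... proto tcp`), not by the `block out` at #1, while an outbound protocol with no later pass rule, such as GRE, stays blocked; adding `quick` to the `block out` rule makes it final and the later pass rules no longer apply.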