Date: Wed, 1 Dec 2004 05:51:35 +0100
From: Clément MOULIN <cmoulin@simplerezo.com>
To: <freebsd-pf@freebsd.org>, <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
Subject: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041201045203.262D443D5C@mx1.FreeBSD.org>
Hi,

I'm afraid I have found a FreeBSD 5.X security issue.

We have recently upgraded one gateway from 4.10 to 5.3... The following network is used:

  [ISP]--xl1--[FW01]-----xl0--em0--[SR01]
                 |
                 |--fxp0--em0--[SR02]

On fw01, we have one jail.

So fw01 is configured as a bridge on xl1, xl0, fxp0. Services work (before and after the upgrade).

On 4.10, we used IPFilter as firewall and for network traffic accounting. Since the upgrade, INCOMING traffic accounting does not work anymore (OUTGOING working fine)...

Thinking this could be an ipfilter issue, and because we are planning to change to the great OpenBSD pf, we have tried to do accounting with pf... but the same behaviour occurs (tests have been done with big files).

  From/to    inet   fw01   jail   sr01   sr02
  Internet   -      ok     ok     KO     KO
  Fw01       ok     -      ok     ok     ok
  Jail       ok     ok     -      ok     ok
  Sr01       KO*    ok     ok     -      KO
  Sr02       KO*    ok     ok     KO     -

  * with pf enabled, the scp connection goes "stalled" very quickly (stops between 100 and 300 Kb of traffic)

Worst thing, the "default rule" accounting (any to any) does not report the "unreported" traffic... it feels like the rules are not processed. So I decided to make another test with pf.

Adding "block in quick proto tcp from any to [jail_port] port smtp"; testing: works fine.

But with the same rule with sr01 as destination host, IT DOESN'T WORK: from internet, fw01 or sr02, we can connect to the tcp port !!!!!!!!!!!!!!!!!

It's not pf related, because the same behaviour occurs with IPF!!!!!!!!

Details

fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge, nullfs and pf.
Sr01: FreeBSD 5.2.1, custom kernel
Sr02: FreeBSD 5.3, GENERIC kernel

------------------------------------pf.conf
set loginterface fxp1

jail=**IP**
sr01=**IP**
sr02=**IP**

#block in quick proto tcp from any to $sr01 port smtp

pass quick from any to $jail keep state label 0
pass quick from $jail to any keep state label 1
pass quick from any to $sr02 keep state label 6
pass quick from $sr02 to any keep state label 7
pass quick from any to $sr01 keep state label 10
pass quick from $sr01 to any keep state label 11
pass all
------------------------------------

Seems to be FreeBSD 5.3 bridge support related...
Can someone take a look at this? Thanks!

--
Clément Moulin
SimpleRezo - Simplify your network!
Tel.: +33 871 763 102 - Web: http://www.simplerezo.com/
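As an added example, not part of Clément's mail nor of FreeBSD or pf, here is a small sh script that turns the accounting symptom above into a check: it reads pf label counters in the format printed by `pfctl -sl` (one line per label: label, evaluations, packets, bytes) and reports every host whose outbound rule has matched packets while its inbound rule has never matched, which is what a filter that bridged inbound traffic is bypassing looks like. The label-to-host pairing follows the pf.conf above, and the counter values are constructed, not real output.

```shell
#!/bin/sh
# Added example, not part of the original mail or of FreeBSD/pf.
# Checks "pfctl -sl" label counters for the reported symptom: a host's
# outbound rule accumulates packets while its inbound rule stays at zero,
# meaning inbound bridged traffic never reaches the filter at all.
# "pfctl -sl" prints one line per label: <label> <evaluations> <packets> <bytes> [...]

# Constructed sample counters (hypothetical numbers). Labels follow the
# pf.conf above: 0/1 = jail, 6/7 = sr02, 10/11 = sr01 (even in, odd out).
SAMPLE_COUNTERS='0 1522 1490 2048311
1 1410 1402 188443
6 0 0 0
7 980 975 11023
10 0 0 0
11 1201 1197 9922140'

# host, inbound label, outbound label; one entry per line.
LABEL_PAIRS='jail 0 1
sr02 6 7
sr01 10 11'

# Reads counters on stdin; prints "<host> in=<pkts> out=<pkts> ASYMMETRIC"
# for each affected host and exits 1 if any was found, 0 otherwise.
asymmetric_hosts() {
    awk -v pairs="$LABEL_PAIRS" '
        BEGIN {
            n = split(pairs, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                host[i] = f[1]; in_l[i] = f[2]; out_l[i] = f[3]
            }
        }
        { pkts[$1] = $3 }             # packet counter of each label
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                pin = pkts[in_l[i]] + 0; pout = pkts[out_l[i]] + 0
                if (pout > 0 && pin == 0) {
                    printf "%s in=%d out=%d ASYMMETRIC\n", host[i], pin, pout
                    bad = 1
                }
            }
            exit bad
        }'
}

# Demo on the constructed sample; on a live box use: pfctl -sl | asymmetric_hosts
printf '%s\n' "$SAMPLE_COUNTERS" | asymmetric_hosts || echo "inbound rules are being bypassed"
```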