Michiel Kranenburg on 12/13/2005 12:07 PM wrote:
I may have found a bug in PF (in combination with if_bridge) for FreeBSD 6.0-RELEASE.
Let me explain my situation first:
The xl1 and xl2 interfaces are connected together as a bridge (bridge0).
The sysctl settings that are used:
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1
After applying these settings and configuring ifconfig, a new interface pops up.
---------------------------------------------
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
ether ac:de:48:8c:58:62
priority 32768 hellotime 2 fwddelay 15 maxage 20
member: xl2 flags=3<LEARNING,DISCOVER>
member: xl1 flags=3<LEARNING,DISCOVER>
---------------------------------------------
The bridge is working fine, and passes all traffic as it's supposed to.
The weird thing occurs when using PF to filter the bridge.
Let me post my pf.conf first: (I did not post the declaration of variables on top of the conf)
---------------------------------------------
scrub in all
block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet
pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
pass on lo0 all
## ICMP Section ##
pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 } keep state
## DNS Replies ##
pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to $mynet port 53 keep state
## Router ##
pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state
## Mail ##
pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags S/SA keep state
## Web ##
pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep state
---------------------------------------------
As you can see, I want to block every incoming packet (if not 'passed' later on in the ruleset) to the bridge (to the network on the other side).
Now comes the strange part:
Behind $web and $mail are running SSH servers. As defined by the rules, I don't want to allow any connection from the outside to the SSH servers.
BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and some _don't_ (as it is supposed to be).
The connections that are accepted (in violation of the PF rules) to the SSH servers are logged in /var/log/pflog as denied. (So PF marks the packets as denied, but doesn't block them!)
These faults don't apply to SSH servers only! It happens to every service on the network.
At least, the hosts that I have tested with are not in a specific IP range.
I just picked some random hosts with different IP addresses and tried to telnet to the service ports; with some hosts I got a nice 'return-rst' packet, telling me that the connection is refused. With others I got the service response.
I hope some of you guys can help me out.
Please CC me as I'm not subscribed to this list.
I am new to PF and if_bridge ... so I am guessing here, but I do have first hand experience in just setting one up ... I am still playing with rulesets to get it just right ...
ANYWAY ...
Seems to me that if you want to just use "bridge0" that you should change your sysctl.conf
net.link.bridge.pfil_member=1
to
net.link.bridge.pfil_member=0
The way I have mine configured is to use the xl0 and xl1 in the rules (with pfil_member=1) ... I have seen that ftpsesame adds bridge0 rules dynamically though ...
But, I don't think it's a bug ...
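A consistency check for the situation in both posts above (the bridge0-only ruleset and the reply's pfil_member suggestion), added here and not part of either message: with pfil_bridge=1 and pfil_member=1, pf sees each bridged packet on bridge0 and on the member interface, and a ruleset whose filter rules are all scoped "on bridge0" leaves the member hook points with no matching rule, so pf's implicit default pass applies there. The sysctl values are passed as arguments rather than read from the kernel, the interface names follow the thread, and the pf.conf excerpt is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. pfil_bridge=1 hooks bridge0 and
# pfil_member=1 hooks each member interface; any hooked interface that no
# pass/block rule covers falls through to pf's default pass.

# pfil_gaps <pfil_bridge> <pfil_member> <bridge_if> "<member ifs>" <pf.conf>
# Prints the hooked interfaces that no pass/block rule covers (space separated).
pfil_gaps() {
    pfil_bridge=$1; pfil_member=$2; bridge_if=$3; members=$4; conf=$5
    # An unscoped pass/block rule (no "on <if>") applies at every hook point.
    if grep -E '^[[:space:]]*(pass|block)([[:space:]]|$)' "$conf" |
            grep -Evq '[[:space:]]on[[:space:]]'; then
        echo ""
        return 0
    fi
    hooked=""
    if [ "$pfil_bridge" = 1 ]; then hooked="$bridge_if"; fi
    if [ "$pfil_member" = 1 ]; then hooked="$hooked $members"; fi
    gaps=""
    for ifn in $hooked; do
        # A rule covers this hook point if it is scoped "on <ifn>".
        if ! grep -Eq "^[[:space:]]*(pass|block)[^#]*[[:space:]]on[[:space:]]+$ifn([[:space:]]|$)" "$conf"; then
            gaps="$gaps $ifn"
        fi
    done
    echo "${gaps# }"
}

# Constructed excerpt modelled on the thread's ruleset: every filter rule is scoped to bridge0.
sample_conf() {
    cat > "$1" <<'EOF'
scrub in all
block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet
pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
pass on lo0 all
EOF
}

conf=$(mktemp)
sample_conf "$conf"
echo "pfil_bridge=1 pfil_member=1 -> uncovered: $(pfil_gaps 1 1 bridge0 'xl1 xl2' "$conf")"
echo "pfil_bridge=1 pfil_member=0 -> uncovered: $(pfil_gaps 1 0 bridge0 'xl1 xl2' "$conf")"
rm -f "$conf"
```

With both sysctls set to 1 the check lists xl1 and xl2 as uncovered; with pfil_member=0, or with an unscoped "block all" rule in the file, it lists nothing.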
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"