Date: Mon, 17 Sep 2007 17:59:01 -0400
From: Richard Coleman <rcoleman@criticalmagic.com>
To: Andrew Thompson <thompsa@FreeBSD.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Questions about filtering bridges
Message-ID: <46EEF8A5.10402@criticalmagic.com>
In-Reply-To: <20070917204318.GB9614@heff.fud.org.nz>
References: <46EDE839.8060501@criticalmagic.com> <20070917202951.GF2742@heff.fud.org.nz> <46EEE5C9.8050103@criticalmagic.com> <20070917204318.GB9614@heff.fud.org.nz>
Andrew Thompson wrote:
> On Mon, Sep 17, 2007 at 04:38:33PM -0400, Richard Coleman wrote:
>
>> Andrew Thompson wrote:
>>
>>> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>>>
>>>> Question 1: In the Handbook section on bridging, it says that if you
>>>> need to set up an IP address, you should put it on the bridge interface
>>>> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
>>>> put it on the inside interface. What are the consequences of doing it
>>>> either way?
>>>
>>> OpenBSD does not support adding an IP address to a bridge interface so
>>> they do not have a choice here. Assigning the IP to the bridge is the
>>> correct way to do it as it is the central piece of the setup.
>>>
>>>> Question 2: If I use the following pf.conf (should block everything
>>>> inbound, but allow everything outbound), I notice I'm still able to ssh
>>>> into the bridging firewall itself. Why isn't that blocked? I'm
>>>> guessing it's a consequence of the fact that I put an IP address on the
>>>> bridging interface, but I'm not sure. What am I missing?
>>>
>>> This is because the _bridge_ is the interface that the packet arrives
>>> on. Think of the bridge as a fully functioning interface; what you need
>>> is:
>>>
>>> bridge_if="bridge0"
>>> block in log on $bridge_if all
>>>
>>> regards,
>>> Andrew
>>
>> I was confused because the if_bridge(4) man page (for 6.2) says that
>> traffic always passes first through the originating interface (which I
>> took to be the external physical interface), then passes through the
>> bridge interface, and then through all appropriate outbound interfaces.
>> So I assumed a block rule for the first physical interface would
>> prevent the packet from ever reaching the bridge interface.
>>
>> Given that wording, I was confused why you would ever need to filter on
>> the bridge interface itself.
>
> I see where the confusion comes in then. That particular section refers
> to the bridge forwarding packets; anything that is destined for the
> local host is tapped off early and handled specially. I welcome any
> wording changes on the man page.
>
> cheers,
> Andrew

That greatly clarifies things. Thanks for the help.

Richard Coleman
rcoleman@criticalmagic.com
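The distinction Andrew draws (forwarded packets are filtered on the member interface, then on bridge0; packets addressed to the firewall itself are only ever seen by pf as arriving on bridge0) is easiest to see in a full ruleset. The pf.conf below is an added example, not the poster's own configuration, which is not reproduced in the thread. The member interface names, the management network and the bridge address are assumptions; it assumes a FreeBSD if_bridge(4) setup with the host's IP on bridge0, the default net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=1, and pf's default floating state policy.

```pf
# Added example pf.conf for a FreeBSD if_bridge filtering bridge.
# Not from the thread: interface names, the management network and the
# bridge address below are assumptions; adjust to your own setup.
ext_if="em0"               # outside member of the bridge (assumed)
int_if="em1"               # inside member of the bridge (assumed)
bridge_if="bridge0"        # the bridge itself, which carries the host's IP
mgmt_net="192.0.2.0/24"    # assumed network allowed to reach sshd on the firewall
bridge_addr="192.0.2.10"   # assumed address configured on bridge0

# --- What went wrong in the thread: filtering only the physical member ---
#   block in log on $ext_if all
# This stops traffic the bridge *forwards* from outside to inside, because
# forwarded packets are run through pf on the member interface first.
# Packets addressed to the firewall itself never take that path: they are
# tapped off early and handed to the local stack with bridge0 as the
# receiving interface, so a rule on $ext_if never sees the ssh connection.

# --- Corrected: default-deny on the interface every packet is seen on ---
# Both forwarded packets (after the member interface) and packets for the
# local host pass "in" on bridge0, so this one rule covers both cases.
block in log on $bridge_if all

# Inside-originated sessions: create state as the packet enters on the
# inside member. The floating state then matches the same packet when it
# is evaluated again "in" on bridge0 and "out" on $ext_if, and matches the
# replies when they come back in on $ext_if and bridge0.
pass in quick on $int_if all keep state

# Traffic the firewall itself originates leaves "out" on bridge0; keeping
# state here lets its replies through the default block above.
pass out quick all keep state

# Management access to the firewall: pf sees it arriving on bridge0, so the
# exception has to name $bridge_if, not the physical member it came in on.
pass in quick on $bridge_if proto tcp from $mgmt_net to $bridge_addr port 22 flags S/SA keep state
```

Two things are worth checking on your own box before relying on this: that `sysctl net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` are both 1 (if pfil_bridge is 0, nothing is evaluated on bridge0 at all and the default block above is silently ineffective), and that `pfctl -s state` shows a single floating state per inside session rather than one per interface, which is what makes the `pass in on $int_if` rule sufficient for the later bridge0 and $ext_if evaluations. If you set `set state-policy if-bound`, the forwarded packet would need its own pass rules on each interface it crosses.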