Date: Tue, 18 Sep 2007 08:29:51 +1200
From: Andrew Thompson <thompsa@FreeBSD.org>
To: Richard Coleman <rcoleman@criticalmagic.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Questions about filtering bridges
Message-ID: <20070917202951.GF2742@heff.fud.org.nz>
In-Reply-To: <46EDE839.8060501@criticalmagic.com>
References: <46EDE839.8060501@criticalmagic.com>
On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
> I'm setting up a filtering bridge and have a couple of questions.
> Hopefully someone here can help. I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to set up an IP address, you should put it on the bridge interface
> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface. What are the consequences of doing it
> either way?

OpenBSD does not support adding an IP address to a bridge interface, so
they do not have a choice here. Assigning the IP to the bridge is the
correct way to do it, as it is the central piece of the setup.

> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself. Why isn't that blocked? I'm
> guessing it's a consequence of the fact that I put an IP address on the
> bridging interface, but I'm not sure. What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all

This is because the _bridge_ is the interface that the packet arrives
on. Think of the bridge as a fully functioning interface; what you need
is:

bridge_if="bridge0"
block in log on $bridge_if all

regards,
Andrew
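As an added example that is not part of either message in the thread: a complete pf.conf for the setup Richard describes, applying Andrew's point that packets addressed to the firewall's own IP arrive on bridge0, not on fxp0. The internal network 64.45.160.192/28 is derived from the 64.45.160.194/28 prefix in the posted rc.conf; the ssh allow rule and the two if_bridge(4) sysctl settings are my assumptions, chosen so that transit traffic is evaluated only on the member interfaces (fxp0/fxp1) while packets for the firewall itself are evaluated on bridge0.

```conf
# /etc/pf.conf for the bridge described above.
# Added example, not the poster's or Andrew's configuration.
#
# Assumes /etc/sysctl.conf contains (see if_bridge(4)):
#   net.link.bridge.pfil_member=1   # filter transit traffic on fxp0/fxp1
#   net.link.bridge.pfil_bridge=0   # do not evaluate transit traffic on bridge0
# so that only packets destined for the firewall itself are seen "in on bridge0".

# interfaces
ext_if="fxp0"
int_if="fxp1"
bridge_if="bridge0"

# the /28 behind the bridge, taken from the rc.conf prefix 64.45.160.194/28
int_net="64.45.160.192/28"

# options
set skip on lo0
set block-policy drop

# normalization (transit traffic, evaluated on the outside member)
scrub in on $ext_if all
scrub out on $ext_if random-id

# transit traffic: block everything inbound on the outside member,
# let the inside hosts out and keep state so replies return through fxp0
block in log on $ext_if all
pass in on $int_if from $int_net to any keep state
pass out on $ext_if from $int_net to any keep state

# the firewall itself: packets for 64.45.160.194 arrive on bridge0,
# so a block on $ext_if never sees them; block them here instead
block in log on $bridge_if all
pass out on $bridge_if all keep state

# management: ssh to the bridge's own address, only from the inside network
pass in on $bridge_if proto tcp from $int_net to ($bridge_if) port ssh \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm with `pfctl -vsr` that the bridge0 block rule is the one whose counters increase when you try to ssh in from the outside. If you leave `net.link.bridge.pfil_bridge` at its default of 1, transit traffic is evaluated against the bridge0 rules as well and the `block in log on $bridge_if all` line will drop it too, so you would then need matching pass rules on bridge0 for the forwarded flows.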