Date: Sun, 16 Sep 2007 22:36:41 -0400 From: Richard Coleman <rcoleman@criticalmagic.com> To: freebsd-pf@freebsd.org Subject: Questions about filtering bridges Message-ID: <46EDE839.8060501@criticalmagic.com>
I'm setting up a filtering bridge and have a couple questions. Hopefully someone here can help. I've looked at all the docs online (and lots of Google searches) but there isn't much recent info on filtering bridges.

The setup is pretty simple: fxp0 is external and fxp1 is internal.

# rc.conf
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"

Question 1: In the Handbook section on bridging, it says that if you need to set up an IP address, you should put it on the bridge interface (bridge0). But in the OpenBSD docs on filtering bridges, they say to put it on the inside interface. What are the consequences of doing it either way?

Question 2: If I use the following pf.conf (should block everything inbound, but allow everything outbound), I notice I'm still able to ssh into the bridging firewall itself. Why isn't that blocked? I'm guessing it's a consequence of the fact that I put an IP address on the bridging interface, but I'm not sure. What am I missing?

# pf.conf

# interfaces
ext_if="fxp0"
int_if="fxp1"

# options
set skip on lo0
set block-policy drop

# normalization
scrub in on $ext_if all
scrub out on $ext_if random-id

# external interface, inbound
# default is to block all inbound on external interface
block in log on $ext_if all

# external interface, outbound
block out log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# internal interface, inbound
pass in on $int_if all

# internal interface, outbound
pass out on $int_if all

Richard Coleman
rcoleman@criticalmagic.com
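The point both questions turn on is where pf actually evaluates a ruleset on a FreeBSD if_bridge(4) bridge. Two sysctls decide that: net.link.bridge.pfil_member (rules run on the member interfaces, fxp0 and fxp1, as a frame enters and leaves them) and net.link.bridge.pfil_bridge (rules run a second time on bridge0 itself); both default to 1. The pf.conf above names only the members, so on the bridge0 pass nothing matches and pf's implicit default, pass, applies. That also answers the address question: on FreeBSD the bridge interface is the intended home for the address and the member interfaces should stay bare, while OpenBSD's bridge(4) interface cannot carry an address at all, which is why its docs put it on a member. The script below is an added diagnostic helper, not code from the post or from the FreeBSD project: it derives the filtering points from the sysctl output and, when run with `--live` on the bridge, prints the pf rule counters and pflog decisions so you can see which rule (or the absence of one) admitted the SSH session. The interface names bridge0, fxp0 and fxp1 are taken from the post; the sysctl text used offline is constructed.

```sh
#!/bin/sh
# Added diagnostic helper for a FreeBSD if_bridge(4) + pf filtering bridge.
# Not from the original post. Assumes the net.link.bridge.pfil_member and
# net.link.bridge.pfil_bridge sysctls of if_bridge(4) and a running pf;
# the sample sysctl text in the offline branch is constructed.

# bridge_filter_points BRIDGE "MEMBERS" "SYSCTL_OUTPUT"
# Prints the interfaces on which pf evaluates its ruleset for a frame that
# crosses the bridge, derived from the two pfil sysctls (both default to 1):
#   pfil_member=1  -> rules run on each member as the frame enters/leaves it
#   pfil_bridge=1  -> rules run again on the bridge interface itself
# A ruleset that only names the members leaves the bridge0 pass to pf's
# implicit default (pass), so traffic for the bridge's own address gets no
# extra filtering there.
bridge_filter_points() {
    bridge=$1
    members=$2
    sysctl_out=$3
    # sysctl(8) prints "net.link.bridge.pfil_member: 1"; take the last field.
    member_on=$(printf '%s\n' "$sysctl_out" | awk '/\.pfil_member:/ {print $NF}')
    bridge_on=$(printf '%s\n' "$sysctl_out" | awk '/\.pfil_bridge:/ {print $NF}')
    points=""
    if [ "${member_on:-0}" = 1 ]; then
        points="$members"
    fi
    if [ "${bridge_on:-0}" = 1 ]; then
        points="${points:+$points }$bridge"
    fi
    if [ -n "$points" ]; then
        printf '%s\n' "$points"
    else
        printf 'none\n'
    fi
}

# live_check: run on the bridge itself to see where the ruleset is applied
# and which rules an SSH connection actually matched.
live_check() {
    sysctl_out=$(sysctl net.link.bridge)
    printf 'pf filters bridged frames on: %s\n' \
        "$(bridge_filter_points bridge0 "fxp0 fxp1" "$sysctl_out")"
    # Rule counters: the rule whose counters grow while you ssh in is the one
    # letting the session through; no counter moving means the default pass.
    pfctl -vsr
    # Decisions logged by the 'log' keyword, with the interface they fired on.
    tcpdump -n -e -ttt -c 20 -i pflog0 port 22
}

# Offline demo with constructed sysctl text; run with --live on the bridge.
if [ "${1:-}" = "--live" ]; then
    live_check
else
    demo="net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1"
    bridge_filter_points bridge0 "fxp0 fxp1" "$demo"
fi
```

With the defaults the offline run prints `fxp0 fxp1 bridge0`. If the live counters show `pass in on fxp1 all` growing, the session is simply arriving from the inside and the ruleset allows it; if nothing on fxp0 matches yet the session works from outside, check that pfil_member is really 1, since with it at 0 only the bridge0 pass remains and this ruleset has no rule there.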
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46EDE839.8060501>