From owner-freebsd-pf@FreeBSD.ORG Mon Oct 8 10:48:51 2007
From: Tobias Ernst
Date: Mon, 08 Oct 2007 13:48:32 +0300
To: freebsd-pf@freebsd.org
Subject: Filtering bridge plus router - further interface woes
Message-ID: <470A0B00.2040606@casino.uni-stuttgart.de>
In-Reply-To: <4701FAD7.4050600@casino.uni-stuttgart.de>
References: <46EDE839.8060501@criticalmagic.com> <20070917202951.GF2742@heff.fud.org.nz> <46EEE5C9.8050103@criticalmagic.com> <20070917204318.GB9614@heff.fud.org.nz> <4701FAD7.4050600@casino.uni-stuttgart.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Dear list,

I have now applied the phys_local_phys patch on 6.2, which does its job for inbound packets to the local firewall, but I am still not able to see outbound packets on the physical interfaces.

As a reminder, my firewall is bridging between various logical segments of our internal net, which consists of only 1 IP subnet, and is also acting as a router for the entire external net:

  bridge0 = em0, em1 (various logical segments of our internal net)
  bridge0 has IP x.x.x.254 (gateway for our internal net)
  em2 is the external interface and has IP x.x.y.123

I used "log-all" type rules to find out which interfaces the packets run through from pf's perspective. Let's consider an ssh connection from an outside computer O connected to em2 to an inside computer I connected to em0.

  Packets from O to I will appear, in order, on the interfaces em2, bridge0
  Packets from I to O will appear, in order, on the interfaces em0, bridge0, em2

What I would like to have is to see the packet from O to I also on em0, and I would not like to see bridge0 /at all/.

I have played around with the other sysctl variables. It turns out that setting pfil_bridge to 0 makes "em2" disappear from the list above, but bridge0 remains, which I think is counter-intuitive or maybe even a bug. Setting pfil_member to 0 does not make any difference.

Are there any further patches from -CURRENT that would make such a behaviour possible?

Also, I wonder whether I could use "synproxy state" for connections from O to I. I know that "synproxy state" does not work for bridges, but those packets are arriving on em2, which is not a member of the bridge, and are then being routed before being put on the bridge, so there should be a possibility for proxying. However, packets still don't get through when I change a "keep state" rule to "synproxy state".
TIA

Regards
Tobias

--
Universität Stuttgart | Faculty of Architecture and Urban Planning | casinoIT
70174 Stuttgart, Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228  F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de  I http://www.casino.uni-stuttgart.de
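[Editor's note, not part of the thread.] The interface lists in the post above were worked out by hand from "log" rules. The script below is an added example, written for this archive page and not code from Tobias or the FreeBSD project, that does the same bookkeeping automatically: it reads the text form of a pflog capture (the format printed by `tcpdump -n -e -ttt -i pflog0` on FreeBSD) and prints, per flow, the ordered list of direction/interface pairs pf saw, so the effect of toggling net.link.bridge.pfil_bridge and net.link.bridge.pfil_member can be checked as an assertion rather than by eye. The capture embedded in the script is constructed to mirror the scenario in the mail (O = 203.0.113.5 on em2, I = 192.0.2.10 on em0, bridge0 in between); the addresses, ports and timestamps are assumptions, and the script handles IPv4 flows only.

```shell
#!/bin/sh
# Added example (not from the original post). Summarise the path a packet takes
# through pf's pfil hooks from a pflog capture, the way the poster did by hand.
#
# Sysctls the post is experimenting with (real FreeBSD names, not set here so
# the script runs offline):
#   net.link.bridge.pfil_member  - filter on bridge member interfaces (em0, em1)
#   net.link.bridge.pfil_bridge  - filter on the bridge interface itself (bridge0)

# Constructed pflog text in the format of `tcpdump -n -e -ttt -i pflog0`.
# Flow 1: O -> I SYN seen on em2 (in) then bridge0 (out), never on em0.
# Flow 2: I -> O SYN/ACK seen on em0 (in), bridge0 (in), em2 (out).
SAMPLE_PFLOG='00:00:00.000000 rule 0/0(match): pass in on em2: 203.0.113.5.54321 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000012 rule 0/0(match): pass out on bridge0: 203.0.113.5.54321 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000300 rule 0/0(match): pass in on em0: 192.0.2.10.22 > 203.0.113.5.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
00:00:00.000310 rule 0/0(match): pass in on bridge0: 192.0.2.10.22 > 203.0.113.5.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
00:00:00.000320 rule 0/0(match): pass out on em2: 192.0.2.10.22 > 203.0.113.5.54321: Flags [S.], seq 2, ack 2, win 65535, length 0'

# interface_path: pflog text on stdin -> one line per "src > dst" flow:
#   "src > dst: dir/if dir/if ..." in the order the packets were logged.
interface_path() {
    awk '
    /on [^:]+:/ {
        # Tokens: ... pass|block in|out on IFACE: SRC > DST: ...
        for (i = 1; i <= NF; i++) {
            if ($i == "on") {
                dir = $(i - 1); ifc = $(i + 1); sub(":$", "", ifc)
                src = $(i + 2); dst = $(i + 4); sub(":$", "", dst)
                break
            }
        }
        key = src " > " dst
        if (!(key in path)) { order[++n] = key; path[key] = "" }
        sep = (path[key] == "") ? "" : " "
        path[key] = path[key] sep dir "/" ifc
    }
    END { for (i = 1; i <= n; i++) print order[i] ": " path[order[i]] }
    '
}

# expect_path FLOW EXPECTED: pflog text on stdin; succeeds only if the observed
# path for FLOW ("src > dst") is exactly EXPECTED. Handy after each sysctl change.
expect_path() {
    observed=$(interface_path | grep -F "$1: " | sed 's/^.*: //')
    [ "$observed" = "$2" ]
}

# Stand-alone run: show the paths for the constructed capture.
printf '%s\n' "$SAMPLE_PFLOG" | interface_path
```

Run against a real capture with `tcpdump -n -e -ttt -i pflog0 | sh -c '. ./path.sh; interface_path'` (or save the tcpdump output to a file and pipe it in); the second function lets a post-sysctl check like `expect_path "O > I" "in/em2 out/bridge0 out/em0"` fail loudly when the packet still does not appear on em0, which is exactly the case described in the mail.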