From: "Sean Dean"
To: freebsd-pf@freebsd.org
Date: Sat, 10 Sep 2005 06:27:12 -0400
Subject: PF with if_bridge

Hello,

Since I moved over from an OpenBSD bridge to a FreeBSD-6 one with the new bridge code, I have been having some problems getting my pf.conf to fully work. I have tried all the combinations I could think of, but just can't get it right. When I first switched over, I used the exact copy of the pf.conf from the OpenBSD machine, just substituting the new device names. This didn't work at all, and I have made changes to it, possibly inserting an error on my part. I was wondering if someone could assist me?
Here is my current pf.conf:

-------------------------------------
set loginterface bridge0

# Turning on scrub in this config stops the bridge from working, this was not the case
# in OpenBSD. So we comment it out.
#scrub in on bridge0 all no-df

block in log on bridge0 all

pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22, 25 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80, 443 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80, 443 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 25 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22 } flags S/SA keep state

# Bind doesn't seem to work with these rules. The request to 53 works, but
# the reply, on the random, high UDP port is blocked. So we use the rule I have
# further below, which allows all UDP.
#pass in on bridge0 proto udp from any to 216.58.xxx.xxx port { 53 } keep state
#pass in on bridge0 proto udp from any to 216.58.xxx.xxx port { 53 } keep state

pass in on bridge0 proto udp from any to any keep state

# The rule below doesn't seem to actually work, this might be bad placement of the
# rule? I keep it in because there seems to be no negative effect.
block in log on bridge0 proto udp from any to any port { 161, 514 }

pass in on bridge0 inet proto icmp all icmp-type echoreq keep state
pass in on bridge0 proto esp from any to any keep state

# I remember seeing people saying that only "in" rules are allowed on a bridge,
# although I have also seen other cases of "out" rules being applied to this new
# FreeBSD bridge code. ALL TCP traffic coming from the inside is blocked, but if it originates
# from the outside (for example Apache, SSH login) it works fine.
pass out on bridge0 proto tcp all flags S/SA keep state
pass out on bridge0 proto udp all keep state
pass out on bridge0 proto icmp all keep state
-------------------------------------

To address the possible "in" only rule above I tried to place this in instead, but no change, outgoing traffic was blocked originating from the inside:

pass in on bridge0 proto tcp from 216.58.xxx.xxx/26 to any keep state

I thank you in advance for any help you can provide. I probably did something wrong above that is causing these problems, but I can't figure it out and look to you all for advice.

Thanks,
Sean
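As an added illustration (not part of Sean's post, and not pf's own code), a small Python model of pf's last-matching-rule evaluation applied to a reduced copy of the rule set above; it shows why an inside host's outgoing TCP SYN, which also arrives "in on bridge0", ends at the catch-all block rule while an outside client's SYN to the server is passed, and what the extra inside-to-any rule changes on paper. The 216.58.1.x addresses, the /26 and the 198.51.100.7 peer are constructed stand-ins for the redacted values.

```python
import ipaddress
import re
# Constructed stand-ins for the redacted 216.58.xxx.xxx addresses in the post.
SERVER, INSIDE_NET = "216.58.1.10", "216.58.1.0/26"
# Reduced copy of the posted rule set (same order, one rule per family of rules).
RULES = [
    "block in log on bridge0 all",
    "pass in on bridge0 proto tcp from any to %s port { 22, 25 }" % SERVER,
    "pass in on bridge0 proto tcp from any to %s port { 80, 443 }" % SERVER,
    "pass in on bridge0 proto udp from any to any",
    "block in log on bridge0 proto udp from any to any port { 161, 514 }",
    "pass out on bridge0 proto tcp all",
    "pass out on bridge0 proto udp all",
]
INSIDE_OUT_RULE = "pass in on bridge0 proto tcp from %s to any" % INSIDE_NET  # the post's extra rule
RULE_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out)(?: log)? on (?P<iface>\S+)(?: proto (?P<proto>\S+))?"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+)| all)(?: port \{ (?P<ports>[^}]*)\})?")

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    r = m.groupdict()
    r["ports"] = {int(p) for p in r["ports"].split(",")} if r["ports"] else None
    return r

def addr_match(spec, addr):
    if spec in (None, "any"):          # 'all' rules and 'any' endpoints match everything
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] == pkt["iface"]
            and r["proto"] in (None, pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and (r["ports"] is None or pkt["dport"] in r["ports"]))

def decide(rules, pkt):
    """(action, rule) for the first packet of a flow: in pf the last matching rule wins."""
    verdict = ("pass", None)           # a packet matching no rule at all is passed
    for text in rules:
        r = parse_rule(text)
        if rule_matches(r, pkt):
            verdict = (r["action"], text)
    return verdict

# Both SYNs arrive "in on bridge0": an outside client reaching the server's port 80, and an
# inside host opening a connection to an outside web server (198.51.100.7 is a constructed peer).
OUTSIDE_TO_SERVER = dict(dir="in", iface="bridge0", proto="tcp", src="198.51.100.7", dst=SERVER, dport=80)
INSIDE_TO_OUTSIDE = dict(dir="in", iface="bridge0", proto="tcp", src="216.58.1.20", dst="198.51.100.7", dport=80)
```

The model covers rule matching on bridge0 only: it does not simulate state lookups, scrub, or the per-member-interface filtering that FreeBSD's if_bridge(4) controls through net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, so a real packet can be decided on a member interface before bridge0 ever sees it.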