From: Richard Coleman <rcoleman@criticalmagic.com>
Date: Mon, 17 Sep 2007 16:38:33 -0400
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
Subject: Re: Questions about filtering bridges

Andrew Thompson wrote:
> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>
>> I'm setting up a filtering bridge and have a couple questions.
>> Hopefully someone here can help.  I've looked at all the docs online
>> (and lots of Google searches) but there isn't much recent info on
>> filtering bridges.
>>
>> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>>
>> # rc.conf
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>>
>> Question 1: In the Handbook section on bridging, it says that if you
>> need to set up an IP address, you should put it on the bridge interface
>> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
>> put it on the inside interface.  What are the consequences of doing it
>> either way?
>>
>
> OpenBSD does not support adding an IP address to a bridge interface so
> they do not have a choice here.  Assigning the IP to the bridge is the
> correct way to do it as it is the central piece of the setup.
>
>
>> Question 2: If I use the following pf.conf (should block everything
>> inbound, but allow everything outbound), I notice I'm still able to ssh
>> into the bridging firewall itself.  Why isn't that blocked?  I'm
>> guessing it's a consequence of the fact that I put an IP address on the
>> bridging interface, but I'm not sure.  What am I missing?
>>
>> # pf.conf
>>
>> # interfaces
>> ext_if="fxp0"
>> int_if="fxp1"
>>
>> # options
>> set skip on lo0
>> set block-policy drop
>>
>> # normalization
>> scrub in on $ext_if all
>> scrub out on $ext_if random-id
>>
>> # external interface, inbound
>> # default is to block all inbound on external interface
>> block in log on $ext_if all
>>
>
> This is because the _bridge_ is the interface that the packet arrives
> on.  Think of the bridge as a fully functioning interface; what you need
> is:
>
> bridge_if="bridge0"
> block in log on $bridge_if all
>
>
> regards,
> Andrew
>

I was confused because the if_bridge(4) man page (for 6.2) says that
traffic always passes first through the originating interface (which I
took to be the external physical interface), then passes through the
bridge interface, and then through all appropriate outbound interfaces.

So I assumed a block rule for the first physical interface would prevent
the packet from ever reaching the bridge interface.  Given that wording,
I was confused why you would ever need to filter on the bridge interface
itself.

Thanks for the help.

Richard Coleman
rcoleman@criticalmagic.com
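Editor's note: the following pf.conf is an added worked example, not part of the thread above and not code from the FreeBSD project. It puts the rule set from the question (block only on the member interface fxp0) beside the form Andrew describes (default-deny on bridge0, the interface pf actually sees the packet arrive on) and adds the pass rules a transparent bridge still needs. The interface names and the bridge address come from the thread; the internal host list (int_net), the admin host allowed to ssh to the bridge (admin_hosts) and the macro names are assumptions made up for the example. The man page wording Richard quotes describes frames the bridge forwards between members; frames addressed to the bridge host's own IP are handed to the stack on bridge0, so a block rule on fxp0 never matches them, which is the behaviour seen in the question. Whether bridged frames are additionally filtered on the member interfaces and on bridge0 is controlled by the if_bridge(4) sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge (both default to 1); the example assumes those defaults.

```pf
# /etc/pf.conf -- filtering bridge, IP address lives on bridge0
# Added example; interface names and 64.45.160.194/28 come from the thread,
# the host addresses below are assumptions constructed for illustration.

ext_if="fxp0"
int_if="fxp1"
bridge_if="bridge0"

# Assumed: hosts behind fxp1 that may initiate connections through the bridge.
int_net="{ 64.45.160.196, 64.45.160.197 }"
# Assumed: the one host allowed to ssh to the bridge itself.
admin_hosts="{ 64.45.160.196 }"

# options
set skip on lo0
set block-policy drop
# floating is the default state policy; it lets a state created on
# "in on bridge0" match the same packet and its replies on the other
# passes (member in/out, bridge out), which a bridged frame also makes.
set state-policy floating

# normalization, still done on the physical external interface
scrub in on $ext_if all
scrub out on $ext_if random-id

# Weak form from the question: only matches what pf sees "in on fxp0".
# Traffic to the bridge host's own address reaches the stack on bridge0,
# so ssh to the firewall is never evaluated against this rule.
# block in log on $ext_if all

# Corrected form: default-deny on the interface the packet arrives on.
# With net.link.bridge.pfil_bridge=1 this also covers frames the bridge
# forwards from fxp0 towards fxp1.
block in log on $bridge_if all

# Internal hosts may initiate anything that is not aimed at the bridge
# host itself; the state entry lets the replies back in.
pass in on $bridge_if from $int_net to ! ($bridge_if) keep state

# The bridge host only accepts ssh, and only from the admin host.
pass in on $bridge_if proto tcp from $admin_hosts to ($bridge_if) \
    port ssh flags S/SA keep state

# Everything the bridge host originates is allowed, with state for replies.
pass out on $bridge_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the default-deny is on bridge0 with `pfctl -vvsr` and watch the states with `pfctl -ss` while opening an ssh session from a non-admin host: it should produce a logged block on bridge0 (visible via `tcpdump -n -e -ttt -i pflog0`) and no state entry. If you set net.link.bridge.pfil_member to 0, the scrub rules on $ext_if stop seeing bridged frames, so move them to $bridge_if in that case.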