From: Tobias Ernst <tobi@casino.uni-stuttgart.de>
To: freebsd-pf@freebsd.org
Date: Tue, 02 Oct 2007 11:01:27 +0300
Message-ID: <4701FAD7.4050600@casino.uni-stuttgart.de>
In-Reply-To: <20070917204318.GB9614@heff.fud.org.nz>
Subject: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
Dear members of this list,

Recently, it was stated here by Andrew Thompson that

> anything that is destined for the
> local host is tapped off early and handled specially.

This referred to the fact that packets passing through a bridging firewall can be filtered on the individual inbound/outbound interfaces, but packets destined for the bridging firewall (which has an IP address assigned to the bridge interface) can only be filtered on the bridge interface.

I have now run into a problem with this. I am setting up a routing firewall with several DMZs, but for various reasons the DMZs use the same IP range as the internal net. I.e., the DMZs are bridged to the internal net, and the entire IP subnet is then routed to the external world.

To clarify things, this looks similar to the following:

  bridge0 = em0, em1
  bridge0 has IP x.x.x.254
  DMZ connected to em0 and consists of the IP addresses x.x.x.0 - 15
  Internal net connected to em1 and consists of x.x.x.16 - 253
  em2 is the external interface and has IP x.x.y.123

Now, first of all, I wanted to set up a rule that makes sure that it is impossible to use IPs from the internal range in the DMZ network segment and vice versa, so that a hacked server in the DMZ cannot change its IP and pretend to be one of our (maybe powered off) internal servers. My first try was as follows:

  block quick on em0 from !x.x.x.0/28
  block quick on em1 from x.x.x.0/28

This works fine as long as a machine in the DMZ is trying to communicate with a machine in the internal zone. However, the above rules do not match packets sent from a machine with an illegal IP in the DMZ and destined for the firewall, because those packets only appear on bridge0.
However, when I filter the packets on bridge0, I have no idea whether they arrived on the DMZ interface or on the internal interface. Is there any other possibility of finding out which member of a bridge an inbound packet has arrived on?

Regards
Tobias

P.S.: FreeBSD 6.2-RELEASE

--
Universität Stuttgart | Fakultät für Architektur und Stadtplanung | casinoIT
70174 Stuttgart, Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228
F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de
I http://www.casino.uni-stuttgart.de
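As an added example that is not part of the mail (neither Tobias's ruleset nor a reply from the list), the anti-spoofing policy described above written out as a pf.conf fragment with macros, extended with the matching rule for the external interface; the interface roles and the /28 split are from the mail, the 192.0.2.0/24 documentation range is a constructed stand-in for x.x.x, and the sysctl name is the one documented in if_bridge(4).

```pf
# Added example, not from the mail. 192.0.2.0/24 (RFC 5737 documentation
# range) stands in for the x.x.x subnet; interface roles are from the mail.
ext_if  = "em2"
dmz_if  = "em0"            # bridge0 member facing the DMZ
int_if  = "em1"            # bridge0 member facing the internal net
dmz_net = "192.0.2.0/28"   # DMZ hosts .0 - .15
lan_net = "192.0.2.0/24"   # whole bridged subnet, routed via $ext_if

# These member-interface rules only see forwarded frames when pf is hooked
# on the bridge members (sysctl net.link.bridge.pfil_member=1). Packets
# addressed to the firewall itself are still seen on bridge0 only, as the
# mail describes, so they are not caught here.
block in log quick on $dmz_if from ! $dmz_net   # internal IP used in the DMZ
block in log quick on $int_if from $dmz_net     # DMZ IP used on the internal net

# Same idea on the outside: nobody on the Internet may claim our subnet.
block in log quick on $ext_if from $lan_net
```

The `log` keyword sends matches to pflog0, so a spoofing attempt on either segment shows up in tcpdump on that interface.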