From: Andrew Thompson <thompsa@FreeBSD.org>
To: Tobias Ernst
Cc: freebsd-pf@freebsd.org
Date: Tue, 2 Oct 2007 22:16:10 +1300 (NZDT)
Subject: Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
Message-ID: <20071002091610.GD38352@heff.fud.org.nz>
In-Reply-To: <4701FAD7.4050600@casino.uni-stuttgart.de>
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

On Tue, Oct 02, 2007 at 11:01:27AM +0300, Tobias Ernst wrote:
> Dear members of this list,
>
> Recently, it was stated here by Andrew Thompson that
>
> > anything that is destined for the
> > local host is tapped off early and handled specially.
>
> This referred to the fact that packets passing through a bridging
> firewall can be filtered on the individual inbound/outbound interfaces,
> but packets destined for the bridging firewall (that has assigned an IP
> address to the bridge interface) can only be filtered on the bridge
> interface.
>
> I have now run into a problem with this. I am setting up a routing
> firewall with several DMZs, but for various reasons the DMZs use the same
> IP range as the internal net. I.e., the DMZs are bridged to the internal
> net, and the entire IP subnet is then routed to the external world.
> [...]
>
> However, the above rules do not match packets sent from a machine with
> an illegal IP in the DMZ and destined for the firewall, because those
> packets only appear on bridge0. However, when I filter the packets on
> bridge0, I have no idea whether they arrived on the DMZ interface or on
> the internal interface.
>
> Is there any other possibility of finding out which member of a bridge
> an inbound packet has arrived on?

Yes, a new option was added to HEAD that allows this (pfil_local_phys); it
adds an additional packet filter call on the member interface for local
packets.

> P.S.: FreeBSD 6.2-RELEASE

It's not in 6.2 unfortunately, but will be MFC'd in time for 6.3.

Andrew
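Added illustration, not part of the thread: a pf.conf fragment showing how the member-interface anti-spoofing rule from the question starts to cover firewall-bound traffic once net.link.bridge.pfil_local_phys is enabled (available in if_bridge(4) from 6.3/HEAD). Interface names, the 192.0.2.0/24 range and the DMZ host list are constructed assumptions.

```pf
# Constructed setup: bridge0 joins the internal LAN (em0) and the DMZ (em1);
# the firewall's own address sits on bridge0 and both segments share one subnet.
#
# Required kernel settings (put in /etc/sysctl.conf):
#   net.link.bridge.pfil_member=1       # run pf on member interfaces (default)
#   net.link.bridge.pfil_bridge=1       # run pf on bridge0 as well (default)
#   net.link.bridge.pfil_local_phys=1   # ALSO run pf on the member interface
#                                       # for packets addressed to this host
int_if  = "em0"
dmz_if  = "em1"
br_if   = "bridge0"
fw_addr = "192.0.2.1"

# Addresses that legitimately exist in the DMZ segment (constructed list).
table <dmz_hosts> { 192.0.2.10, 192.0.2.11 }

set skip on lo0

# Member-interface rules. Without pfil_local_phys a packet from the DMZ to
# $fw_addr never reaches this rule (it is tapped off to bridge0 first);
# with it set, a spoofed DMZ source is logged and dropped here, and pf knows
# the ingress member because the rule is bound to $dmz_if.
block in log quick on $dmz_if inet from ! <dmz_hosts>
pass in on $dmz_if inet from <dmz_hosts>
pass in on $int_if inet from 192.0.2.0/24

# Bridge-interface rules still run afterwards for locally destined traffic
# (pfil_bridge=1), so host-level policy stays here; spoofed sources are gone
# by the time the packet is seen on $br_if.
pass in on $br_if inet proto tcp from 192.0.2.0/24 to $fw_addr port ssh
pass out on $br_if
```

Note that with both pfil_member and pfil_bridge set, a packet for the firewall now passes pf twice (member interface, then bridge0), so keep the member rules to source validation and put the per-service policy on bridge0 to avoid duplicating it.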