From owner-freebsd-pf@FreeBSD.ORG Mon Sep 17 20:44:38 2007
From: Richard Coleman
Date: Mon, 17 Sep 2007 16:22:28 -0400
To: Gilberto Villani Brito
Cc: freebsd-pf@freebsd.org
Subject: Re: Questions about filtering bridges
Message-ID: <46EEE204.6000009@criticalmagic.com>
In-Reply-To: <6e6841490709171242v61126706l782b7daec7ef3064@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Gilberto Villani Brito wrote:
> On 16/09/2007, Richard Coleman wrote:
>
>> I'm setting up a filtering bridge and have a couple questions.
>> Hopefully someone here can help. I've looked at all the docs online
>> (and lots of Google searches) but there isn't much recent info on
>> filtering bridges.
>>
>> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>>
>> # rc.conf
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>>
>> Question 1: In the Handbook section on bridging, it says that if you
>> need to set up an IP address, you should put it on the bridge interface
>> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
>> put it on the inside interface. What are the consequences of doing it
>> either way?
>>
>> Question 2: If I use the following pf.conf (should block everything
>> inbound, but allow everything outbound), I notice I'm still able to ssh
>> into the bridging firewall itself. Why isn't that blocked? I'm
>> guessing it's a consequence of the fact that I put an IP address on the
>> bridging interface, but I'm not sure. What am I missing?
>>
>> # pf.conf
>>
>> # interfaces
>> ext_if="fxp0"
>> int_if="fxp1"
>>
>> # options
>> set skip on lo0
>> set block-policy drop
>>
>> # normalization
>> scrub in on $ext_if all
>> scrub out on $ext_if random-id
>>
>> # external interface, inbound
>> # default is to block all inbound on external interface
>> block in log on $ext_if all
>>
>> # external interface, outbound
>> block out log on $ext_if all
>> pass out on $ext_if proto tcp all flags S/SA keep state
>> pass out on $ext_if proto { udp, icmp } all keep state
>>
>> # internal interface, inbound
>> pass in on $int_if all
>>
>> # internal interface, outbound
>> pass out on $int_if all
>>
>> Richard Coleman
>> rcoleman@criticalmagic.com
>
> Hi Richard;
> The first question I don't know, but the second I know.
> You are blocking everything:
> block in log on $ext_if all
> block out log on $ext_if all
> But here:
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
> All the traffic going out is allowed, and PF reads all rules unless you
> use quick to stop.
> See here:
> http://www.openbsd.org/faq/pf/filter.html#intro

There are no pass rules for inbound on the external interface. So the
initial "block in" should win for inbound on the external interface. But
I'm still able to remotely ssh into the bridge from outside the company.
If this was a routing firewall, I'm pretty sure it would block the
connection. I think it's something unique to bridging firewalls.

rc
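The pf.conf in the thread only has rules on the member interfaces fxp0 and fxp1, while the host's own address lives on bridge0. On FreeBSD's if_bridge(4), which interfaces pf sees a packet on is governed by the sysctls net.link.bridge.pfil_member, net.link.bridge.pfil_bridge and net.link.bridge.pfil_local_phys; with the default pfil_local_phys=0, a packet addressed to the bridge host itself is not run through the filter on the physical member, only on bridge0, so a "block in on fxp0" rule never gets to evaluate it. The following is an added example from the editor, not the poster's file or FreeBSD's documentation: the same two-port bridge, with the bridge host protected explicitly on bridge0, `quick` used where rule order matters (the point Gilberto raises), and the forwarded-traffic rules kept as posted. Interface names and the bridge address come from the thread; `admin_net` is an assumed placeholder.

```pf
# /etc/pf.conf for a two-port filtering bridge: added example, not the
# poster's configuration. Interface names and the bridge address are
# from the thread; admin_net is an ASSUMED placeholder for the network
# that is allowed to administer the bridge.

ext_if    = "fxp0"           # external member of bridge0
int_if    = "fxp1"           # internal member of bridge0
br_if     = "bridge0"        # carries the bridge host's own address
br_addr   = "64.45.160.194"
admin_net = "{ 10.0.0.0/24 }"    # ASSUMPTION: replace with your management network

set skip on lo0
set block-policy drop

scrub in  on $ext_if all
scrub out on $ext_if random-id

# --- the bridge host itself --------------------------------------------
# Packets addressed to $br_addr reach the IP stack through $br_if. With
# if_bridge(4) defaults (pfil_member=1, pfil_bridge=1, pfil_local_phys=0)
# they are filtered on $br_if but not on the physical member, so the
# member-interface rules further down do not protect the host. The
# rules are scoped to $br_addr so that traffic merely bridged between
# the members is left to the member-interface rules.
block in  log on $br_if to $br_addr
block out log on $br_if from $br_addr

# quick: pf stops evaluating at a matching quick rule; without it pf
# reads every rule and the last match decides.
pass in  quick on $br_if proto tcp from $admin_net to $br_addr port ssh \
    flags S/SA keep state
pass in  quick on $br_if inet proto icmp from $admin_net to $br_addr \
    icmp-type echoreq keep state
pass out quick on $br_if proto tcp from $br_addr to any flags S/SA keep state
pass out quick on $br_if proto { udp, icmp } from $br_addr to any keep state

# --- traffic bridged between the members (rules as posted) --------------
# With pfil_member=1 a forwarded packet is filtered "in" on the member it
# arrives on and "out" on the member it leaves by.
block in  log on $ext_if all
block out log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
pass in  on $int_if all
pass out on $int_if all
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax. To see for yourself on which interface a host-destined packet is evaluated, leave `log` on the block rules and watch `tcpdump -n -e -ttt -i pflog0`: each logged match names the interface the rule fired on, so an ssh attempt to the bridge address shows up as a match on bridge0 rather than fxp0. Setting `net.link.bridge.pfil_local_phys=1` in /etc/sysctl.conf makes the member-interface rules apply to host-destined packets as well, which turns the posted "block in log on $ext_if all" into a second layer in front of the bridge0 rules.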