Date: Mon, 28 Nov 2005 18:12:02 -0800 From: "Bruce A. Mah" <bmah@freebsd.org> To: Michiel Kranenburg <michiel@nl-hrln-ptgrf.net> Cc: freebsd-pf@freebsd.org Subject: Re: OpenBSD's PF with a bridge on FreeBSD 6.x Message-ID: <1133230323.70949.77.camel@tomcat.kitchenlab.org> In-Reply-To: <20051128190721.337CA193636@mail.nl-hrln-ptgrf.net> References: <20051128190721.337CA193636@mail.nl-hrln-ptgrf.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] If memory serves me right, Michiel Kranenburg wrote: > I˙m currently running FreeBSD 6.0-RELEASE. > > I have 2 ethernet-cards running in promisc mode that should bridge my ISP > modem with my switch. > > xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > options=9<RXCSUM,VLAN_MTU> > inet6 fe80::201:2ff:fe09:84f3%xl0 prefixlen 64 scopeid 0x1 > inet 145.99.138.82 netmask 0xfffffff0 broadcast 145.99.138.95 > inet 145.99.138.83 netmask 0xfffffff0 broadcast 145.99.138.95 > ether 00:01:02:09:84:f3 > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > xl2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > options=9<RXCSUM,VLAN_MTU> > inet6 fe80::250:4ff:fe55:2852%xl2 prefixlen 64 scopeid 0x3 > ether 00:50:04:55:28:52 > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active Are you doing bridge(4) or if_bridge(4)? For 6.0, I highly recommend the latter; the integration with packet filters (such as PF) works out a lot better. To wit: with if_bridge(4), your physical interfaces xl0 and xl2 are unnumbered and you assign IPv4/IPv6 addresses to a new pseudo-interface bridge0. You can use PF rules on bridge0 to filter packets addressed to/from the bridging machine. You can also define PF rules on the physical interfaces to filter packets passing through the bridge. I believe that bridge(4) is deprecated in 6.X and will be removed in 7.X. > Currently this is my situation: > > ( Internet (/28) ) <-> ( xl0 ) <bridge> ( xl2 ) <-> ( switchs ) <-> ( > clients ) > > The problem is that I want PF (OpenBSD˙s Packet Filter) to firewall my > server and the bridge (for the clients). > The packet filter works great for the server, it handles packets that are > defined in the ruleset perfectly. > > The real problem relies on filtering the bridge, PF passes all traffic too > the bridge _even_ when some kind of traffic is blocked on xl0. (So it > shouldn˙t be on the network anyway) > > Can someone help me to get filtering on de bridge to work? I'm doing something similar to this with no problems, using PF and if_bridge(4). Where is your "server" in the ASCII art above? You might need to give some more details (such as the ruleset you're using). If you use if_bridge, you want to make sure that both of the net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctl variables are set to 1. (Or at least something non-zero?) Finally you might want to look at the 6.0 errata for an item about a kernel memory leak when running if_bridge with a packet filter. Good luck, Bruce. [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBDi7jy2MoxcVugUsMRArSSAKCsTfbBZA13JJfIP60TJzJWKRJbvwCgsDED 1kW+PCIHqAn5Qp46cffixt8= =h61s -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1133230323.70949.77.camel>