Date:      Mon, 28 Nov 2005 18:12:02 -0800
From:      "Bruce A. Mah" <bmah@freebsd.org>
To:        Michiel Kranenburg <michiel@nl-hrln-ptgrf.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: OpenBSD's PF with a bridge on FreeBSD 6.x
Message-ID:  <1133230323.70949.77.camel@tomcat.kitchenlab.org>
In-Reply-To: <20051128190721.337CA193636@mail.nl-hrln-ptgrf.net>
References:  <20051128190721.337CA193636@mail.nl-hrln-ptgrf.net>



If memory serves me right, Michiel Kranenburg wrote:

> I'm currently running FreeBSD 6.0-RELEASE.
>
> I have 2 ethernet-cards running in promisc mode that should bridge my ISP
> modem with my switch.
>
> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=9<RXCSUM,VLAN_MTU>
>         inet6 fe80::201:2ff:fe09:84f3%xl0 prefixlen 64 scopeid 0x1
>         inet 145.99.138.82 netmask 0xfffffff0 broadcast 145.99.138.95
>         inet 145.99.138.83 netmask 0xfffffff0 broadcast 145.99.138.95
>         ether 00:01:02:09:84:f3
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> xl2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=9<RXCSUM,VLAN_MTU>
>         inet6 fe80::250:4ff:fe55:2852%xl2 prefixlen 64 scopeid 0x3
>         ether 00:50:04:55:28:52
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active

Are you doing bridge(4) or if_bridge(4)?  For 6.0, I highly recommend
the latter; the integration with packet filters (such as PF) works out a
lot better.  To wit:  with if_bridge(4), your physical interfaces xl0
and xl2 are unnumbered and you assign IPv4/IPv6 addresses to a new
pseudo-interface bridge0.  You can use PF rules on bridge0 to filter
packets addressed to/from the bridging machine.  You can also define PF
rules on the physical interfaces to filter packets passing through the
bridge.

I believe that bridge(4) is deprecated in 6.X and will be removed in
7.X.

> Currently this is my situation:
>
> ( Internet (/28) )  <->  ( xl0 ) <bridge> ( xl2 )  <->  ( switches )  <->  ( clients )
>
> The problem is that I want PF (OpenBSD's Packet Filter) to firewall my
> server and the bridge (for the clients).
> The packet filter works great for the server, it handles packets that are
> defined in the ruleset perfectly.
>
> The real problem lies in filtering the bridge, PF passes all traffic to
> the bridge _even_ when some kind of traffic is blocked on xl0. (So it
> shouldn't be on the network anyway)
>
> Can someone help me to get filtering on the bridge to work?

I'm doing something similar to this with no problems, using PF and
if_bridge(4).

Where is your "server" in the ASCII art above?  You might need to give
some more details (such as the ruleset you're using).

If you use if_bridge, you want to make sure that both of the
net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctl
variables are set to 1.  (Or at least something non-zero?)  Finally you
might want to look at the 6.0 errata for an item about a kernel memory
leak when running if_bridge with a packet filter.

Good luck,

Bruce.
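
A configuration along the lines Bruce describes (members unnumbered, the addresses on bridge0, both pfil sysctls on, host-bound traffic handled on bridge0 and transit traffic on the members), added here as an example and not taken from the thread or from the FreeBSD project. Interface names and addresses come from Michiel's ifconfig output; the permitted services and the file layout are assumptions.

```conf
# /etc/rc.conf  (added example; names and addresses from the thread)
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 145.99.138.82 netmask 255.255.255.240 addm xl0 addm xl2 up"
ifconfig_bridge0_alias0="inet 145.99.138.83 netmask 255.255.255.255"
ifconfig_xl0="up"                    # members stay unnumbered
ifconfig_xl2="up"
pf_enable="YES"

# /etc/sysctl.conf  -- with pfil_member=0 PF never sees transit traffic on xl0/xl2
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

# /etc/pf.conf  (assumed ruleset: ssh to the host, http/https/ping to the LAN)
ext_if = "xl0"          # ISP modem side
int_if = "xl2"          # switch / clients side
br_if  = "bridge0"      # the bridging host's own addresses live here
lan    = "145.99.138.80/28"
table <host> { 145.99.138.82, 145.99.138.83 }

set skip on lo0
# With both sysctls at 1 a transit packet is evaluated on the ingress member,
# on bridge0 and on the egress member; the state created by the first pass
# (floating, the default) matches on the later ones, so decide on the ingress member.

# From the ISP side: xl0 is the first hop for transit and host-bound packets alike
block in log on $ext_if all
pass  in on $ext_if proto tcp to <host> port ssh keep state
pass  in on $ext_if proto tcp to $lan port { http, https } keep state
pass  in on $ext_if proto icmp to $lan icmp-type echoreq keep state

# From the switch side: clients may go anywhere except the host, which takes ssh only
block in log on $int_if all
pass  in on $int_if from $lan to ! <host> keep state
pass  in on $int_if proto tcp from $lan to <host> port ssh keep state

# Traffic the host itself originates leaves via bridge0 and then a member
pass  out on $br_if from <host> keep state
pass  out on { $ext_if, $int_if } keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -vvsr` shows per-rule match counters, so a transit packet that is still "passing" despite a block on xl0 can be traced to the interface and rule that actually let it through.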

