From: "Bruce A. Mah" <bmah@freebsd.org>
To: Michiel Kranenburg
Cc: freebsd-pf@freebsd.org
Subject: Re: OpenBSD's PF with a bridge on FreeBSD 6.x
Date: Mon, 28 Nov 2005 18:12:02 -0800
Message-Id: <1133230323.70949.77.camel@tomcat.kitchenlab.org>
In-Reply-To: <20051128190721.337CA193636@mail.nl-hrln-ptgrf.net>
List-Id: Technical discussion and general questions about packet filter (pf)

If memory serves me right, Michiel Kranenburg wrote:
> I'm currently running FreeBSD 6.0-RELEASE.
>
> I have 2 ethernet-cards running in promisc mode that should bridge my ISP
> modem with my switch.
>
> xl0: flags=8943 mtu 1500
>         options=9
>         inet6 fe80::201:2ff:fe09:84f3%xl0 prefixlen 64 scopeid 0x1
>         inet 145.99.138.82 netmask 0xfffffff0 broadcast 145.99.138.95
>         inet 145.99.138.83 netmask 0xfffffff0 broadcast 145.99.138.95
>         ether 00:01:02:09:84:f3
>         media: Ethernet autoselect (100baseTX)
>         status: active
> xl2: flags=8943 mtu 1500
>         options=9
>         inet6 fe80::250:4ff:fe55:2852%xl2 prefixlen 64 scopeid 0x3
>         ether 00:50:04:55:28:52
>         media: Ethernet autoselect (100baseTX)
>         status: active

Are you doing bridge(4) or if_bridge(4)?  For 6.0, I highly recommend the
latter; the integration with packet filters (such as PF) works out a lot
better.

To wit: with if_bridge(4), your physical interfaces xl0 and xl2 are
unnumbered and you assign IPv4/IPv6 addresses to a new pseudo-interface
bridge0.  You can use PF rules on bridge0 to filter packets addressed
to/from the bridging machine.  You can also define PF rules on the physical
interfaces to filter packets passing through the bridge.

I believe that bridge(4) is deprecated in 6.X and will be removed in 7.X.

> Currently this is my situation:
>
> ( Internet (/28) ) <-> ( xl0 ) ( xl2 ) <-> ( switches ) <-> ( clients )
>
> The problem is that I want PF (OpenBSD's Packet Filter) to firewall my
> server and the bridge (for the clients).
> The packet filter works great for the server; it handles packets that are
> defined in the ruleset perfectly.
>
> The real problem lies in filtering the bridge: PF passes all traffic to
> the bridge _even_ when some kind of traffic is blocked on xl0. (So it
> shouldn't be on the network anyway.)
>
> Can someone help me to get filtering on the bridge to work?

I'm doing something similar to this with no problems, using PF and
if_bridge(4).

Where is your "server" in the ASCII art above?  You might need to give some
more details (such as the ruleset you're using).

If you use if_bridge, you want to make sure that both of the
net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctl
variables are set to 1.  (Or at least something non-zero?)

Finally, you might want to look at the 6.0 errata for an item about a kernel
memory leak when running if_bridge with a packet filter.

Good luck,

Bruce.
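As an added illustration of the advice in this reply (this script is not part of Bruce's or Michiel's messages), the sh script below audits the two net.link.bridge sysctls from sysctl(8)-style output and prints the if_bridge(4) layout Bruce describes: unnumbered members, the address on bridge0, host-directed rules on bridge0 and pass-through rules on the member interfaces. The interface names xl0/xl2 and the 145.99.138.80/28 prefix come from the quoted message; the sample sysctl output, the rc.conf variable names and the pf.conf rules are this example's own assumptions, not the poster's ruleset.

```sh
#!/bin/sh
# Added example, not from the original thread. Checks the PF bridge hooks
# Bruce names and emits the if_bridge(4) configuration layout he describes.

# check_pfil_sysctls: read "name: value" lines (the format sysctl(8) prints)
# from stdin. Returns 0 when both net.link.bridge.pfil_bridge and
# net.link.bridge.pfil_member are non-zero, 1 when either is 0 (traffic
# crossing the bridge would bypass PF), 2 when neither knob is present
# (if_bridge not loaded on this kernel).
check_pfil_sysctls() {
    bridge='' member=''
    while IFS= read -r line; do
        case "$line" in
            net.link.bridge.pfil_bridge:*) bridge="${line##*: }" ;;
            net.link.bridge.pfil_member:*) member="${line##*: }" ;;
        esac
    done
    if [ -z "$bridge" ] || [ -z "$member" ]; then
        echo "bridge pfil sysctls not found; is if_bridge loaded?" >&2
        return 2
    fi
    if [ "$bridge" -ne 0 ] && [ "$member" -ne 0 ]; then
        return 0
    fi
    echo "pfil_bridge=$bridge pfil_member=$member: bridged traffic bypasses PF" >&2
    return 1
}

# bridge_rc_conf ADDR MEMBER...: rc.conf lines for an if_bridge whose members
# stay unnumbered and whose single IPv4 address sits on bridge0.
# (rc.conf variable names assumed; check rc.conf(5) on the target release.)
bridge_rc_conf() {
    addr=$1; shift
    addm=''
    for m in "$@"; do
        echo "ifconfig_$m=\"up\""          # member carries no address
        addm="$addm addm $m"
    done
    echo 'cloned_interfaces="bridge0"'
    echo "ifconfig_bridge0=\"inet $addr$addm up\""
}

# bridge_pf_conf EXT_IF INT_IF HOST_IP CLIENT_NET: a pf.conf skeleton with
# the rule split from the reply: rules on bridge0 match traffic to/from the
# bridging host itself; rules on the member interfaces match traffic
# passing through the bridge. The services listed are placeholders.
bridge_pf_conf() {
    cat <<EOF
# constructed pf.conf fragment (assumed rules)
ext_if = "$1"
int_if = "$2"
brd_if = "bridge0"
host_ip = "$3"
clients = "$4"
set skip on lo0
block in log all
# the bridging host's own services: filter on the numbered bridge0
pass in on \$brd_if inet proto tcp to \$host_ip port ssh keep state
pass out on \$brd_if all keep state
# the clients behind the bridge: filter on the outside member as it enters
pass in on \$ext_if inet proto tcp to \$clients port { http https } keep state
pass in on \$int_if from \$clients keep state
pass out on { \$ext_if \$int_if } all keep state
EOF
}

# Constructed sample sysctl output in the shape of `sysctl net.link.bridge`.
SAMPLE_GOOD='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1'
SAMPLE_BAD='net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 1'

demo() {
    echo "# checking constructed sample with pfil_bridge=0:"
    if printf '%s\n' "$SAMPLE_BAD" | check_pfil_sysctls; then
        echo "PF sees bridged traffic"
    else
        echo "check failed as expected for this sample"
    fi
    echo "# rc.conf:";  bridge_rc_conf 145.99.138.82/28 xl0 xl2
    echo "# pf.conf:";  bridge_pf_conf xl0 xl2 145.99.138.82 145.99.138.80/28
}
demo
```

On a live box the check is `sysctl net.link.bridge | check_pfil_sysctls`; the two emitters only print text, so the output can be reviewed before anything is copied into /etc/rc.conf or /etc/pf.conf.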