Date: Fri, 21 Sep 2001 18:52:43 -0500 (EST)
From: Chris Hardie <chris@summersault.com>
To: freebsd-questions@freebsd.org
Subject: net.inet.ip.fw.one_pass=0 not effective in filtering bridge?
Message-ID: <Pine.BSF.4.40.0109211849350.79903-100000@nollie.summersault.com>
Hi. I've got a filtering bridge running on FreeBSD 4.3 with ipfw and a customized rc.firewall config. The setup has been working well for a while now.

I was unfortunately alerted to a hole after a box behind the firewall was cracked because ports that I thought were protected...weren't. It turns out that traffic to/from the machine in question was being passed through a pipe early in the rc.firewall config, and that the ipfw processing terminated when the packets came out of the pipe, so they never saw the rules farther down that would have dropped those packets headed for bad places.

A-ha! "Easy," you say: just do

    sysctl -w net.inet.ip.fw.one_pass=0

and according to the ipfw man page, that will cause the packets to be re-injected into the firewall when they come out of the pipe, starting where they left off. Well, this just doesn't seem to be taking effect!

I've crawled through docs and mailing lists. Setting net.inet.ip.fw.one_pass seems to be the common solution, but a few other people have mentioned the same ineffectiveness of that, and then those threads just drop off.

So I'm wondering if it's possible that, because the kernel is compiled with "options BRIDGE", packets are strictly only going through the firewall rules once, and that net.inet.ip.fw.one_pass=0 isn't having an effect in this case? If my wondering is in error, I'm looking for suggestions about how to verify the behavior I'm seeing and how to achieve the desired result: to use pipes AND deny rules that come after. I'm happy to send along the particular rules, but wanted to see if the question could be answered using theory first.

(This message addresses an issue similar to but separate from the "ipfw" thread started by Rick Norman on Sep 18.)

Any help is much appreciated.
Thanks,
Chris

-- 
Chris Hardie
mailto:chris@summersault.com
http://www.summersault.com/chris/
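The hole described in the message above, modelled as an added example (not code from the FreeBSD project or from the poster): a small interpreter for the subset of ipfw rule syntax the message involves, which walks a ruleset the way ipfw does and applies only the documented meaning of net.inet.ip.fw.one_pass. With one_pass=1 a packet leaving a dummynet pipe is not examined by the firewall again; with one_pass=0 it is re-injected at the rule after the pipe rule. The ruleset, addresses and packets are constructed for the illustration and are not the poster's actual rc.firewall; the example says nothing about whether the bridge code honours the sysctl, which is the open question in the message.

```python
"""Model of ipfw rule traversal around a dummynet pipe action.

Added illustration, not FreeBSD code. It covers only the rule subset used
below (allow / deny / pipe, a protocol, 'from SRC to DST', optional
destination ports) and the documented one_pass semantics:
  one_pass=1  packet leaving the pipe exits the firewall (accepted)
  one_pass=0  packet is re-injected at the rule after the pipe rule
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ruleset resembling the situation in the message: a pipe rule
# early in the set, and the deny rule that should protect the host later on.
RULESET = """
add 100 pipe 1 ip from any to 192.0.2.10
add 200 deny tcp from any to 192.0.2.10 135-139
add 300 allow tcp from any to 192.0.2.10 22,80
add 65000 deny ip from any to any
"""


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow", "deny" or "pipe"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a single address (no masks here)
    dst: str
    dports: frozenset           # empty means any destination port
    pipe: Optional[int] = None  # pipe number for a "pipe" action


def parse_rule(line: str) -> Rule:
    """Parse 'add NUM ACTION [PIPENUM] PROTO from SRC to DST [PORTS]'."""
    tok = line.split()
    if tok[0] != "add":
        raise ValueError("only 'add' lines are modelled: " + line)
    number, action, i, pipe = int(tok[1]), tok[2], 3, None
    if action == "pipe":
        pipe, i = int(tok[i]), i + 1
    proto = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError("expected 'from SRC to DST': " + line)
    src, dst, i = tok[i + 2], tok[i + 4], i + 5
    ports = set()
    if i < len(tok):                      # optional "22,80" or "135-139"
        for part in tok[i].split(","):
            if "-" in part:
                lo, hi = part.split("-")
                ports.update(range(int(lo), int(hi) + 1))
            else:
                ports.add(int(part))
    return Rule(number, action, proto, src, dst, frozenset(ports), pipe)


def load_rules(text: str) -> List[Rule]:
    return sorted((parse_rule(l) for l in text.strip().splitlines()),
                  key=lambda r: r.number)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


def run(rules: List[Rule], pkt: Packet, one_pass: int) -> Tuple[str, List[int]]:
    """Walk the ruleset; return (verdict, numbers of the rules that matched)."""
    hits: List[int] = []
    for r in rules:                       # rules are already in number order
        if not matches(r, pkt):
            continue
        hits.append(r.number)
        if r.action in ("allow", "deny"):
            return r.action, hits
        if r.action == "pipe":
            if one_pass:
                # Packet leaves the pipe and is not seen by ipfw again,
                # so rules after the pipe rule never get a chance to deny it.
                return "allow", hits
            # one_pass=0: re-injected at the next rule, i.e. just keep walking.
    # No explicit match: ipfw's default rule 65535, which is deny unless the
    # kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    return "deny", hits


if __name__ == "__main__":
    rules = load_rules(RULESET)
    smb = Packet("tcp", "198.51.100.7", "192.0.2.10", 139)
    for flag in (1, 0):
        print("one_pass=%d: %s via rules %s" % ((flag,) + run(rules, smb, flag)))
```

On a real box the equivalent check is the packet and byte counters shown by `ipfw show` (the same as `ipfw -a list`): if a packet you know went through pipe 1 never increments the counter on the later deny rule, ipfw is not re-injecting it regardless of what the sysctl says.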