Date:      Wed, 20 Jun 2012 17:27:57 +0800
From:      ProAce <proace@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   packet filter problem on transparent firewall using bridge and pf
Message-ID:  <CAL0-vtvJ6Q5-OTZrvcFSggNbo7ouzeyYUQODF7ktstTSq3o3XQ@mail.gmail.com>

I have some trouble with pf on a FreeBSD bridge.

Network topology:
( untrust ) -- { em0 , bridge0 , em1 } -- ( trust )

Bridge Network: 10.1.1.0/24
bridge0 IP: 10.1.1.1 ( FreeBSD's IP )
default gw: 10.1.1.254 ( in untrust area )
server: 10.1.1.101 ~ 200 ( in trust area )

pf.conf on FreeBSD
   serv1="10.1.1.101"
   client1="10.1.6.73"
   block in all
   block out all
   pass in quick on lo0 all
   pass out quick on lo0 all
   pass in quick on bridge0 from 10.1.1.0/24 to any
   pass out quick on bridge0 from 10.1.1.0/24 to any
   pass in quick on bridge0 from $client1 to 10.1.1.1
   pass in quick on bridge0 from $client1 to $serv1

When I turn on pf, I test some connections:
1. client1 cannot connect to serv1.
2. gw cannot connect to serv1.
3. client1 connects to FreeBSD ( 10.1.1.1 ) successfully.
4. gw connects to FreeBSD ( 10.1.1.1 ) successfully.

If I turn off pf, all connection tests succeed.
What's wrong with the pf rules?



The following is a description of the bridge topology.

FreeBSD and the servers are VMware guests on VMware ESXi.

The ESXi host has two virtual switches:
   vSw1: connects to untrust
   vSw2: interconnects FreeBSD and the servers

FreeBSD has two vNICs:
   em0: connects to vSw1
   em1: connects to vSw2

The servers have only one vNIC:
   em0: connects to vSw2

FreeBSD's rc.conf
   cloned_interfaces="bridge0"
   ifconfig_bridge0="inet 10.1.1.1 netmask 255.255.255.0 addm em0 addm em1 up"
   ifconfig_em0="up"
   ifconfig_em1="up"
   pf_enable="YES"
   pf_rules="/etc/pf.conf"

FreeBSD's sysctl
   net.link.bridge.ipfw: 0
   net.link.bridge.inherit_mac: 0
   net.link.bridge.log_stp: 0
   net.link.bridge.pfil_local_phys: 0
   net.link.bridge.pfil_member: 1
   net.link.bridge.pfil_bridge: 1
   net.link.bridge.ipfw_arp: 0
   net.link.bridge.pfil_onlyip: 1



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAL0-vtvJ6Q5-OTZrvcFSggNbo7ouzeyYUQODF7ktstTSq3o3XQ>
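An added example, not part of the post or its thread, written by the editor to work through the question above. With net.link.bridge.pfil_member=1 a bridged packet is filtered on the member interfaces (em0 on the way in, em1 on the way out) as well as on bridge0, and the posted ruleset only ever passes traffic on lo0 and bridge0, so anything crossing from em0 to em1 meets `block in all` on em0. A packet addressed to 10.1.1.1 itself is filtered on bridge0 only (pfil_local_phys=0), which is why tests 3 and 4 succeed. The Python below models those filtering points and pf's last-match/quick semantics, replays the four tests against the posted rules, and then against a suggested ruleset that filters on bridge0 only (pfil_member=0) and lets outbound traffic through with `pass out quick on bridge0 all`, since the posted `pass out ... from 10.1.1.0/24` can never match a client outside that subnet. The filtering order (ingress member, then bridge, then egress member), the `host` macro, the suggested fix and the extra client address 10.1.6.99 are assumptions of the example; it ignores state tracking, protocols and ports.

```python
# Added example (editor's, not from the post or FreeBSD): a small model of where
# pf evaluates rules on an if_bridge(4) path and how "quick"/last-match decide.
# Assumed filtering points (if_bridge(4); if_bridge.c keeps the order
# in_if -> bridge_if -> out_if):
#   forwarded: ingress member (pfil_member) -> bridge0 in, bridge0 out
#              (pfil_bridge) -> egress member (pfil_member)
#   to host  : bridge0 in only, plus the ingress member if pfil_local_phys=1
# Not modelled: state, ports/protocols, ARP (pfil_onlyip=1 skips ARP anyway).
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action direction quick iface src dst text")
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)(\s+quick)?(?:\s+on\s+(\S+))?"
                     r"\s+(?:all|from\s+(\S+)\s+to\s+(\S+))$")

def _net(tok):  # None = "any address"
    return None if tok in (None, "any") else ipaddress.ip_network(tok, strict=False)

def parse_rules(text, macros):
    """Parse the pf subset used in the post; $name is expanded from `macros`."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        line = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {raw!r}")
        act, dirn, quick, iface, src, dst = m.groups()
        rules.append(Rule(act, dirn, bool(quick), iface, _net(src), _net(dst), line))
    return rules

def evaluate(rules, iface, direction, src, dst):
    """pf semantics at one filtering point: last match wins, 'quick' stops."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for r in rules:
        if r.direction != direction or (r.iface and r.iface != iface):
            continue
        if (r.src and src not in r.src) or (r.dst and dst not in r.dst):
            continue
        winner = r
        if r.quick:
            break
    return (winner.action, winner.text) if winner else ("pass", "no rule matched")

def forwarded_path(in_if, out_if, pfil_member, pfil_bridge):
    member_in = [(in_if, "in")] if pfil_member else []
    bridge = [("bridge0", "in"), ("bridge0", "out")] if pfil_bridge else []
    member_out = [(out_if, "out")] if pfil_member else []
    return member_in + bridge + member_out

def local_path(in_if, pfil_local_phys):
    return ([(in_if, "in")] if pfil_local_phys else []) + [("bridge0", "in")]

def check(rules, stages, src, dst):
    """Walk every filtering point on the path; report the first block."""
    for iface, direction in stages:
        action, why = evaluate(rules, iface, direction, src, dst)
        if action == "block":
            return ("block", f"{direction} on {iface}: {why}")
    return ("pass", "passed every filtering point")

MACROS = {"serv1": "10.1.1.101", "client1": "10.1.6.73", "host": "10.1.1.1"}
GW = "10.1.1.254"                       # default gateway, untrusted side
POSTED = """
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on bridge0 from 10.1.1.0/24 to any
pass out quick on bridge0 from 10.1.1.0/24 to any
pass in quick on bridge0 from $client1 to $host
pass in quick on bridge0 from $client1 to $serv1
"""
# Suggested fix (assumption): filter on bridge0 only (pfil_member=0), decide
# policy on the inbound pass, and let everything out again on bridge0.
FIXED = POSTED.replace("pass out quick on bridge0 from 10.1.1.0/24 to any",
                       "pass out quick on bridge0 all")

def posted_results():
    """The four tests from the post under the posted rules and sysctls."""
    rules = parse_rules(POSTED, MACROS)
    fwd = forwarded_path("em0", "em1", pfil_member=1, pfil_bridge=1)
    loc = local_path("em0", pfil_local_phys=0)
    return {"client1->serv1": check(rules, fwd, MACROS["client1"], MACROS["serv1"]),
            "gw->serv1": check(rules, fwd, GW, MACROS["serv1"]),
            "client1->host": check(rules, loc, MACROS["client1"], MACROS["host"]),
            "gw->host": check(rules, loc, GW, MACROS["host"])}

def fixed_results():
    """Same flows, plus the server's reply and an unlisted client (10.1.6.99)."""
    rules = parse_rules(FIXED, MACROS)
    fwd = forwarded_path("em0", "em1", pfil_member=0, pfil_bridge=1)
    rev = forwarded_path("em1", "em0", pfil_member=0, pfil_bridge=1)
    loc = local_path("em0", pfil_local_phys=0)
    return {"client1->serv1": check(rules, fwd, MACROS["client1"], MACROS["serv1"]),
            "serv1->client1": check(rules, rev, MACROS["serv1"], MACROS["client1"]),
            "gw->serv1": check(rules, fwd, GW, MACROS["serv1"]),
            "other->serv1": check(rules, fwd, "10.1.6.99", MACROS["serv1"]),
            "client1->host": check(rules, loc, MACROS["client1"], MACROS["host"])}

if __name__ == "__main__":
    for title, res in (("posted rules, pfil_member=1", posted_results()),
                       ("fixed rules,  pfil_member=0", fixed_results())):
        print(title)
        for flow, (action, why) in res.items():
            print(f"  {flow:15} {action:5} {why}")
```

Running it prints one line per flow with the rule that decided it: under the posted rules both flows to serv1 die at `block in all` on em0 while the two flows to 10.1.1.1 pass on bridge0; under the fixed rules client1, the gateway and the server's replies pass and an address that no rule names is still blocked on bridge0. On the real box, `pfctl -vnf /etc/pf.conf` checks the file and `pfctl -v -s rules` shows per-rule packet counters, which give the same diagnosis directly.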