From: "Michiel Kranenburg" <michiel@nl-hrln-ptgrf.net>
To: freebsd-pf@freebsd.org
Date: Tue, 13 Dec 2005 18:07:46 +0100
Subject: Possible bug in PF with if_bridge
Message-Id: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello all,

I may have found a bug in PF (in combination with if_bridge) for FreeBSD 6.0-RELEASE. Let me explain my situation first:

The xl1 and xl2 interfaces are connected together as a bridge (bridge0). The sysctl settings that are used:

net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

After applying these settings and configuring ifconfig, a new interface pops up.
---------------------------------------------
bridge0: flags=8041 mtu 1500
        ether ac:de:48:8c:58:62
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: xl2 flags=3
        member: xl1 flags=3
---------------------------------------------

The bridge is working fine, and passes all traffic as it's supposed to. The weird thing occurs when using PF to filter the bridge. Let me post my pf.conf first (I did not post the declaration of variables at the top of the conf):

---------------------------------------------
scrub in all

block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet

pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
pass on lo0 all

## ICMP Section ##
pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 } keep state

## DNS Replys ##
pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to $mynet port 53 keep state

## Router ##
pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state

## Mail ##
pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags S/SA keep state

## Web ##
pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep state
---------------------------------------------

As you can see, I want to block every incoming packet (if not 'passed' later in the ruleset) to the bridge (to the network on the other side).

Now comes the strange part: behind $web and $mail are running SSH servers. As defined by the rules, I don't want to allow any connection from the outside to the SSH servers.
BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and some _don't_ (as it is supposed to be). The connections that are accepted (in violation of the PF rules) to the SSH servers are logged in /var/log/pflog as denied. (So PF marks the packets as denied, but doesn't block them!)

These faults don't apply to SSH servers only! It happens to every service on the network. At least, the hosts that I have tested with are not in a specific IP range. I just picked some random hosts with different IP addresses and tried to telnet to the service ports; with some hosts I got a nice 'return-rst' packet, telling me that the connection is refused. With others I got the service response.

I hope some of you guys can help me out. Please CC me as I'm not subscribed to this list.

With kind regards,
Michiel Kranenburg
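The post's sysctl values make pf evaluate bridged packets on the member interfaces (pfil_member=1) as well as on bridge0 (pfil_bridge=1), and pf's default verdict when no rule matches is pass. A check a reviewer of such a ruleset would want is therefore: for every interface pf will see the packet on, is there an explicit block rule (or a catch-all block with no interface)? The following is an added example, not code from the post or from FreeBSD: a small lint that parses pf.conf pass/block rules, derives the filtered interfaces from the pfil_* sysctls, and lists the interface/direction pairs that fall through to the implicit pass. The ruleset and sysctl values below are constructed from the post (only a subset of its rules, with the macros given placeholder addresses); the rule parsing is a simplification that only looks at the action, the in/out keyword and the "on <iface>" clause.

```python
"""Added example: lint a pf.conf ruleset for interfaces that pf filters on
(per net.link.bridge.pfil_bridge / pfil_member) but that have no block rule.
Not part of the original mailing-list post or of FreeBSD."""

# Constructed sysctl values, as the post reports them.
SYSCTLS = {
    "net.link.bridge.pfil_bridge": 1,
    "net.link.bridge.pfil_member": 1,
}

BRIDGE = "bridge0"
MEMBERS = ["xl1", "xl2"]

# Constructed pf.conf: a subset of the post's rules with placeholder macros.
PF_CONF = """
mynet = "192.0.2.0/24"
router = "192.0.2.1"
scrub in all
block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet
pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
pass on lo0 all
pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state
"""


def parse_rules(conf):
    """Extract (action, direction, interface) from each pass/block rule.

    Simplified parser: macros, options, scrub and translation rules are
    skipped; the interface is the token after 'on'; a rule with no 'on'
    clause applies to every interface; a rule with neither 'in' nor 'out'
    applies to both directions."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] not in ("block", "pass"):
            continue
        iface = tok[tok.index("on") + 1] if "on" in tok else None
        direction = next((t for t in tok[1:] if t in ("in", "out")), "any")
        rules.append({"action": tok[0], "dir": direction,
                      "iface": iface, "text": line})
    return rules


def filtered_interfaces(sysctls, bridge, members):
    """Interfaces on which pf sees bridged packets, given the pfil_* sysctls."""
    ifaces = []
    if sysctls.get("net.link.bridge.pfil_bridge"):
        ifaces.append(bridge)
    if sysctls.get("net.link.bridge.pfil_member"):
        ifaces.extend(members)
    return ifaces


def filtering_gaps(rules, ifaces):
    """(interface, direction) pairs that no block rule covers.

    On such a pair a packet that matches no pass rule is still passed,
    because pf's implicit default is pass."""
    gaps = []
    for iface in ifaces:
        for d in ("in", "out"):
            covered = any(
                r["action"] == "block"
                and r["iface"] in (None, iface)
                and r["dir"] in ("any", d)
                for r in rules)
            if not covered:
                gaps.append((iface, d))
    return gaps


if __name__ == "__main__":
    rules = parse_rules(PF_CONF)
    ifaces = filtered_interfaces(SYSCTLS, BRIDGE, MEMBERS)
    print("pf filters on:", ", ".join(ifaces))
    for iface, d in filtering_gaps(rules, ifaces):
        print(f"no block rule for {d} on {iface}: implicit pass applies")
```

Run against the post's rules the lint reports that only bridge0/in has a block rule, while bridge0/out and both directions on xl1 and xl2 fall through to the implicit pass. A single `block all` (or `block in all` / `block out all`) at the top of the ruleset makes the gap list empty, which is the usual way to make the default verdict explicit regardless of which interface pf evaluates the packet on.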