From: David Pierron <david@wombatsweb.com>
Date: Tue, 13 Dec 2005 13:01:22 -0500
To: Michiel Kranenburg
Cc: freebsd-pf@freebsd.org
Subject: Re: Possible bug in PF with if_bridge
In-Reply-To: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Michiel Kranenburg on 12/13/2005 12:07 PM wrote:
> I may have found a bug in PF (in combination with if_bridge) for
> FreeBSD 6.0-RELEASE.
>
> Let me explain my situation first:
>
> The xl1 and xl2 interfaces are connected together as a bridge (bridge0).
>
> The sysctl settings that are used:
> net.link.bridge.pfil_bridge=1
> net.link.bridge.pfil_member=1
>
> After applying these settings and configuring ifconfig, a new interface
> pops up.
>
> ---------------------------------------------
> bridge0: flags=8041 mtu 1500
>         ether ac:de:48:8c:58:62
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: xl2 flags=3
>         member: xl1 flags=3
> ---------------------------------------------
>
> The bridge is working fine, and passes all traffic as it's supposed to.
>
> The weird thing occurs when using PF to filter the bridge.
> Let me post my pf.conf first (I did not post the declaration of variables
> on top of the conf):
>
> ---------------------------------------------
> scrub in all
>
> block in log on bridge0 from any to $mynet
> block return-rst in log on bridge0 proto tcp from any to $mynet
>
> pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
> pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
>
> pass on lo0 all
>
> ## ICMP Section ##
> pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
> pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 } keep state
>
> ## DNS Replies ##
> pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to $mynet port 53 keep state
>
> ## Router ##
> pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state
>
> ## Mail ##
> pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep state
> pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags S/SA keep state
>
> ## Web ##
> pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
> pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep state
> ---------------------------------------------
>
> As you can see, I want to block every incoming packet (if not 'passed'
> later on in the ruleset) to the bridge (to the network on the other side).
>
> Now comes the strange part:
>
> Behind $web and $mail are running SSH servers. As defined by the rules, I
> don't want to allow any connection from the outside to the SSH servers.
> BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and
> some _don't_ (as it is supposed to be).
>
> The connections that are accepted (in violation of the PF rules) to the
> SSH servers are logged in /var/log/pflog as denied. (So PF marks the
> packets as denied, but doesn't block them!)
>
> These faults don't apply to SSH servers only! It happens to every service
> on the network.
>
> At least, the hosts that I have tested with are not in a specific IP range.
> I just picked some random hosts with different IP addresses and tried to
> telnet to the service ports. With some hosts I got a nice 'return-rst'
> packet, telling me that the connection is refused. With others I got the
> service response.
>
> I hope some of you guys can help me out.
>
> Please CC me as I'm not subscribed to this list.

I am new to PF and if_bridge ... so I am guessing here, but I do have
first-hand experience in just setting one up ... I am still playing with
rulesets to get it just right ... ANYWAY ...

Seems to me that if you want to just use "bridge0" that you should change
your sysctl.conf

    net.link.bridge.pfil_member=1

to

    net.link.bridge.pfil_member=0

The way I have mine configured is to use the xl0 and xl1 in the rules
(with pfil_member=1) ... I have seen that ftpsesame adds bridge0 rules
dynamically though ... But, I don't think it's a bug ...
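An added illustration (not part of either message) of the two consistent ways to split filtering between bridge0 and its members, written as sysctl.conf and pf.conf fragments with the poster's interface and macro names; it assumes $mynet, $router, $mail and $web are defined as in the omitted top of the conf, and that xl1 faces the outside and xl2 faces $mynet, which the post does not state.

```conf
# /etc/sysctl.conf: pick ONE of the two layouts below.

# Layout A: filter on bridge0 only (what David suggests).
# Every frame is evaluated once, on bridge0, so the poster's
# existing "on bridge0" rules can stay as they are.
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

# Layout B: filter on the member interfaces only.
# Every frame is evaluated once, on xl1 or xl2.
#net.link.bridge.pfil_bridge=0
#net.link.bridge.pfil_member=1

# With both sysctls at 1 (the poster's setting) each frame is run
# through pf twice: once on the member it arrived on and once on
# bridge0. A ruleset that names only bridge0 has no rule matching
# xl1/xl2, so the member pass falls to pf's default action, pass.
# Whichever interface filters must be the one the rules name.

# --- /etc/pf.conf for Layout B (member interfaces) -------------
# The poster's bridge0 rules moved to the members.
# Assumed (not in the post): xl1 is the outside, xl2 is $mynet.
ext_if = "xl1"
int_if = "xl2"

scrub in all

# Default deny from the outside towards the protected network.
block in log on $ext_if from any to $mynet
block return-rst in log on $ext_if proto tcp from any to $mynet

# Inside hosts may initiate anything; state lets replies back in.
pass in on $int_if from $mynet to any keep state

# Services exposed to the outside (tcp only; flags apply to tcp).
pass in on $ext_if proto tcp from any to $web port { 80 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state
pass in on $ext_if proto tcp from any to $router port 22 flags S/SA keep state

# ICMP types the poster allows, and DNS answers from the two resolvers.
pass in on $ext_if proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
pass in on $ext_if proto { tcp udp } from { 217.149.196.6 217.149.192.6 } to $mynet port 53 keep state

pass on lo0 all
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `sysctl net.link.bridge` shows which layout is actually active, and `pfctl -s rules` shows the rules as pf expanded them.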