From: Dave McCammon <davemac11@yahoo.com>
To: stable@freebsd.org
Date: Tue, 10 Jul 2007 07:39:09 -0700 (PDT)
Subject: Re: ipfw with if_bridge oddity
Message-ID: <630256.41139.qm@web32806.mail.mud.yahoo.com>
List-Id: Production branch of FreeBSD source code

> On Fri, 6 Jul 2007, Dave McCammon wrote:
> > I can't seem to grasp why this is working differently.
> > FreeBSD 6.2 using ipfw + if_bridge
> >
> > LAN -- em1(if_bridge + ipfw)em0 -- internet
> >
> > I am at xx.xx.16.6 and try to ping say www.yahoo.com
> >
> > in ruleset:
> > 1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
> > 2100 allow ip from xx.xx.16.0/27 to any in via em1
>
> Seeing no one more knowledgeable has had a go, and with the caveat that

Thank you.

> I've never set up an if_bridge(4) but still maintain a bridge(4)+ipfw ..
> Rule 2100 lets your ping in, and 1100 allows the response (in and out)

> > gets dropped by following rule as shown in logs:
> >
> > 4700 deny log ip from any to any
> >
> > Log entry: ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0
>
> Denied because you have no rule letting it go out, it seems.

It's the "out via em0" that I am questioning, which I believe shouldn't be happening. It seems that ipfw+if_bridge works differently with ICMP than ipfw+bridge(4).

Rule 2100 should allow the packet through (I read the rule as: "it is ok since it came in em1"). Other rules just like this (in via em1) work with tcp and udp.

example:
allow tcp from xx.xx.16.0/27 to any in via em1 setup keep-state

if the packet came from xx.xx.16.0/27 network and came "in" the em1 interface, then pass the packet.

It just seems the ICMP gets dropped, which, I am assuming, rule 2100 should have allowed through the firewall.

> > If I add this rule all works great:
> >
> > 2101 allow icmp from xx.xx.16.0/27 to any recv em1
>
> Which allows it both in and out (neither specified)

This should allow the packet because it came through the receiving interface on interface em1.

This is really my questioning: Why is it that "in via em1" doesn't work on ICMP but changing or adding a similar rule with "recv em1" will pass the ICMP.

allow ip from 157.91.16.0/27 to any in via em1
  > legit "passing_thru" ICMP gets dropped with if_bridge but not with bridge(4)
allow ip from 157.91.16.0/27 to any recv em1
  > passes the "passing_thru" ICMP using if_bridge

> > Why would the "recv em1" work and the "in via em1" get blocked?
> >
> > I just changed from using bridge(4) to if_bridge using the same ruleset.
>
> Only inbound bridged packets are passed to ipfw from bridge(4) .. once
> allowed in, they go out. My reading of if_bridge(4) suggests that ipfw
> (etc) may also be examining outbound bridged packets, depending on the
> sysctls. How have you got the sysctls mentioned in if_bridge(4) set?

my sysctl.conf variables:
net.link.bridge.ipfw=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_bridge=0
net.link.bridge.ipfw_arp=1

> > The rest of my ruleset seems to be working fine but this problem is causing me a little paranoia
> > about the effectiveness of the firewall.
> >
> > Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs
> > if I have this set "net.link.bridge.pfil_bridge: 0"?

Thanks again,
Dave
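The following is an added illustration by the editor, not code from the thread, from ipfw or from FreeBSD. It is a small Python model of how the ruleset in the thread sees a bridged packet when net.link.bridge.pfil_member=1, which per if_bridge(4) hands a bridged packet to the firewall once on the inbound member interface and again on the outbound one. The matching semantics encoded are those documented in ipfw(8): "in"/"out" fix the direction, "via" names the interface the packet is going through on that pass (the receive interface on the inbound pass, the transmit interface on the outbound pass), and "recv" names the receive interface, which is known on both passes. Interface names, rule numbers, the LAN prefix 157.91.16.0/27 and the destination 69.147.114.210 come from the thread; the host list in rule 1100 is simplified to the whole /27, and the echo request and reply packets are constructed samples. The model reproduces the observed behaviour (rule 2100 matches only the inbound pass, so the outbound pass falls through to 4700 and is logged "out via em0", while a "recv em1" rule matches both passes), but it is a teaching model, not a substitute for checking the real kernel path with ipfw's own logging.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmptype: Optional[int] = None  # only meaningful for icmp


@dataclass(frozen=True)
class Pass:
    """One firewall evaluation of a bridged packet on a member interface."""
    pkt: Packet
    direction: str        # "in" or "out"
    recv: str             # receive interface: known on both passes
    xmit: Optional[str]   # transmit interface: known only on the out pass

    @property
    def via(self) -> str:
        # ipfw(8): "via" is the interface the packet is going through, i.e. the
        # receive interface on the in pass and the transmit interface on the out pass.
        return self.recv if self.direction == "in" else self.xmit

    def describe(self) -> str:
        p = self.pkt
        proto = p.proto.upper() + (f":{p.icmptype}.0" if p.icmptype is not None else "")
        return f"{proto} {p.src} {p.dst} {self.direction} via {self.via}"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "allow" or "deny"
    proto: str                         # "ip" matches any protocol
    src: str                           # CIDR or "any"
    dst: str = "any"
    direction: Optional[str] = None    # "in", "out", or None for either
    via: Optional[str] = None
    recv: Optional[str] = None
    icmptypes: Optional[Tuple[int, ...]] = None

    def matches(self, ps: Pass) -> bool:
        p = ps.pkt
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.direction is not None and self.direction != ps.direction:
            return False
        if self.via is not None and self.via != ps.via:
            return False
        if self.recv is not None and self.recv != ps.recv:
            return False
        if self.icmptypes is not None and p.icmptype not in self.icmptypes:
            return False
        return True


def bridge_passes(pkt: Packet, in_if: str, out_if: str) -> List[Pass]:
    """With net.link.bridge.pfil_member=1 a bridged packet is filtered on the way
    in on one member interface and again on the way out on the other member."""
    return [Pass(pkt, "in", in_if, None), Pass(pkt, "out", in_if, out_if)]


def first_match(rules: List[Rule], ps: Pass) -> Rule:
    """ipfw semantics: the first rule (by number) that matches decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(ps):
            return r
    raise LookupError("no matching rule (the thread's 4700 catch-all prevents this)")


def trace(rules: List[Rule], passes: List[Pass]) -> List[Tuple[str, int, str]]:
    """Return (pass description, deciding rule number, action) for each pass."""
    return [(ps.describe(), first_match(rules, ps).number, first_match(rules, ps).action)
            for ps in passes]


LAN = "157.91.16.0/27"  # LAN prefix from the thread; rule 1100's host list is simplified to the /27
RULES = [
    Rule(1100, "allow", "icmp", "any", LAN, icmptypes=(0, 3, 11, 12, 13, 14)),
    Rule(2100, "allow", "ip", LAN, direction="in", via="em1"),
    Rule(4700, "deny", "ip", "any"),
]
RULE_2101 = Rule(2101, "allow", "icmp", LAN, recv="em1")  # the rule that "made it work"

# Constructed sample traffic: the LAN host's echo request and the echo reply to it.
ECHO_REQUEST = Packet("icmp", "157.91.16.6", "69.147.114.210", icmptype=8)
ECHO_REPLY = Packet("icmp", "69.147.114.210", "157.91.16.6", icmptype=0)


def outbound_trace(with_2101: bool = False) -> List[Tuple[str, int, str]]:
    """Echo request entering on em1 and leaving on em0, with or without rule 2101."""
    rules = RULES + ([RULE_2101] if with_2101 else [])
    return trace(rules, bridge_passes(ECHO_REQUEST, "em1", "em0"))


def reply_trace() -> List[Tuple[str, int, str]]:
    """Echo reply entering on em0 and leaving on em1; rule 1100 has no direction."""
    return trace(RULES, bridge_passes(ECHO_REPLY, "em0", "em1"))


if __name__ == "__main__":
    for desc, num, act in outbound_trace() + outbound_trace(True) + reply_trace():
        print(f"{num:5d} {act:5s} {desc}")
```

Running it prints the second pass of the echo request as "4700 deny ICMP:8.0 157.91.16.6 69.147.114.210 out via em0", the same shape as the log line in the thread, and shows that adding 2101 changes only that pass. The practical point for anyone reviewing such a ruleset is that with member filtering enabled every bridged packet is judged twice, so a rule written for the inbound pass alone does not describe what the firewall permits end to end.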