From owner-freebsd-pf@FreeBSD.ORG Tue Dec 13 19:56:55 2005
Date: Wed, 14 Dec 2005 08:56:24 +1300
From: Andrew Thompson <thompsa@freebsd.org>
To: Michiel Kranenburg
Cc: freebsd-pf@freebsd.org
Subject: Re: Possible bug in PF with if_bridge
Message-ID: <20051213195624.GA5248@heff.fud.org.nz>
In-Reply-To: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
References: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, Dec 13, 2005 at 06:07:46PM +0100, Michiel Kranenburg wrote:
> Hello all,
>
> I may have found a bug in PF (in combination with if_bridge) for
> FreeBSD 6.0-RELEASE.
>
> The weird thing occurs when using PF to filter the bridge.
> Let me post my pf.conf first: (I did not post the declaration of variables
> on top of the conf)
>
> ---------------------------------------------
> scrub in all
>
> block in log on bridge0 from any to $mynet
> block return-rst in log on bridge0 proto tcp from any to $mynet
>
> pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
> pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
>
> pass on lo0 all
>
> [...]
>
> Now comes the strange part:
>
> Behind $web and $mail are running SSH-servers. As defined by the rules, I
> don't want to allow any connection from the outside to the SSH-servers.
> BUT, some hosts/ip-addresses can _still_ connect to the SSH-servers(!), and
> some _don't_ (as it is supposed to be).

You should probably be filtering on the member interfaces rather than
bridge0 if you are doing keep-state. bridge0 has no direction, so packets
travelling in one direction look the same as the reverse path; this may be
tripping up the stateful rules. Can you try changing your pf rules to
filter on xl1 and xl2 and see if you get the same behaviour.

P.S. 6.0-RELEASE has an mbuf leak with if_bridge(4)+pfil(9), you may want to
go to RELENG_6

cheers,
Andrew
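One way to carry out Andrew's suggestion, as an added example that is neither the poster's pf.conf nor anything from the FreeBSD project: the same policy moved from bridge0 onto the member interfaces. The assignment of xl1 as the outside-facing NIC and xl2 as the protected-side NIC, the 192.0.2.0/24 value for $mynet, and the sysctl values are assumptions made for this example; the two sysctl names are the if_bridge(4) knobs that select where the bridge hands packets to pfil(9).

```pf
# Added example, not the original poster's configuration.
# Assumed layout: xl1 faces the upstream network, xl2 faces the protected
# hosts, and both are members of bridge0. Adjust to your own wiring.
ext_if = "xl1"
int_if = "xl2"
mynet  = "192.0.2.0/24"      # constructed value; use your real $mynet

# Put these in /etc/sysctl.conf (assumed values): filter on the member
# interfaces only, so each packet is seen once, on a physical NIC, with a
# real in/out direction. With pfil_bridge=0 rules "on bridge0" no longer
# see any traffic, which is why every rule below names a member.
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

scrub in all

# Unsolicited traffic entering from the outside NIC toward the protected
# net is dropped; TCP gets a RST so the client fails fast. Replies to
# connections opened from the inside match existing state before these
# rules are evaluated, so they are not affected.
block in log on $ext_if from any to $mynet
block return-rst in log on $ext_if proto tcp from any to $mynet

# Connections from the protected net create state on the NIC where the
# SYN enters. pf states are floating by default, so the same state matches
# the packet again when it leaves on the other member and matches the
# reply when it comes back in on $ext_if.
pass in on $int_if proto { tcp, udp, icmp } from $mynet to $mynet keep state
pass in on $int_if proto { tcp, udp } from $mynet to any keep state
pass out on $ext_if proto { tcp, udp } from $mynet to any keep state

pass on lo0 all
```

The reason this removes the ambiguity Andrew describes: on bridge0 a packet forwarded from xl1 to xl2 and its reply forwarded from xl2 to xl1 both pass the bridge interface in the same pf direction, so a "pass in ... keep state" rule cannot tell the original SYN from traffic flowing the other way. On the member interfaces the SYN is "in on xl2" and its reply is "in on xl1", which is what keep state needs. After loading the ruleset, `pfctl -ss` should show states whose interface column names xl1 or xl2 and never bridge0, and `pfctl -sr` should list no rule on bridge0.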