Date: Wed, 24 Mar 2021 04:54:25 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 254015] Panic when using bridge interface on 13.0-BETA4
Message-ID: <bug-254015-7501-CbfH1ijtdi@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254015-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-254015-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254015

--- Comment #13 from shamaz.mazum@gmail.com ---

Can you reproduce it yourself by adding net.link.ether.ipfw = 0 to /etc/sysctl.conf and writing firewall rules like these:

#!/bin/sh

IPFW="/sbin/ipfw -q"
IFACE="wg0"
PUB_IFACE="re1"
SKIP_IP="skipto 20000"
SKIP_ETHER="skipto 30000"

# Ports list:
SSH="22"
TELNET="23"
SMTP="25"
WHOIS="43"
WWW="80"
HTTPS="443"
POP3="110"
SSMTP="465"
POP3S="995"
GIT="9418"
FTPC="21"
FTPD="20"
IRC="6660-7000"
NTP="123"

OPENPORTS="$WWW,$HTTPS"
OPENPORTS="$OPENPORTS,$SSH,$WHOIS,$GIT"

# MAC addresses allowed to talk across the bridge; matching frames get tagged
GOODMACS="cc:af:78:58:73:a2 60:45:cb:64:2a:65 3c:7c:3f:3c:52:5b"
GOODMACS_TAG="100"
SUBNET="192.168.20.0/24"
LOCALIFACES="re0 wlan0 bridge0 lo0 tap0"

$IPFW -f flush
$IPFW -f nat flush

# Start NAT
$IPFW nat 1 config if $IFACE log same_ports reset

# Reassemble fragmented packets before any further matching
$IPFW add reass ip from any to any frag in
#$IPFW add $SKIP_ETHER ip from any to any layer2
$IPFW add check-state :before-nat

# Drop connections to LAN from untrusted macs
#$IPFW add allow ip from any to any tagged $GOODMACS_TAG via bridge0
# Allow DHCP
#$IPFW add allow udp from any 68 to me dst-port 67 in via bridge0 keep-state :before-nat
# And ICMP
#$IPFW add allow icmp from any to any via bridge0
# Drop everything else
#$IPFW add deny ip from any to $SUBNET in via bridge0

# Enable LAN traffic
for lan_iface in $LOCALIFACES; do
    $IPFW add allow ip from any to any via $lan_iface
done

# Public iface setup
# Wireguard
$IPFW add allow udp from me to 185.213.155.130 dst-port 51820 out via $PUB_IFACE keep-state :before-nat
# OpenVPN
#$IPFW add allow udp from me to any dst-port 1197 out via $PUB_IFACE keep-state :before-nat
$IPFW add allow icmp from any to any via $PUB_IFACE
$IPFW add deny ip from any to any via $PUB_IFACE

$IPFW add nat 1 ip from any to any in via $IFACE
$IPFW add check-state :after-nat

# Allow DNS for this machine
$IPFW add $SKIP_IP tcp from me to any 53 out via $IFACE setup keep-state :after-nat
$IPFW add $SKIP_IP udp from me to any 53 out via $IFACE keep-state :after-nat
# All common open ports
$IPFW add $SKIP_IP tcp from me to any $OPENPORTS out \
    via $IFACE setup keep-state :after-nat
# DHCP
$IPFW add $SKIP_IP udp from any 68 to any dst-port 67 out via $IFACE keep-state :after-nat
# NTP
$IPFW add $SKIP_IP udp from me to any $NTP out via $IFACE keep-state :after-nat
# Allow ICMP
$IPFW add $SKIP_IP icmp from any to any via $IFACE

$IPFW add deny all from me to any out via $IFACE
$IPFW add deny all from any to me in via $IFACE

# Outbound traffic that passed the checks above is NATed here (skipto target)
$IPFW add 20000 nat 1 ip from any to any out via $IFACE
$IPFW add allow ip from any to any via $IFACE
$IPFW add deny ip from any to any

# Ethernet-layer processing (ipfw operand order is "mac dst src")
$IPFW add 30000 allow ip from any to any mac-type arp
for mac in $GOODMACS; do
    $IPFW add allow tag $GOODMACS_TAG ip from any to any mac any $mac in
    $IPFW add allow tag $GOODMACS_TAG ip from any to any mac $mac any out
done
$IPFW add allow ip from any to any

You can drop all rules about VPN, home VLAN, etc. Just leave layer2 filtering.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
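A reduced version of the reproduction setup above, written as an added example (it is not the ruleset from the comment) for anyone who wants to exercise only the layer2 path on the bridge, as the comment suggests: it keeps the MAC allow-list with tagging and drops the NAT, VPN and per-port rules. Assumed here: bridge0 as the bridge interface, two constructed sample MAC addresses, tag 100 and rule number 30000 for the layer2 section, and net.link.ether.ipfw=1 plus net.link.bridge.ipfw=1 so that frames are actually handed to the layer2 rules. Adjust these to the box under test.

```shell
#!/bin/sh
# Minimal layer2-only ipfw ruleset for testing the bridge path in isolation.
# Added example; not the ruleset posted in the bug comment.
# Assumptions (hypothetical, adjust to the box under test):
#   - bridge0 is the bridge interface
#   - the two MACs below are constructed sample addresses
#   - tag 100 and rule number 30000 mark the layer2 section
set -eu

BRIDGE="bridge0"
GOODMACS="cc:af:78:58:73:a2 60:45:cb:64:2a:65"   # constructed sample MACs
GOODMACS_TAG="100"
L2_BASE="30000"

# Emit one ipfw command per line, without the leading "ipfw", in the form
# that `ipfw <pathname>` reads back in.
layer2_rules() {
    # Frames coming from the ether/bridge hooks carry the layer2 flag;
    # send them straight to the layer2 section so they skip the IP rules.
    echo "add skipto $L2_BASE ip from any to any layer2"

    # IP pass: only packets whose frame was tagged during the layer2 pass
    # may cross the bridge; everything else on the bridge is dropped.
    echo "add allow ip from any to any tagged $GOODMACS_TAG via $BRIDGE"
    echo "add deny ip from any to any via $BRIDGE"
    echo "add allow ip from any to any"

    # Layer2 pass: let ARP through, tag frames from/to allow-listed MACs,
    # drop any other frame. ipfw's operand order is "mac dst src".
    echo "add $L2_BASE allow ip from any to any mac-type arp"
    for mac in $GOODMACS; do
        echo "add allow tag $GOODMACS_TAG ip from any to any mac any $mac in"
        echo "add allow tag $GOODMACS_TAG ip from any to any mac $mac any out"
    done
    echo "add deny ip from any to any layer2"
}

# Number of rules the generator produces: 6 fixed rules plus 2 per MAC.
# Useful as a sanity check after editing the MAC list.
rule_count() {
    layer2_rules | grep -c '^add'
}

# Hand the rules to ipfw. CHECK_ONLY=1 uses `ipfw -n`, which only parses
# the file, so the ruleset can be syntax-checked before touching a live box.
load_rules() {
    tmp=$(mktemp) || return 1
    layer2_rules > "$tmp"
    if [ "${CHECK_ONLY:-0}" = 1 ]; then
        /sbin/ipfw -n -q "$tmp"
    else
        # Enable the layer2 hooks, then replace the current ruleset.
        sysctl net.link.ether.ipfw=1 net.link.bridge.ipfw=1
        /sbin/ipfw -q -f flush
        /sbin/ipfw -q "$tmp"
    fi
    rm -f "$tmp"
}

case "${1:-print}" in
    print) layer2_rules ;;
    load)  load_rules ;;
    *)     echo "usage: $0 [print|load]" >&2; exit 2 ;;
esac
```

Run it without arguments to see the generated rules; `CHECK_ONLY=1 sh script.sh load` lets ipfw parse them without changing the kernel, and `sh script.sh load` installs them. Because the skipto to the layer2 section is the first rule, bridged frames never traverse the IP rules, which is what isolates the layer2 code path for the test.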