From owner-freebsd-hackers Sat Sep 22 8:17:59 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id 1D23E37B41C; Sat, 22 Sep 2001 08:17:50 -0700 (PDT)
Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id RAA66779; Sat, 22 Sep 2001 17:08:20 +0200 (CEST) (envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200109221508.RAA66779@info.iet.unipi.it>
Subject: Re: net.inet.ip.fw.one_pass=0 not effective in filtering bridge?
In-Reply-To: from Chris Hardie at "Sep 22, 2001 09:15:54 am"
To: Chris Hardie
Date: Sat, 22 Sep 2001 17:08:20 +0200 (CEST)
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In fact one_pass does not work with bridging, it might be as simple as
changing one line in bridge.c

    if (ip_fw_chk_ptr && bdg_ipfw != 0 && src != NULL) {
        struct ip *ip ;
        int i;
-       if (rule != NULL) /* dummynet packet, already partially processed */
+       if (rule != NULL && fw_one_pass)
            goto forward; /* HACK! I should obey the fw_one_pass */

but I never had a chance to test it. If you want to give this a try,
I'd be glad to know how it works.

	cheers
	luigi

> Hi. I've got a filtering bridge running on FreeBSD 4.3 with ipfw and
> a customized rc.firewall config. The setup has been working well for
> a while now. I was unfortunately alerted to a hole after a box behind
> the firewall was cracked because ports that I thought were
> protected...weren't.
>
> It turns out that traffic to/from the machine in question was being
> passed through a pipe early in the rc.firewall config, and that the
> ipfw processing terminated when the packets came out of the pipe, so
> they never saw the rules farther down that would have dropped those
> packets headed for bad places.
>
> A-ha! "Easy" you say - just do
>     sysctl -w net.inet.ip.fw.one_pass=0
> and according to the ipfw man page, that will cause the packets to be
> re-injected into the firewall when they come out of the pipe, starting
> where they left off. Well, this just doesn't seem to be taking
> effect!
>
> I've crawled through docs and mailing lists. Setting
> net.inet.ip.fw.one_pass seems to be the common solution, but a few
> other people have mentioned the same ineffectiveness of that, and then
> those threads just drop off. So I'm wondering if it's possible that,
> because the kernel is compiled with "options BRIDGE", that packets are
> strictly only going through the firewall rules once, and that
> net.inet.ip.fw.one_pass=0 isn't having an effect in this case?
>
> If my wondering is in error, I'm looking for suggestions about how to
> verify the behavior I'm seeing and how to achieve the desired result: to
> use pipes AND deny rules that come after. I'm happy to send along the
> particular rules, but wanted to see if the question could be answered
> using theory first.
>
> (This message addresses an issue similar to but separate from the "ipfw"
> thread on freebsd-questions started by Rick Norman on Sep 18. I also
> posted this message there.)
>
> Any help is much appreciated.
>
> Thanks,
> Chris
>
> --
> Chris Hardie -----------------------------
> ----- mailto:chris@summersault.com ----------
> -------- http://www.summersault.com/chris/ --
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
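Review bot: the comment on the `goto forward;` line, "HACK! I should obey the fw_one_pass", becomes stale the moment the condition is changed to `if (rule != NULL && fw_one_pass)`, and the `-` line also drops the only explanation of what `rule != NULL` means ("dummynet packet, already partially processed"). Suggest rewording that comment to carry the dropped explanation, e.g. `/* dummynet packet already partially processed; forward it unless fw_one_pass is off */`. Since the snippet does not show what follows the `goto`, it is also worth confirming that when `fw_one_pass` is 0 the fall-through path hands `rule` back to the ipfw check so the packet resumes after the pipe rule rather than at the top of the chain, and that bridge.c sees a declaration of `fw_one_pass`; the reply says the change is untested, so a one_pass=0 run with a deny rule placed after the pipe would be the natural check.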
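A worked model of the rule traversal the two messages describe, covering both the one_pass semantics from the question and the bridge-path behaviour the reply's one-line change addresses. This is an added example, not code from the thread or from FreeBSD; the rule numbers, the port used for the "bad place", and the trailing default deny are constructed for the illustration, and `bridge_path=True` stands for the unpatched `if (rule != NULL) goto forward` line quoted in the reply. The `denies_after_pipe` helper is the static check a firewall maintainer would want: it lists deny rules whose effect depends on one_pass at all.

```python
"""Model of how ipfw walks a rule chain around a dummynet pipe.

Added illustration, not code from the thread or from FreeBSD.  A packet
matching a 'pipe' rule leaves the chain; whether it is re-injected
"starting where it left off" depends on net.inet.ip.fw.one_pass and, on
the bridge path, on the bridge.c line patched in the reply.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                     # "allow", "deny" or "pipe"
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass
class Packet:
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def run_chain(rules: List[Rule], pkt: Packet, start: int = 0) -> Tuple[str, int]:
    """Walk the chain from index `start`; return (action, index of matching rule)."""
    for i in range(start, len(rules)):
        if matches(rules[i], pkt):
            return rules[i].action, i
    return "deny", len(rules)       # implicit default deny (constructed)


def filter_packet(rules: List[Rule], pkt: Packet,
                  one_pass: bool = True, bridge_path: bool = False) -> str:
    """Final verdict for pkt.

    one_pass    -- value of net.inet.ip.fw.one_pass (1 = stop after the pipe)
    bridge_path -- True models the unpatched bridge.c, which does
                   'if (rule != NULL) goto forward' for any packet coming
                   back from dummynet, so one_pass is never consulted.
    """
    start = 0
    while True:
        verdict, idx = run_chain(rules, pkt, start)
        if verdict != "pipe":
            return verdict
        # The packet was queued by dummynet and is now coming back out.
        if one_pass or bridge_path:
            return "allow"          # forwarded; later rules are never seen
        start = idx + 1             # re-injected, starting where it left off


def denies_after_pipe(rules: List[Rule]) -> List[int]:
    """Numbers of deny rules that sit after the first pipe rule: these are
    exactly the rules whose effect depends on one_pass and the code path."""
    seen_pipe = False
    late_denies: List[int] = []
    for r in rules:
        if r.action == "pipe":
            seen_pipe = True
        elif r.action == "deny" and seen_pipe:
            late_denies.append(r.number)
    return late_denies


# Constructed ruleset in the shape the question describes: a pipe early,
# a deny rule for a port that must stay closed farther down.
PIPE_THEN_DENY = [
    Rule(100, "pipe"),               # shape all traffic
    Rule(200, "deny", dst_port=23),  # telnet must not reach the host
    Rule(65000, "allow"),
]

# Same policy with the deny ahead of the pipe: the verdict no longer
# depends on one_pass or on which kernel path evaluates the chain.
DENY_THEN_PIPE = [
    Rule(100, "deny", dst_port=23),
    Rule(200, "pipe"),
    Rule(65000, "allow"),
]

if __name__ == "__main__":
    telnet = Packet(dst_port=23)
    for name, rules in (("pipe-then-deny", PIPE_THEN_DENY),
                        ("deny-then-pipe", DENY_THEN_PIPE)):
        for one_pass in (True, False):
            for bridge in (False, True):
                print(name, "one_pass=%d" % one_pass, "bridge=%d" % bridge,
                      filter_packet(rules, telnet, one_pass, bridge))
        print(name, "deny rules after pipe:", denies_after_pipe(rules))
```

Running it shows the three situations in the thread side by side: with the pipe first, one_pass=1 lets the telnet packet through, one_pass=0 on the ordinary path denies it, and one_pass=0 on the unpatched bridge path still lets it through. Moving the deny ahead of the pipe gives "deny" in every combination, which is the ordering a maintainer can rely on regardless of the sysctl or the kernel path.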