FreeBSD bridge + filtering, BIG problem
Josh Kayse
josh.kayse at gmail.com
Wed Dec 1 05:23:40 PST 2004
On Wed, 1 Dec 2004 20:09:12 +0900, Pyun YongHyeon <yongari at kt-is.co.kr> wrote:
> On Wed, Dec 01, 2004 at 05:51:35AM +0100, Cl?ment MOULIN wrote:
>
>
> > Hi,
> >
> > I'm afraid about having find a freebsd 5X security issue.
> >
> > We have recently upgraded one gateway from 4.10 to 5.3... Following network
> > used:
> >
> > [ISP]--xl1--[FW01]-----xl0--em0--[SR01]
> > |
> > |--fxp0--em0--[SR02]
> >
> > On fw01, we have one jail.
> >
> > So fw01 is configured as a bridge on xl1,xl0,fxp0. Services works (before
> > and after upgrade).
> > On 4.10, we used IPFilter as firewall and for network traffic accounting.
> > Since upgrade, INCOMING traffic accounting does not work anymore (OUTGOING
> > working fine)...
> >
> > Thinking this can be a ipfilter issue, and because we are planning to change
> > for great OpenBSD pf, we have try to do accounting with pf... but same
> > behaviour occurs (tests have be done with big files).
> >
> > From/to inet fw01 jail sr01 sr02
> > Internet - ok ok KO KO
> > Fw01 ok - ok ok ok
> > Jail ok ok - ok ok
> > Sr01 KO* ok ok - KO
> > Sr02 KO* ok ok KO -
> >
> > * with pf enabled, scp connexion going "stalled" very quickly (stop between
> > 100 and 300 Kb of traffic)
> >
> >
> > Worst thing, the "default rule" accounting (any to any) does not report
> > "unreported" traffic... feels like rules are not processed. So I deciding to
> > make another test with pf.
> >
> > Adding "block in quick proto tcp from any to [jail_port] port smtp";
> > Testing: works fine.
> > But we the same rule with the sr01 as destination host, IT DOESN'T WORK:
> > from internet, fw01 or sr02, we can connect to the tcp port
> > !!!!!!!!!!!!!!!!! It's not pf related, because, same behaviour occurs with
> > IPF!!!!!!!!
> >
> >
> >
> > Details
> > fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge,
> > nullfs and pf.
> > Sr01: FreeBSD 5.2.1, custom kernel
> > Sr02: FreeBSD 5.3, GENERIC kernel
> >
> > ------------------------------------pf.conf
> > set loginterface fxp1
> >
> > jail=**IP**
> > sr01=**IP**
> > sr02=**IP**
> >
> > #block in quick proto tcp from any to $sr01 port smtp
> >
> > pass quick from any to $jail keep state label 0
> > pass quick from $jail to any keep state label 1
> > pass quick from any to $sr02 keep state label 6
> > pass quick from $sr02 to any keep state label 7
> > pass quick from any to $sr01 keep state label 10
> > pass quick from $sr01 to any keep state label 11
> >
> > pass all
> > ------------------------------------
> >
> >
> > Seems to be bridge freebsd 5.3 support related...
> > Can someone take a look at this? Thanks!
> >
>
> Both pf and ipf can't create *states* in bridge mode. That restriction
> comes from bridge(4). Since pf/ipf couldn't create states it will
> drop the packet when it thinks the packet is in out of TCP window.
>
> If you want to use pf/ipf in bridge mode, don't use stateful inspection.
> One more note: filtering works only for inbound traffics in bridge mode.
>
> --
> Regards,
> Pyun YongHyeon
> http://www.kr.freebsd.org/~yongari | yongari at freebsd.org
>
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
I know it's been touched on in the past, but can you explain why
stateful inspection does not work in a bridged mode? And why it only
filters for inbound traffic? Does ipfw suffer from the same feature?
Thanks.
-josh
--
Joshua Kayse
Computer Engineering
More information about the freebsd-pf
mailing list