PF with if_bridge

Sean Dean stamper666 at hotmail.com
Sat Sep 10 03:27:13 PDT 2005


Hello,

Since I moved over from an OpenBSD bridge to a FreeBSD-6 one with the new 
bridge code I have been having some problems getting my pf.conf to fully 
work. I have tried all the combinations I could think of, but just can't get 
it right. When I first switched over, I used the exact copy of the pf.conf 
from the OpenBSD machine, just substituting the new device names. This 
didn't work at all, and I have made changes to it, possibly inserting an 
error on my part.

I was wondering if someone could assist me?

Here is my current pf.conf:

-------------------------------------

set loginterface bridge0

# Turning on scrub in this config stops the bridge from working, this was not
# the case in OpenBSD. So we comment it out.
#scrub in on bridge0 all no-df

block in log on bridge0 all

pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22, 25 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80, 443 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80, 443 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 25 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 80 } flags S/SA keep state
pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22 } flags S/SA keep state

# Bind doesn't seem to work with these rules. The request to 53 works, but
# the reply, on the random, high UDP port is blocked. So we use the rule I have
# further below, which allows all UDP.
#pass in on bridge0 proto udp from any to 216.58.xxx.xxx port { 53 } keep state
#pass in on bridge0 proto udp from any to 216.58.xxx.xxx port { 53 } keep state

pass in on bridge0 proto udp from any to any keep state
# The rule below doesn't seem to actually work, this might be bad placement
# of the rule? I keep it in because there seems to be no negative effect.
block in log on bridge0 proto udp from any to any port { 161, 514 }

pass in on bridge0 inet proto icmp all icmp-type echoreq keep state

pass in on bridge0 proto esp from any to any keep state

# I remember seeing people saying that only "in" rules are allowed on a bridge,
# although I have also seen other cases of "out" rules being applied to this
# new FreeBSD bridge code. ALL TCP traffic coming from the inside is blocked,
# but if it originates from the outside (example Apache, SSH login) it works fine.
pass out on bridge0 proto tcp all flags S/SA keep state
pass out on bridge0 proto udp all keep state
pass out on bridge0 proto icmp all keep state

-------------------------------------

To address the possible "in" only rule above I tried to place this in 
instead, but no change, outgoing traffic was blocked originating from the 
inside:

pass in on bridge0 proto tcp from 216.58.xxx.xxx/26 to any keep state


I thank you in advance for any help you can provide. I probably did 
something wrong above that is causing these problems, but I can't figure it 
out and look to you all for advice.

Thanks,

Sean
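An added example, not from the original post and not FreeBSD's own code: a POSIX sh script that reads the if_bridge filtering sysctls net.link.bridge.pfil_bridge and net.link.bridge.pfil_member (documented in if_bridge(4)) and lists, in order, the pf evaluation points a packet forwarded across the bridge passes through, so you can see which of those points a ruleset written only "on bridge0" actually covers. The member names em0/em1 and the sample sysctl output in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): map the if_bridge pfil sysctls
# to the places where pf evaluates rules for a bridged packet.
# Assumes the sysctl names from if_bridge(4); em0/em1 are placeholder members.

# Read "name: value" lines in sysctl(8) output format from stdin and print the
# enabled filter points: "bridge", "members", "bridge members" or "none".
bridge_filter_points() {
    pfil_bridge=0; pfil_member=0; out=""
    while IFS= read -r line; do
        case "$line" in
            net.link.bridge.pfil_bridge:*) pfil_bridge=${line##*: } ;;
            net.link.bridge.pfil_member:*) pfil_member=${line##*: } ;;
        esac
    done
    [ "$pfil_bridge" = 1 ] && out="bridge"
    [ "$pfil_member" = 1 ] && out="${out:+$out }members"
    echo "${out:-none}"
}

# Print the pf evaluation points, in order, for a packet entering bridge $2 on
# member $3 and leaving on member $4, given the filter points from
# bridge_filter_points in $1. Ingress is filtered on the member and then on the
# bridge; egress on the bridge and then on the outgoing member. Any point not
# named by a rule falls back to pf's default pass, so a ruleset that only says
# "on bridge0" leaves the member points unfiltered when pfil_member is 1.
forward_path() {
    points=$1; br=$2; in_if=$3; out_if=$4; path=""
    case " $points " in *" members "*) path="in on $in_if" ;; esac
    case " $points " in *" bridge "*)
        path="${path:+$path, }in on $br, out on $br" ;;
    esac
    case " $points " in *" members "*) path="${path:+$path, }out on $out_if" ;; esac
    echo "${path:-no pf filtering}"
}

# Live run on a FreeBSD host; on anything else the functions are just defined.
if [ "$(uname)" = FreeBSD ]; then
    points=$(sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member |
             bridge_filter_points)
    echo "filter points: $points"
    echo "forwarded packet is evaluated: $(forward_path "$points" bridge0 em0 em1)"
fi
```

Note that net.link.bridge.pfil_onlyip (also in if_bridge(4)) additionally restricts filtering to IP packets, so non-IP frames crossing the bridge are not seen by pf at any of these points.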
