Questions about filtering bridges

Richard Coleman rcoleman at criticalmagic.com
Mon Sep 17 14:59:03 PDT 2007


Andrew Thompson wrote:
> On Mon, Sep 17, 2007 at 04:38:33PM -0400, Richard Coleman wrote:
>   
>> Andrew Thompson wrote:
>>     
>>> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>>>
>>>> Question 1: In the Handbook section on bridging, it says that if you 
>>>> need to set up an IP address, you should put it on the bridge interface 
>>>> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to 
>>>> put it on the inside interface.  What are the consequences of doing it 
>>>> either way?
>>>>
>>> OpenBSD does not support adding an IP address to a bridge interface so
>>> they do not have a choice here. Assigning the IP to the bridge is the
>>> correct way to do it as it is the central piece of the setup.
>>>
>>>
>>>> Question 2: If I use the following pf.conf (should block everything 
>>>> inbound, but allow everything outbound), I notice I'm still able to ssh 
>>>> into the bridging firewall itself.  Why isn't that blocked?  I'm 
>>>> guessing it's a consequence of the fact that I put an ip address on the 
>>>> bridging interface, but I'm not sure.  What am I missing?
>>>>
>>> This is because the _bridge_ is the interface that the packet arrives
>>> on. Think of the bridge as a fully functioning interface; what you need
>>> is:
>>>
>>> bridge_if="bridge0"
>>> block in log on $bridge_if all
>>>
>>>
>>> regards,
>>> Andrew
>>>
>> I was confused because the if_bridge(4) man page (for 6.2) says that 
>> traffic always passes first through the originating interface (which I 
>> took to be the external physical interface), then passes through the 
>> bridge interface, and then through all appropriate outbound interfaces.  
>> So I assumed a block rule for the first physical interface would 
>> prevent the packet from ever reaching the bridge interface.
>>
>> Given that wording, I was confused why you would ever need to filter on 
>> the bridge interface itself.
>>     
>
> I see where the confusion comes in then. That particular section refers
> to the bridge forwarding packets, anything that is destined for the
> local host is tapped off early and handled specially. I welcome any
> wording changes on the man page.
>
>
> cheers,
> Andrew
>   
That greatly clarifies things.  Thanks for the help.

Richard Coleman
rcoleman at criticalmagic.com
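For readers arriving at this thread, here is a pf.conf that puts the two points above together. It is an added example, not the ruleset Richard posted (which is not in the archive) and not FreeBSD's or Andrew's own configuration. Interface names em0 (outside), em1 (inside), the inside prefix 192.0.2.0/24 and the choice of ssh as the only management service are assumptions; the IP address is assumed to live on bridge0 as recommended above.

```pf
# Added example (not from the thread): pf.conf for a FreeBSD filtering bridge.
# Assumptions: em0 is the outside NIC, em1 the inside NIC, both are members
# of bridge0, and the management IP is configured on bridge0. Interface
# names and the 192.0.2.0/24 inside prefix are placeholders.
ext_if="em0"
int_if="em1"
bridge_if="bridge0"
inside_net="192.0.2.0/24"

set skip on lo0

# Forwarded traffic is seen on the member interfaces (if_bridge(4):
# originating interface, then the bridge, then the outbound members).
# Drop whatever arrives from outside; let inside hosts initiate outward.
block in log on $ext_if all
pass in on $int_if from $inside_net to any keep state

# Traffic addressed to the bridge host itself is tapped off early and
# arrives on bridge0, so rules on $ext_if never see it. Filter it here.
block in log on $bridge_if all
pass in on $bridge_if proto tcp from $inside_net to ($bridge_if) port ssh keep state
pass out on $bridge_if all keep state
```

Two checks before relying on this. First, `pfctl -nf /etc/pf.conf` parses the file without loading it. Second, member-interface and bridge-interface filtering are each controlled by a sysctl documented in if_bridge(4), net.link.bridge.pfil_member and net.link.bridge.pfil_bridge; both must be enabled (their default) for the rules on $ext_if and on $bridge_if respectively to be consulted. The reply packets for connections initiated from inside arrive on $ext_if and are matched by the state created on $int_if because pf's default state-policy is floating; with `set state-policy if-bound` the `block in on $ext_if` rule would drop them.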

