Thread: Questions about filtering bridges

Questions about filtering bridges
From: Richard Coleman (United States)
2007-09-16 21:36:41
I'm setting up a filtering bridge and have a couple of questions.
Hopefully someone here can help.  I've looked at all the docs online
(and lots of Google searches) but there isn't much recent info on
filtering bridges.

The setup is pretty simple: fxp0 is external and fxp1 is internal.

# rc.conf
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"

Question 1: In the Handbook section on bridging, it says that if you
need to set up an IP address, you should put it on the bridge interface
(bridge0).  But in the OpenBSD docs on filtering bridges, they say to
put it on the inside interface.  What are the consequences of doing it
either way?

Question 2: If I use the following pf.conf (should block everything
inbound, but allow everything outbound), I notice I'm still able to ssh
into the bridging firewall itself.  Why isn't that blocked?  I'm
guessing it's a consequence of the fact that I put an IP address on the
bridging interface, but I'm not sure.  What am I missing?

# pf.conf

# interfaces
ext_if="fxp0"
int_if="fxp1"

# options
set skip on lo0
set block-policy drop

# normalization
scrub in on $ext_if all
scrub out on $ext_if random-id

# external interface, inbound
# default is to block all inbound on external interface
block in log on $ext_if all

# external interface, outbound
block out log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# internal interface, inbound
pass in on $int_if all

# internal interface, outbound
pass out on $int_if all


Richard Coleman
rcoleman@criticalmagic.com
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: Questions about filtering bridges
From: Gilberto Villani Brito
2007-09-17 14:42:43
On 16/09/2007, Richard Coleman <rcoleman@criticalmagic.com> wrote:
> I'm setting up a filtering bridge and have a couple of questions.
> Hopefully someone here can help.  I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to set up an IP address, you should put it on the bridge interface
> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface.  What are the consequences of doing it
> either way?
>
> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself.  Why isn't that blocked?  I'm
> guessing it's a consequence of the fact that I put an IP address on the
> bridging interface, but I'm not sure.  What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all
>
> # external interface, outbound
> block out log on $ext_if all
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
>
> # internal interface, inbound
> pass in on $int_if all
>
> # internal interface, outbound
> pass out on $int_if all
>
> Richard Coleman
> rcoleman@criticalmagic.com

Hi Richard;
The first question I don't know, but the second I know.
You are blocking everything:
block in log on $ext_if all
block out log on $ext_if all
But here:
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
All the traffic going out is allowed, and PF reads all rules unless you
use quick to stop.
See here:
http://www.openbsd.org/faq/pf/filter.html#intro


-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

Re: Questions about filtering bridges
From: Richard Coleman (United States)
2007-09-17 15:38:33
Andrew Thompson wrote:
> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>> I'm setting up a filtering bridge and have a couple of questions.
>> Hopefully someone here can help.  I've looked at all the docs online
>> (and lots of Google searches) but there isn't much recent info on
>> filtering bridges.
>>
>> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>>
>> # rc.conf
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>>
>> Question 1: In the Handbook section on bridging, it says that if you
>> need to set up an IP address, you should put it on the bridge interface
>> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
>> put it on the inside interface.  What are the consequences of doing it
>> either way?
>
> OpenBSD does not support adding an IP address to a bridge interface so
> they do not have a choice here. Assigning the IP to the bridge is the
> correct way to do it as it is the central piece of the setup.
>
>> Question 2: If I use the following pf.conf (should block everything
>> inbound, but allow everything outbound), I notice I'm still able to ssh
>> into the bridging firewall itself.  Why isn't that blocked?  I'm
>> guessing it's a consequence of the fact that I put an IP address on the
>> bridging interface, but I'm not sure.  What am I missing?
>>
>> # pf.conf
>>
>> # interfaces
>> ext_if="fxp0"
>> int_if="fxp1"
>>
>> # options
>> set skip on lo0
>> set block-policy drop
>>
>> # normalization
>> scrub in on $ext_if all
>> scrub out on $ext_if random-id
>>
>> # external interface, inbound
>> # default is to block all inbound on external interface
>> block in log on $ext_if all
>
> This is because the _bridge_ is the interface that the packet arrives
> on. Think of the bridge as a fully functioning interface; what you need
> is:
>
> bridge_if="bridge0"
> block in log on $bridge_if all
>
> regards,
> Andrew
I was confused because the if_bridge(4) man page (for 6.2) says that
traffic always passes first through the originating interface (which I
took to be the external physical interface), then passes through the
bridge interface, and then through all appropriate outbound interfaces.
So I assumed a block rule for the first physical interface would
prevent the packet from ever reaching the bridge interface.

Given that wording, I was confused why you would ever need to filter on
the bridge interface itself.

Thanks for the help.

Richard Coleman
rcoleman@criticalmagic.com

Re: Questions about filtering bridges
From: Andrew Thompson (New Zealand)
2007-09-17 15:43:18
On Mon, Sep 17, 2007 at 04:38:33PM -0400, Richard Coleman wrote:
> Andrew Thompson wrote:
> >On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
> >>Question 1: In the Handbook section on bridging, it says that if you
> >>need to set up an IP address, you should put it on the bridge interface
> >>(bridge0).  But in the OpenBSD docs on filtering bridges, they say to
> >>put it on the inside interface.  What are the consequences of doing it
> >>either way?
> >
> >OpenBSD does not support adding an IP address to a bridge interface so
> >they do not have a choice here. Assigning the IP to the bridge is the
> >correct way to do it as it is the central piece of the setup.
> >
> >>Question 2: If I use the following pf.conf (should block everything
> >>inbound, but allow everything outbound), I notice I'm still able to ssh
> >>into the bridging firewall itself.  Why isn't that blocked?  I'm
> >>guessing it's a consequence of the fact that I put an IP address on the
> >>bridging interface, but I'm not sure.  What am I missing?
> >
> >This is because the _bridge_ is the interface that the packet arrives
> >on. Think of the bridge as a fully functioning interface; what you need
> >is:
> >
> >bridge_if="bridge0"
> >block in log on $bridge_if all
> >
> >regards,
> >Andrew
> I was confused because the if_bridge(4) man page (for 6.2) says that
> traffic always passes first through the originating interface (which I
> took to be the external physical interface), then passes through the
> bridge interface, and then through all appropriate outbound interfaces.
> So I assumed a block rule for the first physical interface would
> prevent the packet from ever reaching the bridge interface.
>
> Given that wording, I was confused why you would ever need to filter on
> the bridge interface itself.

I see where the confusion comes in then. That particular section refers
to the bridge forwarding packets; anything that is destined for the
local host is tapped off early and handled specially. I welcome any
wording changes on the man page.


cheers,
Andrew

Re: Questions about filtering bridges
From: Andrew Thompson (New Zealand)
2007-09-17 15:29:51
On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
> I'm setting up a filtering bridge and have a couple of questions.
> Hopefully someone here can help.  I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to set up an IP address, you should put it on the bridge interface
> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface.  What are the consequences of doing it
> either way?

OpenBSD does not support adding an IP address to a bridge interface so
they do not have a choice here. Assigning the IP to the bridge is the
correct way to do it as it is the central piece of the setup.

> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself.  Why isn't that blocked?  I'm
> guessing it's a consequence of the fact that I put an IP address on the
> bridging interface, but I'm not sure.  What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all

This is because the _bridge_ is the interface that the packet arrives
on. Think of the bridge as a fully functioning interface; what you need
is:

bridge_if="bridge0"
block in log on $bridge_if all


regards,
Andrew

Re: Questions about filtering bridges
From: Richard Coleman (United States)
2007-09-17 15:22:28
Gilberto Villani Brito wrote:
> On 16/09/2007, Richard Coleman <rcoleman@criticalmagic.com> wrote:
>> I'm setting up a filtering bridge and have a couple of questions.
>> Hopefully someone here can help.  I've looked at all the docs online
>> (and lots of Google searches) but there isn't much recent info on
>> filtering bridges.
>>
>> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>>
>> # rc.conf
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>>
>> Question 1: In the Handbook section on bridging, it says that if you
>> need to set up an IP address, you should put it on the bridge interface
>> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
>> put it on the inside interface.  What are the consequences of doing it
>> either way?
>>
>> Question 2: If I use the following pf.conf (should block everything
>> inbound, but allow everything outbound), I notice I'm still able to ssh
>> into the bridging firewall itself.  Why isn't that blocked?  I'm
>> guessing it's a consequence of the fact that I put an IP address on the
>> bridging interface, but I'm not sure.  What am I missing?
>>
>> # pf.conf
>>
>> # interfaces
>> ext_if="fxp0"
>> int_if="fxp1"
>>
>> # options
>> set skip on lo0
>> set block-policy drop
>>
>> # normalization
>> scrub in on $ext_if all
>> scrub out on $ext_if random-id
>>
>> # external interface, inbound
>> # default is to block all inbound on external interface
>> block in log on $ext_if all
>>
>> # external interface, outbound
>> block out log on $ext_if all
>> pass out on $ext_if proto tcp all flags S/SA keep state
>> pass out on $ext_if proto { udp, icmp } all keep state
>>
>> # internal interface, inbound
>> pass in on $int_if all
>>
>> # internal interface, outbound
>> pass out on $int_if all
>>
>> Richard Coleman
>> rcoleman@criticalmagic.com
>
> Hi Richard;
> The first question I don't know, but the second I know.
> You are blocking everything:
> block in log on $ext_if all
> block out log on $ext_if all
> But here:
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
> All the traffic going out is allowed, and PF reads all rules unless you
> use quick to stop.
> See here:
> http://www.openbsd.org/faq/pf/filter.html#intro
There are no pass rules for inbound on the external interface.  So the
initial "block in" should win for inbound on the external interface.
But I'm still able to remotely ssh into the bridge from outside the
company.  If this was a routing firewall, I'm pretty sure it would
block the connection.  I think it's something unique to bridging
firewalls.

rc

Re: Questions about filtering bridges
From: Richard Coleman (United States)
2007-09-17 16:59:01
Andrew Thompson wrote:
> On Mon, Sep 17, 2007 at 04:38:33PM -0400, Richard Coleman wrote:
>> Andrew Thompson wrote:
>>> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>>>> Question 1: In the Handbook section on bridging, it says that if you
>>>> need to set up an IP address, you should put it on the bridge interface
>>>> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
>>>> put it on the inside interface.  What are the consequences of doing it
>>>> either way?
>>>
>>> OpenBSD does not support adding an IP address to a bridge interface so
>>> they do not have a choice here. Assigning the IP to the bridge is the
>>> correct way to do it as it is the central piece of the setup.
>>>
>>>> Question 2: If I use the following pf.conf (should block everything
>>>> inbound, but allow everything outbound), I notice I'm still able to ssh
>>>> into the bridging firewall itself.  Why isn't that blocked?  I'm
>>>> guessing it's a consequence of the fact that I put an IP address on the
>>>> bridging interface, but I'm not sure.  What am I missing?
>>>
>>> This is because the _bridge_ is the interface that the packet arrives
>>> on. Think of the bridge as a fully functioning interface; what you need
>>> is:
>>>
>>> bridge_if="bridge0"
>>> block in log on $bridge_if all
>>>
>>> regards,
>>> Andrew
>> I was confused because the if_bridge(4) man page (for 6.2) says that
>> traffic always passes first through the originating interface (which I
>> took to be the external physical interface), then passes through the
>> bridge interface, and then through all appropriate outbound interfaces.
>> So I assumed a block rule for the first physical interface would
>> prevent the packet from ever reaching the bridge interface.
>>
>> Given that wording, I was confused why you would ever need to filter on
>> the bridge interface itself.
>
> I see where the confusion comes in then. That particular section refers
> to the bridge forwarding packets; anything that is destined for the
> local host is tapped off early and handled specially. I welcome any
> wording changes on the man page.
>
> cheers,
> Andrew
That greatly clarifies things.  Thanks for the help.

Richard Coleman
rcoleman@criticalmagic.com

Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
From: Andrew Thompson (New Zealand)
2007-10-02 04:16:10
On Tue, Oct 02, 2007 at 11:01:27AM +0300, Tobias Ernst wrote:
> Dear members of this list,
>
> Recently, it was stated here by Andrew Thompson that
>
> > anything that is destined for the
> > local host is tapped off early and handled specially.
>
> This referred to the fact that packets passing through a bridging
> firewall can be filtered on the individual inbound/outbound interfaces,
> but packets destined for the bridging firewall (that has assigned an IP
> address to the bridge interface) can only be filtered on the bridge
> interface.
>
> I have now run into a problem with this. I am setting up a routing
> firewall with several DMZs, but for various reasons the DMZs use the
> same IP range as the internal net. I.e., the DMZs are bridged to the
> internal net, and the entire IP subnet is then routed to the external
> world.
>
[...]
>
> However, the above rules do not match packets sent from a machine with
> an illegal IP in the DMZ and destined for the firewall, because those
> packets only appear on bridge0. However, when I filter the packets on
> bridge0, I have no idea whether they arrived on the DMZ interface or on
> the internal interface.
>
> Is there any other possibility of finding out which member of a bridge
> an inbound packet has arrived on?

Yes, a new option was added to HEAD that allows this (pfil_local_phys);
it adds an additional packet filter call on the member interface for
local packets.

> P.S.: FreeBSD 6.2-RELEASE

It's not in 6.2 unfortunately but will be MFC'd in time for 6.3.


Andrew

Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
From: Tobias Ernst (Ukraine)
2007-10-02 04:34:00
Andrew Thompson wrote:

> Yes, a new option was added to HEAD that allows this (pfil_local_phys);
> it adds an additional packet filter call on the member interface for
> local packets.

> It's not in 6.2 unfortunately but will be MFC'd in time for 6.3.

Thank you very much for your quick and very useful response.

Hmm, I need to keep "supported" versions of FreeBSD on this machine. I
would be willing to go to STABLE now and then go back to 6.3 when it is
released, but going to CURRENT is probably too gross a violation of our
policy.

I will try the patch from kern/116051 on my 6.2 sources, though. The
description says that it has been tested on 6.2, and hopefully 6.3 will
be out by the time my setup goes into production.

Thanks again!

Regards
Tobias

-- 
Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT
70174 Stuttgart Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228             F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de  I http://www.casino.uni-stuttgart.de