In fact one_pass does not work with bridging;
it might be as simple as changing one line in bridge.c:
if (ip_fw_chk_ptr && bdg_ipfw != 0 && src != NULL) {
struct ip *ip ;
int i;
- if (rule != NULL) /* dummynet packet, already partially processed */
+ if (rule != NULL && fw_one_pass)
goto forward; /* HACK! I should obey the fw_one_pass */
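Review bot: the comment on the unchanged `goto forward;` line, "HACK! I should obey the fw_one_pass", is stale once the `+` line makes the condition `rule != NULL && fw_one_pass`; it should be dropped or changed to say that a dummynet-reinjected packet skips the firewall only when one_pass is set. Two things the fragment does not show and that need checking before this is tried: that `fw_one_pass` is actually visible in bridge.c (the hunk adds no declaration), and that the fall-through path when `fw_one_pass` is 0 hands the `rule` pointer on to the firewall check so the packet resumes at the rule after the pipe rather than starting again from the top, where it would match the pipe rule a second time.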
but I never had a chance to test it.
If you want to give this a try, I'd be glad to know how it works.
cheers
luigi
> Hi. I've got a filtering bridge running on FreeBSD 4.3 with ipfw and
> a customized rc.firewall config. The setup has been working well for
> a while now. I was unfortunately alerted to a hole after a box behind
> the firewall was cracked because ports that I thought were
> protected...weren't.
>
> It turns out that traffic to/from the machine in question was being
> passed through a pipe early in the rc.firewall config, and that the
> ipfw processing terminated when the packets came out of the pipe, so
> they never saw the rules farther down that would have dropped those
> packets headed for bad places.
>
> A-ha! "Easy" you say - just do
> sysctl -w net.inet.ip.fw.one_pass=0
> and according to the ipfw man page, that will cause the packets to be
> re-injected into the firewall when they come out of the pipe, starting
> where they left off. Well, this just doesn't seem to be taking
> effect!
>
> I've crawled through docs and mailing lists. Setting
> net.inet.ip.fw.one_pass seems to be the common solution, but a few
> other people have mentioned the same ineffectiveness of that, and then
> those threads just drop off. So I'm wondering if it's possible that,
> because the kernel is compiled with "options BRIDGE", that packets are
> strictly only going through the firewall rules once, and that
> net.inet.ip.fw.one_pass=0 isn't having an effect in this case?
>
> If my wondering is in error, I'm looking for suggestions about how to
> verify the behavior I'm seeing and how to achieve the desired result: to
> use pipes AND deny rules that come after. I'm happy to send along the
> particular rules, but wanted to see if the question could be answered
> using theory first.
>
> (This message addresses an issue similar to but separate from the "ipfw"
> thread on freebsd-questions started by Rick Norman on Sep 18. I also
> posted this message there.)
>
> Any help is much appreciated.
>
> Thanks,
> Chris
>
> -- Chris Hardie -----------------------------
> ----- mailto:[EMAIL PROTECTED] ----------
> -------- http://www.summersault.com/chris/ --
>
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-hackers" in the body of the message
>
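A constructed model of the rule walk described in the post, added here as illustration and not code from FreeBSD or from either poster: rule numbers, the sample packet and the `bridged`/`patched` switches are assumptions; re-injection with one_pass=0 is modelled as resuming at the rule after the pipe, as the ipfw man page quoted above describes, and the bridge path as the unconditional forward that the one-line change in the reply removes.

```python
# Constructed model of ipfw rule traversal around a dummynet pipe (not FreeBSD
# code). Shows why deny rules after a pipe are skipped with one_pass=1, reached
# with one_pass=0, and, on the unpatched bridge path, skipped regardless.

# A rule is (number, action, match); action is "allow", "deny" or "pipe".
RULES = [
    (100, "pipe", lambda p: p["dst"] == "10.0.0.5"),   # shaping pipe (constructed)
    (200, "deny", lambda p: p["dport"] == 23),          # block telnet (constructed)
    (65535, "allow", lambda p: True),                   # default accept (constructed)
]

def ipfw_chk(packet, rules, start_after=None):
    """Walk rules from the top, or from the rule after `start_after` when the
    packet is re-injected by dummynet. Returns (verdict, rule_number)."""
    started = start_after is None
    for number, action, match in rules:
        if not started:
            started = number == start_after   # skip up to and including the pipe rule
            continue
        if match(packet):
            return action, number
    return "deny", None   # nothing matched: treat as denied

def dummynet_reinject(packet, rules, pipe_rule, one_pass, bridged, patched):
    """What happens when the packet leaves the pipe created by `pipe_rule`.
    bridged/patched model the bridge.c path in the reply: before the fix a
    re-injected packet is forwarded without re-entering the firewall."""
    if one_pass:
        return "allow", pipe_rule            # one_pass=1: accepted after the pipe
    if bridged and not patched:
        return "allow", pipe_rule            # bridge.c: unconditional goto forward
    return ipfw_chk(packet, rules, start_after=pipe_rule)   # resume after the pipe

def process(packet, rules, one_pass=1, bridged=False, patched=False):
    """Full pass: first walk, then the pipe exit if a pipe rule matched."""
    verdict, number = ipfw_chk(packet, rules)
    if verdict == "pipe":
        verdict, number = dummynet_reinject(packet, rules, number,
                                            one_pass, bridged, patched)
    return verdict, number

TELNET = {"dst": "10.0.0.5", "dport": 23}   # constructed sample packet

if __name__ == "__main__":
    for cfg in [dict(one_pass=1), dict(one_pass=0),
                dict(one_pass=0, bridged=True),
                dict(one_pass=0, bridged=True, patched=True)]:
        print(cfg, "->", process(TELNET, RULES, **cfg))
```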