Gilberto Villani Brito wrote:
On 16/09/2007, Richard Coleman <[EMAIL PROTECTED]> wrote:
I'm setting up a filtering bridge and have a couple questions.
Hopefully someone here can help.  I've looked at all the docs online
(and lots of Google searches) but there isn't much recent info on
filtering bridges.

The setup is pretty simple: fxp0 is external and fxp1 is internal.

# rc.conf
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"

Question 1: In the Handbook section on bridging, it says that if you
need to set up an IP address, you should put it on the bridge interface
(bridge0).  But in the OpenBSD docs on filtering bridges, they say to
put it on the inside interface.  What are the consequences of doing it
either way?

Question 2: If I use the following pf.conf (should block everything
inbound, but allow everything outbound), I notice I'm still able to ssh
into the bridging firewall itself.  Why isn't that blocked?  I'm
guessing it's a consequence of the fact that I put an IP address on the
bridging interface, but I'm not sure.  What am I missing?

# pf.conf

# interfaces
ext_if="fxp0"
int_if="fxp1"

# options
set skip on lo0
set block-policy drop

# normalization
scrub in on $ext_if all
scrub out on $ext_if random-id

# external interface, inbound
# default is to block all inbound on external interface
block in log on $ext_if all

# external interface, outbound
block out log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# internal interface, inbound
pass in on $int_if all

# internal interface, outbound
pass out on $int_if all


Richard Coleman
[EMAIL PROTECTED]
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Hi Richard;
The first question I don't know, but the second I know.
You are blocking everything:
block in log on $ext_if all
block out log on $ext_if all
But here:
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
All the traffic going out is allowed, and PF reads all rules unless you
use quick to stop.
See here:
http://www.openbsd.org/faq/pf/filter.html#intro


There are no pass rules for inbound on the external interface. So the initial "block in" should win for inbound on the external interface. But I'm still able to remotely ssh into the bridge from outside the company. If this was a routing firewall, I'm pretty sure it would block the connection. I think it's something unique to bridging firewalls.

rc
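The two points raised in the thread (last matching rule wins unless `quick` is used, and the block on fxp0 not catching ssh to the bridge's own address) can be walked through with a small model. The script below is an added example, not code from the original mails or from the pf or FreeBSD projects. It parses the posted pf.conf and applies pf's evaluation order; for the bridge case it follows if_bridge(4), where a packet addressed to the bridge host's own IP (configured on bridge0) is filtered by pf as `in on bridge0`, and is additionally filtered on the member interface it arrived on only when the sysctl `net.link.bridge.pfil_local_phys` is set to 1 (its default is 0). Under those assumptions the posted ruleset, which has no rules on bridge0 at all, falls through to pf's default pass for ssh to the bridge address, which matches what Richard sees; setting `net.link.bridge.pfil_local_phys=1` in sysctl.conf makes the existing `block in on $ext_if` apply to that traffic as well. The packet cases at the bottom are constructed for the demonstration, and filter points for traffic transiting the bridge (`pfil_member`, `pfil_bridge`) are deliberately left out of the model.

```python
"""Simplified model of pf rule evaluation applied to the ruleset from the thread.

Added example; not code from the original mail or from the pf project.
pf semantics modelled: rules are evaluated top to bottom, the LAST matching
rule wins, a matching `quick` rule ends evaluation at once, and a packet
matching no rule is passed.  Bridge behaviour follows if_bridge(4): a packet
addressed to the bridge host's own IP (on bridge0) is filtered "in on bridge0",
and additionally "in on <member>" only when net.link.bridge.pfil_local_phys=1.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The ruleset posted in the thread (set/scrub lines are ignored by the model).
PF_CONF = """
ext_if="fxp0"
int_if="fxp1"
set skip on lo0
set block-policy drop
scrub in on $ext_if all
scrub out on $ext_if random-id
block in log on $ext_if all
block out log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if all
pass out on $int_if all
"""


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    iface: Optional[str]    # interface after "on"; None = any interface
    protos: frozenset       # protocols after "proto"; empty = any protocol
    quick: bool
    text: str


def parse_rules(conf: str) -> list:
    """Parse the subset of pf.conf syntax used in the thread: macro
    definitions and pass/block rules with optional quick, on <if>, proto."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)="([^"]*)"', line)
        if m:                                   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():      # macro expansion
            line = line.replace("$" + name, value)
        tok = line.split()
        if tok[0] not in ("pass", "block"):
            continue                            # set/scrub lines do not filter
        iface = tok[tok.index("on") + 1] if "on" in tok else None
        protos = frozenset()
        if "proto" in tok:
            i = tok.index("proto") + 1
            if tok[i] == "{":                   # proto { udp, icmp }
                protos = frozenset(t.strip(",") for t in tok[i + 1:tok.index("}")])
            else:
                protos = frozenset([tok[i]])
        rules.append(Rule(tok[0], tok[1], iface, protos, "quick" in tok, line))
    return rules


def evaluate(rules, direction, iface, proto):
    """Return (action, winning rule text or None) for one filter point."""
    winner = ("pass", None)                     # pf default when nothing matches
    for r in rules:
        if r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.protos and proto not in r.protos:
            continue
        winner = (r.action, r.text)             # later match overrides earlier
        if r.quick:
            break                               # quick: stop at this rule
    return winner


def ssh_to_bridge_host(rules, arriving_member, pfil_local_phys):
    """Is a TCP packet arriving on `arriving_member`, addressed to the bridge's
    own IP, passed?  It must pass at every filter point pf runs it through."""
    points = [("in", "bridge0", "tcp")]
    if pfil_local_phys:
        points.insert(0, ("in", arriving_member, "tcp"))
    verdicts = [evaluate(rules, *p) for p in points]
    return all(v[0] == "pass" for v in verdicts), verdicts


if __name__ == "__main__":
    rules = parse_rules(PF_CONF)
    # Gilberto's point: the later pass rule wins over "block out".
    print(evaluate(rules, "out", "fxp0", "tcp"))
    # Richard's point: nothing passes inbound on fxp0, so "block in" wins.
    print(evaluate(rules, "in", "fxp0", "tcp"))
    # ...but ssh to the bridge IP is only seen on bridge0 unless pfil_local_phys=1.
    print(ssh_to_bridge_host(rules, "fxp0", pfil_local_phys=0))
    print(ssh_to_bridge_host(rules, "fxp0", pfil_local_phys=1))
```

With `pfil_local_phys=0` the ssh case returns a pass with no winning rule (pf's default), while with `pfil_local_phys=1` the posted `block in log on fxp0 all` is applied and the connection is dropped; ssh arriving on fxp1 is still passed either way because of `pass in on fxp1 all`.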
