Hello misc,
I noticed a strange behaviour with pf, when having three interfaces
connected with a bridge(4) device, where two are assigned to the group
wlan and one to no group at all. I have two WLAN interfaces, athn0 and
athn1, and three wired interfaces, re0 to re2. (re2 is not used ATM.)
re0 is connected to my ISP router, re1 to a switch to provide NAT and
DHCP for my LAN. However, if re1 is not assigned to any group, DHCP
requests will be blocked by pf, and those from athnN will pass.
Here is the output of ifconfig (with re1 being in the "test" group, so
that DHCP is working for my client):
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
priority: 0
groups: lo
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:3f:e2:e4
priority: 0
groups: external egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:3f:e2:e5
priority: 0
groups: test
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
re2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:3f:e2:e6
priority: 0
media: Ethernet autoselect (10baseT half-duplex)
status: no carrier
athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 04:f0:21:17:36:e4
priority: 4
groups: wlan
media: IEEE802.11 autoselect (autoselect mode 11a hostap)
status: active
ieee80211: nwid obsd50 chan 44 bssid 04:f0:21:17:36:e4 wpakey <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
athn1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 04:f0:21:17:40:76
priority: 4
groups: wlan
media: IEEE802.11 autoselect (autoselect mode 11g hostap)
status: active
ieee80211: nwid obsd24 chan 1 bssid 04:f0:21:17:40:76 wpakey <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
enc0: flags=0<>
priority: 0
groups: enc
status: active
vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr fe:e1:ba:d0:fa:76
priority: 0
groups: vether internal
media: Ethernet autoselect
status: active
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
bridge0: flags=41<UP,RUNNING>
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
re1 flags=3<LEARNING,DISCOVER>
port 2 ifpriority 0 ifcost 0
athn0 flags=3<LEARNING,DISCOVER>
port 4 ifpriority 0 ifcost 0
athn1 flags=3<LEARNING,DISCOVER>
port 5 ifp
vether0 flags=3<LEARNING,DISCOVER>
port 8 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
priority: 0
groups: pflog
In the hostname.athnN files, there is:
# cat /etc/hostname.athn0
media autoselect mode 11a mediaopt hostap
chan CHAN
nwid NWID
wpakey WPAKEY
up
My pf rules file:
# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
### some macros ###
client_out = "{ ssh, domain, imap, imaps, auth, nntp, http, https, cvspserver, submission }"
udp_services = "{ ssh, domain, ntp, bootps, bootpc }"
icmp_types = "{ echoreq, echorep, unreach }"
### clean network traffic ###
set skip on lo
match in scrub (no-df max-mss 1440)
antispoof quick for { external, internal }
### bruteforce table ###
table <bruteforce> persist
block drop quick from <bruteforce>
### icmp rules ###
pass quick log (all) inet proto icmp all icmp-type $icmp_types
### block all by default ###
block drop log
block return log (all) from internal:network
### high priority for dns requests ###
match out proto { tcp, udp } to port domain set prio (6, 7)
### rules for firewall ###
# allow dns requests
pass quick on external inet proto { tcp, udp } from self to port domain
pass quick inet proto { tcp, udp } to port domain
# allow incoming ssh connections with bruteforce protection
pass quick log inet proto { tcp, udp } to 192.168.0.10 port ssh keep state \
	(max-src-conn 15, max-src-conn-rate 3/15, overload <bruteforce> flush global)
### rules for internal network ###
pass inet proto { tcp, udp } from internal:network to port $udp_services
pass inet proto udp from internal:network to port 33433:33626
pass inet proto tcp from internal:network to port $client_out
### nat from internal network ###
match out on external inet from internal:network to any nat-to (external:0)
So, if I specify a group for re1, everything is working as expected.
However, if re1 is not a member of any group, DHCP requests are blocked
by pf, as tcpdump shows. Is this intended behaviour? Or have I done
something wrong in my ruleset?
Best regards,
Clemens
PS: please cc me, I read this list on a website only.
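As an added diagnostic for the situation described above (my own script, not part of the post), this parses ifconfig output and lists every bridge(4) member port that belongs to no interface group, which is exactly the state re1 is in when DHCP stops passing. The embedded sample is a constructed, trimmed copy of the ifconfig output quoted above with re1's "test" group removed; the regexes assume OpenBSD's ifconfig layout (interface lines unindented, everything else indented).

```python
import re
# Constructed sample: trimmed copy of the post's ifconfig output, with re1 in no group.
IFCONFIG_OUTPUT = """\
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        groups: external egress
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        groups: wlan
athn1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        groups: wlan
vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        groups: vether internal
bridge0: flags=41<UP,RUNNING>
        groups: bridge
        re1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        athn0 flags=3<LEARNING,DISCOVER>
        athn1 flags=3<LEARNING,DISCOVER>
        vether0 flags=3<LEARNING,DISCOVER>
"""
IFACE_RE = re.compile(r"^(\S+): flags=")      # unindented line: a new interface
MEMBER_RE = re.compile(r"^(\S+) flags=\d+<")  # indented under a bridge: a member port

def parse_ifconfig(text):
    """Return (groups, bridges): ifname -> set of groups, bridge -> [member ports]."""
    groups, bridges, current = {}, {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, set())
            if current.startswith("bridge"):
                bridges[current] = []
            continue
        if current is None:
            continue
        body = line.strip()
        if body.startswith("groups:"):
            groups[current].update(body.split()[1:])
        elif current in bridges:
            m = MEMBER_RE.match(body)
            if m:
                bridges[current].append(m.group(1))
    return groups, bridges

def ungrouped_bridge_members(text):
    """Bridge ports in no interface group: no group-keyed pf rule can match them."""
    groups, bridges = parse_ifconfig(text)
    return {br: [p for p in ports if not groups.get(p)] for br, ports in bridges.items()}
```

Feed it the live output with `ungrouped_bridge_members(subprocess.check_output(["ifconfig"], text=True))`; an empty list per bridge means every port is covered by at least one group.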