Dom De Vitto wrote:

Problem
I've a filtering bridge, which connects in/out to another firewall
(yea, yea, paranoid I know) and the local lan.
I run snort on the various bits of network cable, watching the outside
and inside bridges, and cross-correlating.
My problem appears to be that there is only one state table in the
kernel for all PF connections, and so I need to ensure that only one
interface creates state table entries.
Hmmm. I'll explain by flow:
1) I send a tcp SYN from my PC to my PF-bridge on fxp0 (bridge0).
2) The bridge sends this to my firewall on fxp1 (bridge0).
3) The firewall sends this on to the PF-bridge on fxp2 (bridge1).
4) The bridge sends this to my gateway out of fxp3 (bridge1).

Now I can add pass rules, without keep state, on anywhere, but if I
put a keep state on an i/f on bridge0, naturally it sees the same
packet on bridge1 and drops it, because it's expecting a reply, not
a duplicate.

Does this sound "right", and does anyone know how I can get around
it? I'd like to keep state on all rules, if possible.

You're right, 2 bridges on the same machine cannot work with PF.
That was discussed before, without a conclusive solution.
I was in favor of tying states to interfaces, but there were objections.
Maybe we need a keyword like "lock" or "attach" or "tie" to attach
a state to a given interface, which would solve your problem (and
other problems).
Cedric
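An added pf.conf example, not from this thread, showing the interface-bound state that Cedric proposes; it uses the `set state-policy if-bound` option that later PF releases added for exactly this purpose. The interface names are Dom's; the LAN address is a constructed placeholder.

```pf
# Added example for the two-bridge layout: fxp0/fxp1 form bridge0,
# fxp2/fxp3 form bridge1. The network below is a constructed placeholder.
lan_net = "192.0.2.0/24"

# Bind every state to the interface it was created on. The SYN that
# bridge0 already holds a state for is then evaluated afresh on bridge1
# instead of being matched (and dropped) by bridge0's floating state.
set state-policy if-bound

block log all

# Flow steps 1 and 3: the SYN enters on fxp0 and again on fxp2, and each
# interface creates and owns its own state entry.
pass in on fxp0 proto tcp from $lan_net to any flags S/SA keep state
pass in on fxp2 proto tcp from $lan_net to any flags S/SA keep state

# Flow steps 2 and 4: the same SYN leaving on fxp1 and fxp3 also gets a
# per-interface state, so the SYN/ACK coming back is matched on each
# interface by the state that interface created, in the reverse direction.
pass out on fxp1 proto tcp from $lan_net to any flags S/SA keep state
pass out on fxp3 proto tcp from $lan_net to any flags S/SA keep state
```

The same binding can be applied per rule with `keep state (if-bound)` instead of globally.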