On Fri, Jul 18, 2003 at 12:23:51PM +0200, Uwe Reiher wrote:
> Hello everyone,
>
> I have a 3-legged OpenBSD bridge to protect my servers from outside. 2
> NICs are bridged, the 3rd has a private IP and is for the admin stuff.
>
> <wan router>----<sis0 bridge ne3>----<switch>----<server1>
>                          ep1
>                           |
>                           |
>                    <internal network>
>
> What I found is that every dropped or rejected packet from sis0 comes
> out to ep1, but reverse. My question is - what am I doing wrong in this setup?
I assume you didn't assign any addresses to sis0 and ne3, but have an address on ep1 and a default route through ep1 (or the address/netmask for ep1 includes <wan router> and <server1>).

When pf generates a packet (like for return-rst/-icmp, which you are using through 'set block-policy return'), it passes it to the TCP/IP stack for delivery. The stack consults the routing table to decide what interface to send the packet out through (based on the destination IP address). Without addresses/netmasks on sis0/ne3, there are no routing table entries for <wan router> and <server1>, and the stack is sending the TCP RSTs and ICMP errors generated by pf out through the default route, which I guess is ep1 in your setup (ifconfig -a, route -n show).

I assume that's what you meant with "but reverse": you're seeing the pf generated replies to blocked packets (and not the blocked packets themselves).

Either disable return-rst/-icmp, or add routing table entries for hosts you want to send block replies to. If you have separate networks (unique netblocks) on the sis0 and ne3 sides, the simplest solution is to assign an address in the respective netblock to sis0 and ne3, just for this purpose.

Daniel
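The routing-table lookup Daniel describes, as an added illustration that is not part of the original thread: a longest-prefix match over a constructed table shows the pf-generated RST/ICMP reply leaving through the default route (ep1) while only ep1 has an address, and through sis0/ne3 once those interfaces are given addresses in their netblocks. The netblocks and host addresses are assumptions chosen for the example; the original mail names none.

```python
import ipaddress

# Constructed model of the 3-legged bridge from the thread.
# All addresses/netblocks below are assumptions for illustration only.
WAN_ROUTER = "192.0.2.1"        # host behind sis0 (assumed)
SERVER1 = "198.51.100.10"       # host behind ne3 (assumed)

# Before: only ep1 has an address, plus a default route through ep1.
ROUTES_BEFORE = [
    ("10.0.0.0/24", "ep1"),     # ep1's connected network (assumed)
    ("0.0.0.0/0", "ep1"),       # default route
]

# After: sis0 and ne3 get addresses in their respective netblocks,
# which adds connected routes covering <wan router> and <server1>.
ROUTES_AFTER = ROUTES_BEFORE + [
    ("192.0.2.0/24", "sis0"),       # WAN-side netblock (assumed)
    ("198.51.100.0/24", "ne3"),     # server-side netblock (assumed)
]


def lookup(routes, dst):
    """Longest-prefix match, as the IP stack does for any locally
    generated packet. routes: list of (network, interface)."""
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reply_interface(routes, blocked_src):
    """Interface through which pf's return-rst / return-icmp reply to a
    packet from blocked_src leaves: the reply is addressed back to
    blocked_src, so it follows the route for that address."""
    return lookup(routes, blocked_src)


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for host in (WAN_ROUTER, SERVER1):
            print(f"{label}: reply to {host} leaves via {reply_interface(table, host)}")
```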
