OpenBSD's PF with a bridge on FreeBSD 6.x
Bruce A. Mah
bmah at freebsd.org
Tue Nov 29 02:12:09 GMT 2005
If memory serves me right, Michiel Kranenburg wrote:
> I’m currently running FreeBSD 6.0-RELEASE.
>
> I have 2 ethernet-cards running in promisc mode that should bridge my ISP
> modem with my switch.
>
> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> options=9<RXCSUM,VLAN_MTU>
> inet6 fe80::201:2ff:fe09:84f3%xl0 prefixlen 64 scopeid 0x1
> inet 145.99.138.82 netmask 0xfffffff0 broadcast 145.99.138.95
> inet 145.99.138.83 netmask 0xfffffff0 broadcast 145.99.138.95
> ether 00:01:02:09:84:f3
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> xl2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> options=9<RXCSUM,VLAN_MTU>
> inet6 fe80::250:4ff:fe55:2852%xl2 prefixlen 64 scopeid 0x3
> ether 00:50:04:55:28:52
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
Are you doing bridge(4) or if_bridge(4)? For 6.0, I highly recommend
the latter; the integration with packet filters (such as PF) works out a
lot better. To wit: with if_bridge(4), your physical interfaces xl0
and xl2 are unnumbered and you assign IPv4/IPv6 addresses to a new
pseudo-interface bridge0. You can use PF rules on bridge0 to filter
packets addressed to/from the bridging machine. You can also define PF
rules on the physical interfaces to filter packets passing through the
bridge.
I believe that bridge(4) is deprecated in 6.X and will be removed in
7.X.
> Currently this is my situation:
>
> ( Internet (/28) ) <-> ( xl0 ) <bridge> ( xl2 ) <-> ( switches ) <-> (
> clients )
>
> The problem is that I want PF (OpenBSD’s Packet Filter) to firewall my
> server and the bridge (for the clients).
> The packet filter works great for the server, it handles packets that are
> defined in the ruleset perfectly.
>
> The real problem relies on filtering the bridge, PF passes all traffic to
> the bridge _even_ when some kind of traffic is blocked on xl0. (So it
> shouldn’t be on the network anyway)
>
> Can someone help me to get filtering on the bridge to work?
I'm doing something similar to this with no problems, using PF and
if_bridge(4).
Where is your "server" in the ASCII art above? You might need to give
some more details (such as the ruleset you're using).
If you use if_bridge, you want to make sure that both of the
net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctl
variables are set to 1. (Or at least something non-zero?) Finally you
might want to look at the 6.0 errata for an item about a kernel memory
leak when running if_bridge with a packet filter.
Good luck,
Bruce.
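An added example, not from the thread, of the if_bridge(4) layout and the sysctl check Bruce describes: the interface names xl0/xl2 and the 145.99.138.80/28 block are taken from Michiel's ifconfig output, while the rc.conf, sysctl.conf and pf.conf fragments are an assumed minimal policy written for illustration, not Michiel's ruleset.

```shell
# Added example, not from the thread: the if_bridge(4)+PF layout Bruce
# describes, plus a check for the two sysctls he says must be non-zero.
# xl0, xl2 and the 145.99.138.80/28 block come from Michiel's ifconfig
# output; the pf rules are an assumed minimal policy, not his ruleset.

# Return 0 if both pfil_bridge and pfil_member are non-zero in the given
# sysctl output. On the host: bridge_pfil_enabled "$(sysctl net.link.bridge)"
bridge_pfil_enabled() {
    _b=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_bridge: *//p')
    _m=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_member: *//p')
    case "$_b:$_m" in
        :*|*:|0:*|*:0) return 1 ;;   # missing or zero: bridged traffic bypasses PF
    esac
    return 0
}

# Constructed sample of `sysctl net.link.bridge` output on a box where only
# the bridge0 pseudo-interface is filtered; traffic through the bridge is not.
SAMPLE_MEMBER_OFF='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0'

# Write the config fragments into a scratch directory ($1) rather than /etc,
# so they can be reviewed before being merged into the real files.
write_bridge_config() {
    cat > "$1/rc.conf.frag" <<'EOF'
cloned_interfaces="bridge0"
ifconfig_xl0="up"
ifconfig_xl2="up"
ifconfig_bridge0="addm xl0 addm xl2 inet 145.99.138.82 netmask 255.255.255.240 up"
pf_enable="YES"
EOF
    cat > "$1/sysctl.conf.frag" <<'EOF'
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1
EOF
    cat > "$1/pf.conf.frag" <<'EOF'
ext_if = "xl0"
int_if = "xl2"
br_if  = "bridge0"
set skip on lo0
block in log all
# Traffic to or from the bridging host itself is seen on bridge0.
pass in on $br_if proto tcp from any to ($br_if) port 22 keep state
pass out on $br_if keep state
# Traffic passing through the bridge is seen on the member interfaces.
pass in on $int_if keep state
pass in on $ext_if proto tcp from any to 145.99.138.80/28 port { 80 443 } keep state
pass out on { $ext_if $int_if } keep state
EOF
}
```

The "pass out ... keep state" rules on the members matter: a state created by the "pass in" on one member does not cover the same packet leaving the other member, so without them the reply would fall through to "block in".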