packet filter problem on transparent firewall using bridge and pf
ProAce
proace at gmail.com
Wed Jun 20 09:27:58 UTC 2012
I have some trouble with pf on a FreeBSD bridge.
Network topology:
( untrust ) -- { em0 , bridge0 , em1 } -- ( trust )
Bridge Network: 10.1.1.0/24
bridge0 IP: 10.1.1.1 ( freebsd's ip )
default gw: 10.1.1.254 ( in untrust area )
server: 10.1.1.101 ~ 200 ( in trust area )
pf.conf on FreeBSD:
serv1="10.1.1.101"
client1="10.1.6.73"
# default deny in both directions
block in all
block out all
# loopback is always allowed
pass in quick on lo0 all
pass out quick on lo0 all
# the bridge subnet may talk to anything, filtered on bridge0
pass in quick on bridge0 from 10.1.1.0/24 to any
pass out quick on bridge0 from 10.1.1.0/24 to any
# client1 (outside the subnet) may reach the FreeBSD host and serv1
pass in quick on bridge0 from $client1 to 10.1.1.1
pass in quick on bridge0 from $client1 to $serv1
When I turn pf on, I test some connections:
1. client1 cannot connect to serv1.
2. gw cannot connect to serv1.
3. client1 connects to FreeBSD (10.1.1.1) successfully.
4. gw connects to FreeBSD (10.1.1.1) successfully.
If I turn pf off, all connection tests succeed.
What's wrong with the pf rules?
The following is a description of the bridge topology.
FreeBSD and the servers are VMware guests on VMware ESXi.
The ESXi host has two virtual switches:
vSw1: connects to untrust
vSw2: interconnects FreeBSD and the servers
FreeBSD has two vNICs:
em0: connects to vSw1
em1: connects to vSw2
The servers have only one vNIC:
em0: connects to vSw2
FreeBSD's rc.conf:
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.1.1.1 netmask 255.255.255.0 addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"
pf_enable="YES"
pf_rules="/etc/pf.conf"
FreeBSD's sysctl:
net.link.bridge.ipfw: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
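An added example, not part of the original post or any reply in the thread, showing the two usual ways to make a rule set like this work on an if_bridge(4) bridge. It rests on the documented semantics of the sysctls listed above: with net.link.bridge.pfil_member=1, a frame forwarded between em0 and em1 is filtered on the member interfaces as well as on bridge0, and the posted rule set has nothing but "block in all" / "block out all" for em0 and em1; with net.link.bridge.pfil_local_phys=0, a frame addressed to the host's own 10.1.1.1 is filtered on bridge0 only, where the "pass ... on bridge0" rules do match. That is consistent with all four results reported (forwarded traffic to serv1 fails, traffic to 10.1.1.1 succeeds), but it is the editor's reading of the manual page, not something the thread confirms. The macros, addresses and interface names are taken from the post; the "log" keywords are an addition so that blocked packets show up on pflog0.

```conf
# /etc/pf.conf (added example, same macros and addresses as the post)
serv1="10.1.1.101"
client1="10.1.6.73"

# Default deny, logged so "tcpdump -n -e -ttt -i pflog0" shows which
# interface a drop happened on (needs pflog_enable="YES" in rc.conf).
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

# Option A (simplest): evaluate forwarded frames on bridge0 only.
# Set, and persist in /etc/sysctl.conf:
#   net.link.bridge.pfil_member=0
#   net.link.bridge.pfil_bridge=1
# Then the bridge0 rules below are the whole policy and em0/em1 are
# never consulted for forwarded or locally destined traffic.

# Option B: keep pfil_member=1 and let the member interfaces pass
# everything, so policy still lives on bridge0. Use A or B, not both.
pass quick on { em0 em1 } all

# Policy on the bridge interface (unchanged from the post).
pass in quick on bridge0 from 10.1.1.0/24 to any
pass out quick on bridge0 from 10.1.1.0/24 to any
pass in quick on bridge0 from $client1 to 10.1.1.1
pass in quick on bridge0 from $client1 to $serv1
```

Before loading, check the file with "pfctl -nf /etc/pf.conf", load it with "pfctl -f /etc/pf.conf", and repeat the four connection tests while watching "pfctl -vvsr" (per-rule packet counters) and the pflog0 tcpdump. A logged drop that names em0 or em1 rather than bridge0 is the symptom the sysctl explanation above predicts; a drop on bridge0 would point at the bridge0 rules themselves instead.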