Re: FreeBSD 14 Firewall Passes ALL traffic!
- In reply to: Dan Lists : "Re: FreeBSD 14 Firewall Passes ALL traffic!"
Date: Fri, 08 Aug 2025 17:09:45 UTC
On Fri, Aug 8, 2025 at 11:51 AM Dan Lists <lists.dan@gmail.com> wrote:

> On Fri, Aug 8, 2025 at 11:38 AM Souji Thenria <mail@souji-thenria.net> wrote:
>
>> On 8. Aug 2025, at 18:13, Dan Lists <lists.dan@gmail.com> wrote:
>>
>> We have a transparent (bridged) firewall that we have been using since around 2015, maybe earlier.
>>
>> After upgrading to FreeBSD 14 the firewall passes all traffic across the bridge! That is obviously VERY bad.
>>
>> The firewall does block traffic to the server itself, but not traffic passing on the bridge interface.
>>
>> I've tested the exact same rules on FreeBSD 12 and 13 and they work fine. I verified that the rules are the same, as well as the loaded kernel modules. I tried 14.0, 14.2, and 14.3 and all of them pass all traffic on the bridge interface.
>>
>> I looked at the release notes and I did not see anything that would cause this.
>>
>> I am at a loss on how to debug this.
>>
>> Please help!
>>
>> Thanks
>>
>>
>> Hi Dan,
>>
>> I hope this mail is not that badly formatted since I'm writing it on my phone.
>>
>> There was a change. There is also a post in the FreeBSD forum [0]. Based on that you need to set sysctl net.link.bridge.pfil_bridge=1.
>>
>> Regards,
>> Souji
>>
>> [0] https://forums.freebsd.org/threads/pf-rule-not-working-after-upgrade-to-14-0.93874/
>>
>
> Sorry, I should have mentioned that I've tried setting that and it still doesn't work.
>
> I've tried some random things, and the problem seems to be using 'via <interface>'.
>
> I have outside em1 <--> bridge0 <--> em2 outside.
>
> I have rules like "ipfw add deny log tcp from any to IP in via em1". The idea is that I can block incoming traffic but allow outbound connections with state. If I remove "in via em1" or change it to "[in] via bridge0" it blocks incoming traffic but does not allow outbound traffic from IP.
>
> Just found some weird log entries:
>
> Aug 8 11:37:18 hostname kernel: bridge0: mac address 00:11:22:33:44:55 vlan 50 moved from em2 to em1
> Aug 8 11:37:18 hostname kernel: bridge0: mac address 00:11:22:33:44:55 vlan 50 moved from em1 to em2
>
> Doesn't seem related, but it is weird.
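As an added check that is not code from anyone in this thread: if_bridge(4) hooks the packet filter on member interfaces (em1, em2) through net.link.bridge.pfil_member and on the bridge itself (bridge0) through net.link.bridge.pfil_bridge, so an ipfw rule that matches "via em1" is only evaluated for bridged frames when the member hook is on. The POSIX sh script below reads sysctl-style output and reports, per interface, whether rules written against it can see bridged traffic; the sysctl output is constructed to mirror the state described above (only pfil_bridge turned on), and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: map if_bridge(4) filter sysctls to the interface an ipfw
# 'via <ifname>' rule names, to see whether that rule is evaluated at all
# for frames crossing the bridge.
#
# SYSCTL_OUT is constructed sample output of
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
# on a host where only pfil_bridge has been enabled.
SYSCTL_OUT='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

# sysctl_val NAME OUTPUT: print the value recorded for NAME in OUTPUT
# (empty if the sysctl is absent from the output).
sysctl_val() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# hook_for IFNAME BRIDGE: print the sysctl that controls filtering on IFNAME.
hook_for() {
    if [ "$1" = "$2" ]; then
        echo net.link.bridge.pfil_bridge
    else
        echo net.link.bridge.pfil_member
    fi
}

# bridge_filter_check IFNAME BRIDGE OUTPUT
# exit 0: an ipfw 'via IFNAME' rule sees bridged frames
# exit 1: the hook for that interface class is off
# exit 2: the controlling sysctl is missing from OUTPUT
bridge_filter_check() {
    key=$(hook_for "$1" "$2")
    v=$(sysctl_val "$key" "$3")
    [ -n "$v" ] || return 2
    [ "$v" = "1" ]
}

# Report for the two interfaces the rules in the thread are written against.
for ifn in em1 bridge0; do
    if bridge_filter_check "$ifn" bridge0 "$SYSCTL_OUT"; then
        echo "rules 'via $ifn': evaluated for bridged frames"
    else
        echo "rules 'via $ifn': NOT evaluated (set $(hook_for "$ifn" bridge0)=1)"
    fi
done
```

With the constructed state, rules naming bridge0 are evaluated while rules naming em1 are not; on a real host, replace SYSCTL_OUT with the output of the sysctl command shown in the comment.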