Re: FreeBSD 14 Firewall Passes ALL traffic!
- Reply: Dan Lists : "Re: FreeBSD 14 Firewall Passes ALL traffic!"
- In reply to: Souji Thenria: "Re: FreeBSD 14 Firewall Passes ALL traffic!"
Date: Mon, 11 Aug 2025 14:40:36 UTC
On Fri, Aug 8, 2025 at 4:22 PM Souji Thenria <mail@souji-thenria.net> wrote:

> On Fri Aug 8, 2025 at 6:51 PM CEST, Dan Lists wrote:
> > On Fri, Aug 8, 2025 at 11:38 AM Souji Thenria <mail@souji-thenria.net> wrote:
> >
> >> On 8. Aug 2025, at 18:13, Dan Lists <lists.dan@gmail.com> wrote:
> >>
> >> We have a transparent (bridged) firewall that we have been using since
> >> around 2015, maybe earlier.
> >>
> >> After upgrading to FreeBSD 14 the firewall passes all traffic across the
> >> bridge! That is obviously VERY bad.
> >>
> >> The firewall does block traffic to the server itself, but not traffic
> >> passing on the bridge interface.
> >>
> >> I've tested the exact same rules on FreeBSD 12 and 13 and they work fine.
> >> I verified that the rules are the same, as well as the loaded kernel
> >> modules. I tried 14.0, 14.2, and 14.3 and all of them pass all traffic on
> >> the bridge interface.
> >>
> >> I looked at the release notes and I did not see anything that would cause
> >> this.
> >>
> >> I am at a loss on how to debug this.
> >>
> >> Please Help!
> >>
> >> Thanks
> >>
> >>
> >> Hi Dan,
> >>
> >> I hope this mail is not that badly formatted since I'm writing it on my
> >> phone.
> >>
> >> There was a change. There is also a post in the FreeBSD forum [0]. Based
> >> on that you need to set sysctl net.link.bridge.pfil_bridge=1.
> >>
> >> Regards,
> >> Souji
> >>
> >> [0] https://forums.freebsd.org/threads/pf-rule-not-working-after-upgrade-to-14-0.93874/
> >>
> >
> > Sorry, I should have mentioned that I've tried setting that and it still
> > doesn't work.
> >
> > I've tried some random things, and the problem seems to be using 'via
> > <interface>'.
> >
> > I have outside em1 <--> bridge0 <--> em2 outside.
> >
> > I have rules like "ipfw add deny log tcp from any to IP in via em1". The
> > idea is that I can block incoming traffic but allow outbound connections
> > with state. If I remove "in via em1" or change it to "[in] via bridge0"
> > it blocks incoming traffic but does not allow outbound traffic from IP.
>
> I'm not familiar with ipfw. However, if I understand you correctly, your
> firewall is not acting on the bridge interface itself, but rather on
> both "real" interfaces. I feel like this should be fairly
> straightforward.
>
> Maybe you can post your firewall rules here, and someone with more
> experience with ipfw can help.
>
> --
> Souji Thenria
> Website: www.souji-thenria.net

A stripped down version of the rules is attached. I have been using essentially
the same rules since FreeBSD 10, maybe 15+ years. I have tried the exact same
rule set on FreeBSD 12, 13, and 14.

With FreeBSD 14, anywhere in the world can connect to 12.34.56.78 on port 443.

If I change 'in via em1' to 'recv em1' it blocks incoming traffic but does not
allow outbound traffic with state. This is a change from previous behavior. I'm
not sure if it was intended or a consequence of some other change.

I'd like some help figuring out how to solve the problem.

Thanks again.
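The thread turns on two separate things: which if_bridge(4) filtering hooks are enabled (the forum advice in [0] covers only net.link.bridge.pfil_bridge), and which interface each ipfw rule names. Per if_bridge(4), a rule that matches on a member interface (em1, em2) can only see bridged frames when net.link.bridge.pfil_member is 1, while a rule that matches on the bridge interface itself needs net.link.bridge.pfil_bridge set to 1. The script below is an added diagnostic, not code from Dan or Souji: it reads `sysctl net.link.bridge` output and an `ipfw list` style ruleset and reports every `via`/`recv`/`xmit` rule whose interface cannot currently be filtered. The function name, the interface list and the sample sysctl and rule text are constructed for the example; on a live host, feed it the real command output instead.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread): cross-check an ipfw ruleset against
# the if_bridge(4) filtering sysctls. Interface names below are constructed to
# mirror the thread's em1 <--> bridge0 <--> em2 layout.

BRIDGE_IF=bridge0
MEMBER_IFS="em1 em2"

# Constructed stand-in for `sysctl net.link.bridge` output, with pfil_bridge
# already set to 1 as the forum post suggests but pfil_member still 0.
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_onlyip: 1'

# Constructed ruleset in `ipfw list` format, in the style of the thread.
SAMPLE_RULES='00100 deny log tcp from any to 12.34.56.78 443 in via em1
00200 allow tcp from 12.34.56.78 to any out via em1 setup keep-state
00300 allow ip from any to any via bridge0
00400 deny ip from any to any'

# check_bridge_rules SYSCTL_TEXT RULES_TEXT
# Prints one line per rule whose interface match can never fire under the given
# sysctls and returns 1; prints "ok" and returns 0 when every such rule is reachable.
check_bridge_rules() {
    pb=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.link.bridge.pfil_bridge" { print $2 + 0 }')
    pm=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.link.bridge.pfil_member" { print $2 + 0 }')
    printf '%s\n' "$2" | awk -v bridge="$BRIDGE_IF" -v members="$MEMBER_IFS" \
        -v pb="${pb:-0}" -v pm="${pm:-0}" '
        BEGIN { n = split(members, m, " "); for (i = 1; i <= n; i++) is_member[m[i]] = 1 }
        {
            bad = 0
            # ipfw interface options: "via IF" matches either direction,
            # "recv IF" / "xmit IF" match one side only; all name the next token.
            for (i = 1; i < NF; i++) {
                if ($i == "via" || $i == "recv" || $i == "xmit") {
                    ifn = $(i + 1)
                    if (ifn == bridge && pb == 0) {
                        printf "rule %s matches %s but pfil_bridge=0\n", $1, ifn; bad = 1
                    } else if (is_member[ifn] && pm == 0) {
                        printf "rule %s matches %s but pfil_member=0\n", $1, ifn; bad = 1
                    }
                }
            }
            if (bad) unreachable++
        }
        END { if (!unreachable) print "ok"; exit unreachable ? 1 : 0 }'
}

# Usage on a real host (uncomment):
#   check_bridge_rules "$(sysctl net.link.bridge)" "$(ipfw list)"
check_bridge_rules "$SAMPLE_SYSCTL" "$SAMPLE_RULES"
```

With the constructed input the script flags rules 00100 and 00200 (both name em1 while pfil_member is 0) and leaves 00300 alone because pfil_bridge is 1, which is exactly the split the thread describes: setting pfil_bridge alone makes bridge0 rules live but does nothing for rules written against the member interfaces. The script only reports; changing the sysctls is left to the administrator.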