FreeBSD bridge + filtering, BIG problem
cmoulin at simplerezo.com
Tue Nov 30 20:52:04 PST 2004
I'm afraid I have found a FreeBSD 5.x security issue.
We have recently upgraded one gateway from 4.10 to 5.3... Following network
On fw01, we have one jail.
So fw01 is configured as a bridge on xl1, xl0 and fxp0. Services work (before
and after the upgrade).
On 4.10, we used IPFilter as firewall and for network traffic accounting.
Since the upgrade, INCOMING traffic accounting does not work anymore (OUTGOING
Thinking this could be an IPFilter issue, and because we are planning to change
to the great OpenBSD pf, we have tried to do the accounting with pf... but the same
behaviour occurs (tests have been done with big files).
From/to    inet   fw01   jail   sr01   sr02
Internet   -      ok     ok     KO     KO
Fw01       ok     -      ok     ok     ok
Jail       ok     ok     -      ok     ok
Sr01       KO*    ok     ok     -      KO
Sr02       KO*    ok     ok     KO     -
* with pf enabled, scp connections go "stalled" very quickly (they stop between
100 and 300 KB of traffic)
Worst of all, the "default rule" accounting (any to any) does not report the
"unreported" traffic... it feels like the rules are not processed. So I decided to
make another test with pf.
Adding "block in quick proto tcp from any to [jail_port] port smtp";
Testing: works fine.
But with the same rule with sr01 as the destination host, IT DOESN'T WORK:
from the internet, fw01 or sr02, we can still connect to the tcp port
!!!!!!!!!!!!!!!!! It's not pf related, because the same behaviour occurs with
fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge,
nullfs and pf.
Sr01: FreeBSD 5.2.1, custom kernel
Sr02: FreeBSD 5.3, GENERIC kernel
set loginterface fxp1
#block in quick proto tcp from any to $sr01 port smtp
pass quick from any to $jail keep state label 0
pass quick from $jail to any keep state label 1
pass quick from any to $sr02 keep state label 6
pass quick from $sr02 to any keep state label 7
pass quick from any to $sr01 keep state label 10
pass quick from $sr01 to any keep state label 11
Seems to be related to FreeBSD 5.3 bridge support...
Can someone take a look at this? Thanks!
SimpleRezo - Simplify your network!
Tel.: +33 871 763 102 - Web: http://www.simplerezo.com/
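The symptom described in the post (outbound bytes accounted on a host's "from" label while its "to" label stays at zero, and scp sessions to that host stalling) is the kind of thing worth checking automatically after a bridge or firewall upgrade. The following is an added example, not code from the original post or from the FreeBSD or pf projects: it parses `pfctl -sl` label counters and flags bridged hosts whose inbound traffic never reaches pf. It assumes the four-column `label evaluations packets bytes` layout of `pfctl -sl` (later pf versions append in/out columns, which are ignored here), the host-to-label mapping of the poster's ruleset (labels 0/1 for the jail, 6/7 for sr02, 10/11 for sr01), and a constructed counter sample that is not real output from fw01.

```python
"""Reconcile pf label counters per bridged host.

Added example, not from the original post. Assumes `pfctl -sl` prints
`label evaluations packets bytes` (only the first four fields are used)
and that every host has one "to" label and one "from" label, as in the
poster's ruleset.
"""
from typing import Dict, List, NamedTuple, Tuple


class LabelStats(NamedTuple):
    evaluations: int
    packets: int
    bytes: int


# Host -> (label on "pass ... to $host", label on "pass ... from $host"),
# taken from the ruleset quoted in the post.
HOST_LABELS: Dict[str, Tuple[str, str]] = {
    "jail": ("0", "1"),
    "sr02": ("6", "7"),
    "sr01": ("10", "11"),
}

# Constructed `pfctl -sl` output (not real fw01 counters). The evaluation
# counts follow "quick" semantics: each packet is evaluated against rules
# in order until one matches. Traffic TO sr01/sr02 never shows up.
SAMPLE_PFCTL_SL = """\
0 3311 1301 52113488
1 2010 1188 4019032
6 822 0 0
7 822 612 318744
10 210 0 0
11 210 210 262144
"""


def parse_labels(text: str) -> Dict[str, LabelStats]:
    """Parse `pfctl -sl` output into {label: LabelStats}."""
    stats: Dict[str, LabelStats] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ev, pk, by = (int(f) for f in fields[1:4])
        except ValueError:
            continue  # header or malformed line
        stats[fields[0]] = LabelStats(ev, pk, by)
    return stats


def audit_hosts(
    stats: Dict[str, LabelStats],
    host_labels: Dict[str, Tuple[str, str]],
    min_out_bytes: int = 100_000,
) -> Dict[str, List[str]]:
    """Return {host: [problem, ...]} for hosts whose counters look wrong.

    A host that has sent at least `min_out_bytes` but has zero bytes on
    its "to" label is receiving traffic that pf never saw, which is the
    bridge-filtering failure the post describes. A missing label means
    the rule is not loaded at all.
    """
    findings: Dict[str, List[str]] = {}
    for host, (to_label, from_label) in host_labels.items():
        problems: List[str] = []
        inbound = stats.get(to_label)
        outbound = stats.get(from_label)
        if inbound is None:
            problems.append(f"label {to_label} (to {host}) missing from pfctl -sl")
        if outbound is None:
            problems.append(f"label {from_label} (from {host}) missing from pfctl -sl")
        if inbound is not None and outbound is not None:
            if outbound.bytes >= min_out_bytes and inbound.bytes == 0:
                problems.append(
                    f"{outbound.bytes} bytes from {host} but 0 bytes to it: "
                    f"inbound traffic is bypassing pf"
                )
        if problems:
            findings[host] = problems
    return findings


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample; returns the findings."""
    return audit_hosts(parse_labels(SAMPLE_PFCTL_SL), HOST_LABELS)


if __name__ == "__main__":
    for host, problems in sorted(audit_sample().items()):
        for p in problems:
            print(f"{host}: {p}")
```

On a live box the text would come from `subprocess.run(["pfctl", "-sl"], capture_output=True, text=True).stdout` instead of the embedded sample; the check deliberately keys on bytes rather than packets so that a handful of stray packets matched by a "to" rule does not hide a host whose bulk inbound traffic is skipping the filter.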