Possible bug in PF with if_bridge

Andrew Thompson thompsa at freebsd.org
Tue Dec 13 11:56:55 PST 2005


On Tue, Dec 13, 2005 at 06:07:46PM +0100, Michiel Kranenburg wrote:
> Hello all,
> 
> 
> I may have found a bug in PF (in combination with if_bridge) for
> FreeBSD6.0-RELEASE.
> 
> 
> The weird thing occurs when using PF to filter the bridge.
> Let me post my pf.conf first: (I did not post the declaration of variables
> on top of the conf) 
> 
> ---------------------------------------------
> scrub in all
> 
> block in log on bridge0 from any to $mynet
> block return-rst in log on bridge0 proto tcp from any to $mynet
> 
> pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
> pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
> 
> pass on lo0 all
[...]
> 
> Now comes the strange part:
> 
> Behind $web and $mail are running SSH-servers. As defined by the rules, I
> don't want to allow any connection from the outside to the SSH-servers.
> BUT, some hosts/ip-addresses can _still_ connect to the SSH-servers(!), and
> some _don't_ (as it is supposed to be).

You should probably be filtering on the member interfaces rather than
bridge0 if you are doing keep-state.

bridge0 has no direction, so packets travelling in one direction look the
same as the reverse path; this may be tripping up the stateful rules.

Can you try changing your pf rules to filter on xl1 and xl2 and see if
you get the same behaviour?


P.S. 6.0-RELEASE has an mbuf leak with if_bridge(4)+pfil(9); you may want
to go to RELENG_6.


cheers,
Andrew
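As an added illustration of the change Andrew suggests (this is constructed example configuration, not from either poster): the original bridge0 rules beside the same policy moved onto the member interfaces, where pf sees an in/out direction. It assumes xl1 is the member facing the outside and xl2 the member facing $mynet (the thread does not say which is which), and that $mynet, $web and $mail are the variables declared at the top of the poster's pf.conf.

```pf
# Constructed example, not the poster's pf.conf. Assumed roles:
#   xl1 = outside-facing bridge member, xl2 = inside ($mynet) member.
ext_if = "xl1"
int_if = "xl2"

# Original (problematic) form, kept here for comparison. bridge0 has no
# direction, so a state created by "keep state" can also match packets
# going the other way, which is the behaviour described in the thread.
#   block in log on bridge0 from any to $mynet
#   block return-rst in log on bridge0 proto tcp from any to $mynet
#   pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
#   pass out on bridge0 proto {tcp,udp} from $mynet to any keep state

# if_bridge(4) decides where pfil runs; filter on one layer only.
# Check the sysctl names and defaults in if_bridge(4) for your release:
#   sysctl net.link.bridge.pfil_member=1   # filter on xl1/xl2
#   sysctl net.link.bridge.pfil_bridge=0   # do not filter on bridge0 as well

scrub in all

# Default deny; log what is dropped. Outside-to-$mynet connections
# (SSH to $web and $mail included) hit this on $ext_if because nothing
# below passes them in.
block log all
block return-rst in log on $ext_if proto tcp from any to $mynet

# Hosts in $mynet talking to each other enter the bridge on $int_if.
pass in on $int_if proto { tcp, udp, icmp } from $mynet to $mynet keep state

# $mynet going out: state is created as the packet enters on $int_if
# and matched again as it leaves on $ext_if, so replies come back
# only for connections the inside hosts started.
pass in  on $int_if proto { tcp, udp } from $mynet to any keep state
pass out on $ext_if proto { tcp, udp } from $mynet to any keep state

pass on lo0 all
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then confirm with `pfctl -ss` that states are created on xl1/xl2 rather than bridge0.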

