Filtering bridge plus router - further interface woes

Tobias Ernst tobi at casino.uni-stuttgart.de
Mon Oct 8 03:48:51 PDT 2007 

Dear list,

I have now applied the phys_local_phys patch on 6.2, which does its job
for inbound packets to the local firewall, but I am still not able to
see outbound packets on the physical interfaces.

As a reminder, my firewall is bridging between various logical segments
of our internal net, which consists of only 1 IP subnet, and is also
acting as a router for the entire external net:

bridge0 = em0, em1 (various logical segments of our internal net)
bridge0 has IP x.x.x.254 (gateway for our internal net)

em2 is the external interface and has IP x.x.y.123

I used "log-all" type rules to find out which interfaces the packets run
through from pf's perspective.

Let's consider a ssh connection from an outside computer O connected to
em2 to an inside computer I connected to em0.

Packets from O to I will appear, in order, on the interfaces
em2, bridge0
Packets from I to O will appear, in order, on the interfaces
em0, bridge0, em2

What I would like to have is to see the packet from O to I also on em0,
and I would not like to see bridge0 /at all/.

I have played around with the other sysctl variables. It turnes out,
that setting pfil_bridge to 0 makes "em2" disappear from the list above,
but bridge 0 remains, which I think is counter-intuitive or maybe even a
bug. Setting pfil_member to 0 does not make any difference.

Are there any further patches from -CURRENT that would make such a
behaviour possible?

Also, I wonder whether I could use "synproxy state" for connections from
O to I. I know that "synproxy state" does not work for bridges, but
those packets are arriving on em2 which is not member of the bridge and
are then being routed before being put on the bridge, so there should be
a possibility for proxying. However, packets still don't get through
when I change a "keep state" rule to "synproxy state".

TIA

Regards
Tobias

-- 
Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT
70174 Stuttgart Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228             F +49 (0)711 121-4276
E office at casino.uni-stuttgart.de  I http://www.casino.uni-stuttgart.de

More information about the freebsd-pf mailing list