Questions about filtering bridges
Richard Coleman
rcoleman at criticalmagic.com
Mon Sep 17 13:38:35 PDT 2007
Andrew Thompson wrote:
> On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
>
>> I'm setting up a filtering bridge and have a couple questions.
>> Hopefully someone here can help. I've looked at all the docs online
>> (and lots of Google searches) but there isn't much recent info on
>> filtering bridges.
>>
>> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>>
>> # rc.conf
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
>> ifconfig_fxp0="up"
>> ifconfig_fxp1="up"
>>
>> Question 1: In the Handbook section on bridging, it says that if you
>> need to setup an ip address, you should put it on the bridge interface
>> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
>> put it on the inside interface. What are the consequences of doing it
>> either way?
>>
>
> OpenBSD does not support adding an IP address to a bridge interface so
> they do not have a choice here. Assigning the IP to the bridge is the
> correct way to do it as it is the central piece of the setup.
>
>
>> Questions 2: If I use the following pf.conf (should block everything
>> inbound, but allow everything outbound), I notice I'm still able to ssh
>> into the bridging firewall itself. Why isn't that blocked? I'm
>> guessing it's a consequence of the fact that I put an ip address on the
>> bridging interface, but I'm not sure. What am I missing?
>>
>> # pf.conf
>>
>> # interfaces
>> ext_if="fxp0"
>> int_if="fxp1"
>>
>> # options
>> set skip on lo0
>> set block-policy drop
>>
>> # normalization
>> scrub in on $ext_if all
>> scrub out on $ext_if random-id
>>
>> # external interface, inbound
>> # default is to block all inbound on external interface
>> block in log on $ext_if all
>>
>
> This is because the _bridge_ is the interface that the packet arrives
> on. Think of the bridge as a fully functioning interface, what you need
> is:
>
> bridge_if="bridge0"
> block in log on $bridge_if all
>
>
> regards,
> Andrew
>
I was confused because the if_bridge(4) man page (for 6.2) says that
traffic always passes first through the originating interface (which I
took to be the external physical interface), then passes through the
bridge interface, and then through all appropriate outbound interfaces.
So I assumed a block rule for the first physical interface would
prevent the packet from ever reaching the bridge interface.
Given that wording, I was confused why you would ever need to filter on
the bridge interface itself.
Thanks for the help.
Richard Coleman
rcoleman at criticalmagic.com
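As an added example (not from this thread), here is a complete pf.conf for the bridge described above that closes the gap Andrew points out: traffic addressed to the bridge host itself is seen by pf "in on bridge0", so it needs its own rules. It assumes the rc.conf from the message (fxp0 external, fxp1 internal, the /28 address on bridge0), keeps if_bridge(4)'s default net.link.bridge.pfil_member=1 but sets net.link.bridge.pfil_bridge=0 in sysctl.conf so forwarded traffic is filtered only on the member interfaces, and uses a placeholder admin host.

```pf
# pf.conf for a filtering bridge (added example, not from the thread).
# Assumed sysctl.conf:  net.link.bridge.pfil_member=1
#                       net.link.bridge.pfil_bridge=0
# Forwarded packets are then filtered on fxp0/fxp1 only, while packets
# addressed to the firewall's own IP still arrive "in on bridge0".

# interfaces
ext_if="fxp0"
int_if="fxp1"
bridge_if="bridge0"
bridge_ip="64.45.160.194"          # address from the rc.conf above
admin_host="192.0.2.10"            # placeholder: the only host allowed to ssh in

# options
set skip on lo0
set block-policy drop

# normalization
scrub in on $ext_if all
scrub out on $ext_if random-id

# --- traffic to the firewall itself (arrives on bridge0) ---
# This is the rule the original pf.conf was missing: "block in on fxp0"
# never sees packets destined for the bridge address.
block in log on $bridge_if all
pass in on $bridge_if proto tcp from $admin_host to $bridge_ip port ssh \
    flags S/SA keep state

# --- forwarded traffic (filtered on the member interfaces) ---
# default is to block all inbound on the external interface
block in log on $ext_if all
# inside hosts may initiate anything; state allows the replies back in
pass in on $int_if all keep state
pass out on $ext_if all keep state
```

Check the result with `pfctl -vsr` to see the rules pf loaded, and `sysctl net.link.bridge` to confirm the pfil settings actually in effect.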