Questions about filtering bridges
Andrew Thompson
thompsa at FreeBSD.org
Mon Sep 17 13:43:33 PDT 2007
On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
> I'm setting up a filtering bridge and have a couple questions.
> Hopefully someone here can help. I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
>
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
>
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 64.45.160.194/28 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
>
> Question 1: In the Handbook section on bridging, it says that if you
> need to setup an ip address, you should put it on the bridge interface
> (bridge0). But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface. What are the consequences of doing it
> either way?
OpenBSD does not support adding an IP address to a bridge interface so
they do not have a choice here. Assigning the IP to the bridge is the
correct way to do it as it is the central piece of the setup.
> Questions 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself. Why isn't that blocked? I'm
> guessing it's a consequence of the fact that I put an ip address on the
> bridging interface, but I'm not sure. What am I missing?
>
> # pf.conf
>
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
>
> # options
> set skip on lo0
> set block-policy drop
>
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
>
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all
This is because the _bridge_ is the interface that the packet arrives
on. Think of the bridge as a fully functioning interface; what you need
is:
bridge_if="bridge0"
block in log on $bridge_if all
regards,
Andrew
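To show what the advice above looks like in a full ruleset, here is an added pf.conf example (not from the original thread) that filters on bridge0 instead of the member NICs. The inside network 64.45.160.192/28 and the sysctl names from if_bridge(4) are assumptions; the interfaces and the 64.45.160.194 address are the ones from the original post.

```pf
# pf.conf for a filtering bridge (added example).
# Set in /etc/sysctl.conf so frames are filtered once, on bridge0 only:
#   net.link.bridge.pfil_bridge=1
#   net.link.bridge.pfil_member=0

ext_if="fxp0"
int_if="fxp1"
bridge_if="bridge0"
bridge_addr="64.45.160.194"
int_net="64.45.160.192/28"          # assumed inside network

set skip on lo0
set block-policy drop

# normalization now happens on the bridge, where packets actually arrive
scrub in on $bridge_if all
scrub out on $bridge_if random-id

# default: drop and log everything arriving on the bridge,
# including connections to the bridge's own address
block in log on $bridge_if all

# Caveat: "in on bridge0" covers frames from both fxp0 and fxp1, so the
# rules below distinguish inside from outside by source address only.
# Inside hosts may go anywhere; state lets replies back past the block.
pass in on $bridge_if from $int_net to any keep state

# ssh to the bridge itself only from the inside network
pass in on $bridge_if proto tcp from $int_net to $bridge_addr port ssh keep state

pass out on $bridge_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`.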