FreeBSD bridge + filtering, BIG problem

Clément MOULIN cmoulin at simplerezo.com
Tue Nov 30 20:52:04 PST 2004


Hi,

I'm afraid I have found a FreeBSD 5.X security issue.

We have recently upgraded one gateway from 4.10 to 5.3... The following
network is used:
 
[ISP]--xl1--[FW01]-----xl0--em0--[SR01]
                    |
                    |--fxp0--em0--[SR02]

On fw01, we have one jail.
 
So fw01 is configured as a bridge on xl1, xl0, fxp0. Services work (before
and after the upgrade).
On 4.10, we used IPFilter as firewall and for network traffic accounting.
Since upgrade, INCOMING traffic accounting does not work anymore (OUTGOING
working fine)...

Thinking this could be an ipfilter issue, and because we are planning to
change to the great OpenBSD pf, we have tried to do accounting with pf... but
the same behaviour occurs (tests have been done with big files).

From/to    inet    fw01    jail    sr01    sr02
Internet   -       ok      ok      KO      KO
Fw01       ok      -       ok      ok      ok
Jail       ok      ok      -       ok      ok
Sr01       KO*     ok      ok      -       KO
Sr02       KO*     ok      ok      KO      -

* with pf enabled, the scp connection goes "stalled" very quickly (stops between
100 and 300 KB of traffic)


Worst thing, the "default rule" accounting (any to any) does not report the
"unreported" traffic... it feels like the rules are not processed. So I decided
to make another test with pf.

Adding "block in quick proto tcp from any to [jail_port] port smtp";
Testing: works fine.
But with the same rule with sr01 as the destination host, IT DOESN'T WORK:
from the internet, fw01 or sr02, we can connect to the tcp port
!!!!!!!!!!!!!!!!! It's not pf related, because the same behaviour occurs with
IPF!!!!!!!!



Details
fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge,
nullfs and pf.
Sr01: FreeBSD 5.2.1, custom kernel
Sr02: FreeBSD 5.3, GENERIC kernel

------------------------------------pf.conf
set loginterface fxp1

jail=**IP**
sr01=**IP**
sr02=**IP**

#block in quick proto tcp from any to $sr01 port smtp

pass quick from any to $jail keep state label 0
pass quick from $jail to any keep state label 1
pass quick from any to $sr02 keep state label 6
pass quick from $sr02 to any keep state label 7
pass quick from any to $sr01 keep state label 10
pass quick from $sr01 to any keep state label 11

pass all
------------------------------------


Seems to be related to the FreeBSD 5.3 bridge support...
Can someone take a look at this? Thanks!


--
Clément Moulin
SimpleRezo - Simplifiez-vous le réseau !
Tél.: +33 871 763 102 - Web: http://www.simplerezo.com/
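To check label-based accounting of the kind set up in the pf.conf above, here is an added example (not from the original post) that parses constructed `pfctl -s labels` output and flags the two symptoms described: a host whose outgoing counter grows while its incoming counter stays at zero, and rules that are never evaluated at all. It assumes the output has at least the four columns `label evaluations packets bytes`; newer pfctl versions print extra in/out columns, which are ignored.

```python
# Label -> (host, direction) map mirroring the pf.conf labels in the post:
# "from any to $host" is traffic INTO the host, "from $host to any" is OUT.
LABELS = {
    "0": ("jail", "in"),  "1": ("jail", "out"),
    "6": ("sr02", "in"),  "7": ("sr02", "out"),
    "10": ("sr01", "in"), "11": ("sr01", "out"),
}

# Constructed sample of `pfctl -s labels` output (label evals pkts bytes).
SAMPLE = """\
0 8123 7512 5120000
1 8130 7990 6200000
6 0 0 0
7 4100 3900 3100000
10 0 0 0
11 5200 5000 4400000
"""


def parse_labels(text):
    """Return {label: {'evals', 'packets', 'bytes'}} from pfctl -s labels."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        counters[parts[0]] = {
            "evals": int(parts[1]),
            "packets": int(parts[2]),
            "bytes": int(parts[3]),
        }
    return counters


def per_host(counters):
    """Sum bytes per host and direction using the LABELS map."""
    hosts = {}
    for label, c in counters.items():
        if label in LABELS:
            host, direction = LABELS[label]
            hosts.setdefault(host, {"in": 0, "out": 0})[direction] += c["bytes"]
    return hosts


def suspicious_hosts(hosts, min_out=1000):
    """Hosts with real outgoing traffic but zero incoming: the reported symptom."""
    return sorted(h for h, d in hosts.items() if d["out"] >= min_out and d["in"] == 0)


def never_evaluated(counters):
    """Labels whose rule was never evaluated, i.e. packets never reached pf."""
    return sorted((l for l, c in counters.items() if c["evals"] == 0), key=int)
```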



