On Jun 16, 2008, at 8:05 AM, Rene van Hoek wrote:
On Jun 16, 2008, at 7:42 AM, Rene van Hoek wrote:
On Jun 16, 2008, at 5:55 AM, Darren Reed wrote:
Rene van Hoek wrote:
<cut>
<cut>
The output of sysctl net.link.bridge is as follows:
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
According to the FreeBSD manual page IF_BRIDGE(4) (quote):
'net.link.bridge.pfil_member   Set to 1 to enable filtering on the incoming
                               and outgoing member interfaces, set to 0 to
                               disable it.
 net.link.bridge.pfil_bridge   Set to 1 to enable filtering on the bridge
                               interface, set to 0 to disable it.
'
Should I set net.link.bridge.pfil_bridge to 0 and
net.link.bridge.pfil_member to 1 ?
Greetings,
Rene van Hoek
Hi,
I set up a test environment to diagnose this issue.
A FreeBSD 7 RELEASE system with IP Filter v4.1.28, configured as a bridge:
evil client 192.168.0.105 <-----> xl0 - firewall - xl1 <----> server 192.168.0.207
The network-interfaces configuration is:
$ ifconfig
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:01:03:2a:5a:7b
        inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:0b:db:25:8b:48
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether b6:7c:78:79:32:55
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: xl1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: xl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
With $ sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
When I now do an ssh connection from 192.168.0.105, the ipfstat -t
output shows two connections with the same source ip,port <--> dest ip,port:
Source IP             Destination IP      ST   PR  #pkts  #bytes  ttl
192.168.0.105,51128   192.168.0.50,22     4/4  tcp 2736   164096  119:59:59
192.168.0.105,51154   192.168.0.207,22    4/4  tcp 61     6808    119:59:44
192.168.0.105,51154   192.168.0.207,22    4/4  tcp 32     3500    119:59:44
With $ sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
When I now do an ssh connection from 192.168.0.105, the ipfstat -t
output shows one connection with the same source ip,port <--> dest ip,port:
Source IP             Destination IP      ST   PR  #pkts  #bytes  ttl
192.168.0.105,51128   192.168.0.50,22     4/4  tcp 2877   173220  119:59:59
192.168.0.105,51155   192.168.0.207,22    4/4  tcp 54     6456    119:59:43
So, that is expected behavior :-)
I think it is wise to include this in the documentation or FAQ or
something. It is pretty easy to miss on a busy firewall.
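The symptom described in this thread (a second state-table entry for the same source and destination ip,port pair whenever both net.link.bridge.pfil_member and net.link.bridge.pfil_bridge are 1) is easy to overlook on a busy firewall. The script below is an added example, not code from this thread or from IP Filter: it parses captured `sysctl net.link.bridge` and `ipfstat -t` text, reports state entries that occur more than once, and relates them to the two bridge filtering knobs. The sample inputs are constructed to mirror the thread's output; the function names are my own.

```python
"""Spot duplicate IP Filter state entries caused by bridge double-filtering.

Works on captured text so it runs offline: feed it the output of
`sysctl net.link.bridge` and `ipfstat -t` saved to files, or the
constructed samples below, which mirror the thread's observations.
"""
from collections import Counter

# Constructed sample: sysctl net.link.bridge with both filtering knobs on.
SYSCTL_OUTPUT = """\
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
"""

# Constructed sample: ipfstat -t state table, one entry per line.
IPFSTAT_OUTPUT = """\
Source IP             Destination IP      ST   PR  #pkts  #bytes  ttl
192.168.0.105,51128   192.168.0.50,22     4/4  tcp 2736   164096  119:59:59
192.168.0.105,51154   192.168.0.207,22    4/4  tcp 61     6808    119:59:44
192.168.0.105,51154   192.168.0.207,22    4/4  tcp 32     3500    119:59:44
"""


def parse_sysctl(text):
    """Return {oid: int} for every 'oid: integer' line; other lines are ignored."""
    knobs = {}
    for line in text.splitlines():
        oid, sep, value = line.partition(":")
        value = value.strip()
        if sep and value.lstrip("-").isdigit():
            knobs[oid.strip()] = int(value)
    return knobs


def double_filtering_enabled(knobs):
    """True when packets are filtered on both the member and the bridge interface."""
    return (knobs.get("net.link.bridge.pfil_member") == 1
            and knobs.get("net.link.bridge.pfil_bridge") == 1)


def parse_ipfstat_states(text):
    """Parse ipfstat -t rows into dicts; the header and short lines are skipped."""
    states = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "Source":
            continue
        src, dst, st, proto, pkts, nbytes, ttl = fields[:7]
        states.append({"src": src, "dst": dst, "state": st, "proto": proto,
                       "pkts": int(pkts), "bytes": int(nbytes), "ttl": ttl})
    return states


def duplicate_states(states):
    """Return (src, dst, proto) keys seen more than once, in first-seen order."""
    counts = Counter((s["src"], s["dst"], s["proto"]) for s in states)
    return [key for key, n in counts.items() if n > 1]


def diagnose(sysctl_text, ipfstat_text):
    """Combine both inputs into a list of duplicate keys and a list of findings."""
    knobs = parse_sysctl(sysctl_text)
    dups = duplicate_states(parse_ipfstat_states(ipfstat_text))
    findings = []
    if dups and double_filtering_enabled(knobs):
        findings.append("duplicate state entries while pfil_member=1 and pfil_bridge=1: "
                        "each packet is filtered on a member interface and again on "
                        "bridge0; the thread above saw one entry after setting "
                        "net.link.bridge.pfil_bridge=0")
    elif dups:
        findings.append("duplicate state entries, but the bridge pfil knobs do not "
                        "explain them; look elsewhere")
    return dups, findings


if __name__ == "__main__":
    dups, findings = diagnose(SYSCTL_OUTPUT, IPFSTAT_OUTPUT)
    for src, dst, proto in dups:
        print(f"duplicate state: {src} -> {dst} ({proto})")
    for f in findings:
        print(f)
```

On a live system the two samples would be replaced by `sysctl net.link.bridge` and `ipfstat -t` output saved to files; the parsers key on the column layout shown in the thread, so a differently formatted ipfstat build would need the field indices adjusted.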